
Knowing what personal data is held about you and how it is processed is a crucial part of privacy protection. Understanding what a subject access request is enables you to manage the data held about you. It gives you the power to demand explanations and ensures your data is handled responsibly. The following discussion covers how SARs work and why they matter.
Table of Contents
1) What is a Subject Access Request?
2) Why is Understanding Subject Access Requests Important?
3) What is Personal Data under GDPR?
4) How to Make a Subject Access Request (SAR)?
5) How to Respond to a Data Subject Access Request?
6) What is the Time Limit for Responding to a Subject Access Request?
7) Refusing and Handling Repeat Subject Access Requests
8) Are Organisations Required to Comply with Every SAR?
9) Conclusion
What is a Subject Access Request?
A Subject Access Request represents an individual’s legal right to access the information an organisation holds about them. It lets the individual see how the data is used and why it is processed. The request is thus a means of preserving personal privacy while data processing is ongoing.
Individuals can make their requests verbally or in writing, and the organisation has to reply within one month. The reply must show the data that is being processed, the reason for the processing, and the persons or bodies with which the information has been shared. The whole process shifts power over personal data in favour of individuals.
Why is Understanding Subject Access Requests Important?
Subject access requests are important because they give people control over their personal data. When you ask a company how your data is being used, the company must answer. This builds trust, helps keep data safe, and ensures that legal rules are followed.
1) It creates data transparency and increases trust between the customer and the company.
2) It helps the company comply with laws like GDPR; otherwise, the company can be fined.
3) You can spot inaccurate or outdated data and get it corrected.
What is Personal Data under GDPR?
Personal data means any information that is directly or indirectly linked to a real, living person. A name, ID number, phone number, photo, fingerprint or IP address are all examples of personal data. GDPR only applies to data that relates to a person and through which that person can be identified. Whether the data is in electronic form or in written files, if a person can be identified from it, then it is personal data.
1) If the data directly or indirectly identifies a person, it is personal data
2) The format can be anything, such as text, image, audio or video
3) The use of the data also matters; if it is for identifying someone, then GDPR applies
How to Make a Subject Access Request (SAR)?
If you want to see how a company is storing or using your personal data, you can ask for your data by sending them a Data Subject Access Request (DSAR). You can send the request via email, phone call, direct message, letter or tweet. Use the format the company accepts.
This request is free. The company cannot ask for money from you unless your request is repeated or very complex.
1) Write Your Request
Clearly write your Subject Access Request and keep a copy for yourself. It is best to send it in writing, whether by letter, email, or an online form, so you can track what you asked for and when.
2) Send it to the Right Person
Direct your request to the Data Protection Officer or the main contact email of the organisation. This way, your request reaches the right department and is processed promptly.
3) You Don't Have to Pay
Under the UK GDPR, you are allowed to obtain your personal data without any charge. The organisation can charge you a fee only if the request is unreasonable or if you ask for multiple copies.
4) Someone Can Make the SAR for You
A parent, guardian, lawyer, or authorised representative can make a request on your behalf. It may be necessary for you to give them written consent or proof of authority so that they can act for you.

How to Respond to a Data Subject Access Request?
If you’re on the receiving end of a SAR, handling it correctly is essential to stay compliant and maintain trust.

1) Recognise the Subject Access Request
SARs don’t have to follow a specific format, so you must be vigilant. A simple email, letter, or even a verbal request may qualify as a SAR. Train your team to identify these requests promptly.
2) Confirm the Individual’s Identity
Before releasing any information, confirm the requester’s identity. Ask for identification, if necessary, especially if sensitive data is involved. This step prevents unauthorised access.
3) Clarify the Details of the SAR
If the request is vague, seek clarification. For example, if an individual asks for "all my data," you might ask if they’re referring to specific accounts or interactions. This ensures you provide relevant information without wasting resources.
4) Locate, Retrieve, and Gather the Requested Data
Work systematically to locate the individual’s data. This might involve checking multiple systems, databases, or departments. Once retrieved, ensure the data is accurate and complete.
5) Determine Applicable Exemptions
Not all data has to be shared. For instance, information revealing trade secrets or impacting another person’s privacy may be exempt. Familiarise yourself with these exemptions to ensure lawful responses.
6) Provide the Information Securely to the Individual
When sharing the data, prioritise security. Use encrypted emails or password-protected files to minimise the risk of unauthorised access.
7) Document the Decision-Making Process
Keep a record of how you handled the SAR. This includes dates, communication logs, and decisions made regarding exemptions. Documentation can protect you in case of a dispute or audit.
What is the Time Limit for Responding to a Subject Access Request?
Time is of the essence when responding to SARs. Under GDPR, organisations must respond within one month of receiving the request. If the SAR is complex, you may extend this by an additional two months, but you must inform the individual of the delay and provide reasons.
Delays without valid justification can lead to penalties and complaints, so stay on top of deadlines.
Refusing and Handling Repeat Subject Access Requests
Not every SAR must be fulfilled. You may refuse a request if it is:
1) Manifestly unfounded (e.g., malicious or made with no real intent to access data).
2) Excessive (e.g., repetitive without new context).
However, you must inform the requester of your reasons and their right to complain to a supervisory authority.
Handling repeat requests requires judgment. If new data has been added or significant time has passed, fulfilling the SAR may still be necessary.
Are Organisations Required to Comply with Every SAR?
Not necessarily. GDPR allows organisations to refuse SARs in specific situations, such as when fulfilling the request would compromise intellectual property, harm others’ rights, or impose an unreasonable burden. Each case must be evaluated carefully, with decisions backed by clear reasoning.
Conclusion
Knowing your data rights is key to staying informed and safeguarding your privacy. Understanding what a subject access request is allows you to manage the information that companies keep about you. When you make use of SARs, organisations are obliged to handle your personal data transparently, accurately, and responsibly.
Frequently Asked Questions
What Happens if a Subject Access Request is Made Verbally?
If a SAR is made verbally, it is still valid under GDPR. The organisation must document the request and process it like any written SAR. However, the individual may be asked to clarify or confirm details in writing to ensure accurate handling.
Can an Organisation Charge a Fee for a Subject Access Request?
No, organisations generally cannot charge for a SAR. However, if the request is excessive, repetitive, or unfounded, a reasonable fee may be charged. This fee must reflect the administrative cost of fulfilling the request.