Do you know how to handle Subject Access Requests?

Under the General Data Protection Regulation (GDPR), individuals are granted the right to access their personal data and supplementary information that organisations hold about them.

This right is exercised through a process known as a Subject Access Request (SAR).

SARs play a vital role in maintaining transparency, accountability, and trust between organisations and the people whose data they process.

In this guide, we explore what SARs entail, how organisations should respond to them, and the key actions needed to ensure full compliance.



What Is a Subject Access Request?

A Subject Access Request (SAR) allows individuals to:

  • Obtain a copy of their personal data held by an organisation.
  • Understand the reasons for data processing.
  • Confirm the lawfulness of the processing.
  • Discover the categories of data being processed and the sources from which the data was obtained.
  • Identify third parties or recipients with whom the data has been shared.

SARs can be made in various ways—verbally, in writing, by email, or even via social media. No specific wording is required. A simple message such as “Please send me all the data you have on me” qualifies as a valid request. SARs may also be submitted by third parties acting on behalf of individuals, such as legal representatives or family members. In these cases, organisations must verify that the third party is authorised to act.


Preparing for SARs

Organisations should adopt a proactive, structured approach for managing SARs. This includes:

  • Recognising SARs: Train all staff, especially frontline teams, to identify valid requests.
  • Recording Requests: Implement a central log or ticketing system to document SARs upon receipt.
  • Verifying Identity: Where necessary, request proof of identity to ensure the requester is who they claim to be.
  • Clarifying Ambiguities: If a request is unclear or overly broad, seek clarification. The deadline to respond can be paused until clarification is received.
  • Understanding Refusals: Educate staff on when a request may be lawfully refused or limited.
  • Locating Data: Maintain a clear map of where personal data is stored (e.g., email, CRM, HR systems, cloud storage) to support efficient retrieval.

Complying with SARs

Timely Response

SARs must be responded to without undue delay and within one month of receipt.

For complex requests or multiple concurrent requests from the same individual, an extension of up to two months may be applied. The individual must be notified of the delay and the reasons for it within the original one-month window.

A proportionate search must be conducted, meaning that organisations should take all reasonable steps to locate the requested data. While exhaustive searches are not required, efforts should be demonstrably thorough.

Third-Party Requests

Where data about other individuals is involved, organisations must balance the rights of the data subject with the privacy rights of third parties. Redactions or partial disclosure may be necessary if third-party consent is not obtained.

Child Requests

Children have the same rights under GDPR as adults. When a SAR involves a child, assess their capacity to understand their rights. If competent, the response should be directed to the child; otherwise, it may be given to a parent or guardian if it serves the child’s best interests.


Providing the Information

The response to a SAR must be:

  • Clear, concise, and written in plain language.
  • Delivered electronically (e.g., PDF or CSV) unless otherwise requested.
  • Secure—use encrypted emails, password-protected links, or secure file-sharing services.

Include the following in your response:

  • The personal data requested.
  • The purposes of the data processing.
  • Categories of data involved.
  • Any data recipients.
  • Retention periods.
  • A summary of the individual’s rights under GDPR.

Security

Security must be maintained throughout the SAR process. This includes:

  • Confirming the identity of the requester.
  • Logging all actions taken.
  • Safely storing request and response records.
  • Ensuring secure data transmission and access controls.

These practices not only support GDPR compliance but also demonstrate accountability in the event of a regulatory audit.


When Can a SAR Be Refused?

An organisation can refuse to fulfil a SAR if:

  • The request is manifestly unfounded, for example made with malicious intent.
  • The request is excessive, such as repetitive requests with no significant changes.
  • A GDPR exemption applies (see below).

Even when refusing a SAR, the organisation must:

  • Respond within the statutory timeframe.
  • Clearly explain the reason for refusal.
  • Inform the individual of their right to complain to the Information Commissioner’s Office (ICO) or pursue legal action.

Key Exemptions and Special Cases

Under the Data Protection Act 2018, certain exemptions apply to SARs. These include:

  • Crime and taxation: Data processed for law enforcement or tax collection.
  • Legal privilege: Confidential legal communications.
  • Journalism, research, archiving: Where disclosure would undermine journalistic or scientific purposes.
  • Education and health records: These may require additional safeguards before disclosure.

Special scenarios also require care, including:

  • Archived or backup data.
  • Data held by third-party service providers.
  • Information that, if disclosed, could cause harm to individuals.

Enforcing the Right of Access

If an individual believes their SAR was mishandled, they can:

  • Request an internal review.
  • Lodge a complaint with the ICO.
  • Seek legal remedies through the courts.

Non-compliance may result in fines, enforcement notices, or reputational damage. Establishing robust SAR processes is a critical component of data protection governance.


Final Thoughts

Efficient and compliant handling of Subject Access Requests is not only a legal requirement—it’s a demonstration of your organisation’s commitment to transparency, privacy, and accountability. By implementing clear processes, training your staff, and maintaining up-to-date documentation, you empower your organisation to fulfil its obligations confidently and build trust with stakeholders.

Handled correctly, SARs are more than a burden—they are an opportunity to demonstrate ethical data stewardship and reinforce your values around individual rights.

FAQs

What should I do if I’m unsure whether a request qualifies as a SAR?

If an individual asks for information about how their personal data is used, held, or shared, treat it as a SAR—even if they don’t use formal language. It’s best to train staff to err on the side of caution and escalate such requests for review.

Can I charge a fee for handling a SAR?

In most cases, SARs must be provided free of charge. However, a “reasonable fee” may be charged if a request is manifestly unfounded, excessive, or repetitive. The fee must reflect administrative costs only.

What counts as ‘personal data’ in the context of a SAR?

Personal data is any information that relates to an identified or identifiable individual. This can include names, email addresses, personnel files, CCTV footage, IP addresses, call logs, and even notes about a person.

How do I handle emails that contain third-party information?

You may need to redact names or details about other individuals before disclosing the email. If the third party has consented or it is otherwise reasonable to disclose, you may include their information. Always assess on a case-by-case basis.

Can I extend the one-month response deadline?

Yes. If a SAR is particularly complex or if the requester has submitted multiple requests, you can extend the deadline by up to two additional months. Be sure to inform the requester within the first month, explaining why the extension is needed.

What evidence should I keep to demonstrate compliance with a SAR?

Maintain a full record of the request, any identity checks, communications with the requester, data searches conducted, redactions made, and your final response. This documentation is essential in case of an ICO investigation or dispute.

Further Reading

  • How to handle subject access requests – A guide from the ICO (UK)
  • GDPR Legislation and Subject Access Requests