How can we help?

Privacy and Data Protection

Subject access requests


Individuals have a right to ask an organisation whether or not they are using or storing personal information through a subject access request (SAR).

Responding and actioning a request requires following the correct steps to comply. Our lawyers can help you navigate the process.

“Very professional, knowledgeable and accessible lawyers.” 

Chambers and Partners

FAQs – Subject access requests

Any individual who may be identified from any form of document, whether directly or indirectly, is a data subject. This is a key concept used to determine what data falls under the category of ‘personal data’. Data subjects have certain rights under the UK GDPR.

A data subject access request (DSAR) is a request made by an individual to:

  • Obtain confirmation from an organisation that it is processing their personal data
  • Access their personal data held by an organisation
  • Receive other information concerning this data and its processing purposes

Any data subject (the identified or identifiable living individual to whom personal data relates) has the right to make a DSAR. We see these being made frequently in the employment context, whereby an employee submits a DSAR to their past or present employer.

As a first step the identity of the individual submitting the DSAR must be verified. The validity of the request should be checked and relevant personal data must then be collected and provided to the data subject, possibly in an amended format.

An organisation must respond to a DSAR “without undue delay” and within one month of the request being received. This deadline may be extended up to three months in total if the request is a complex one, or if an individual has submitted several DSARs to the same organisation.

Responses to DSARs must be provided free of charge, unless the requests are “manifestly unfounded or excessive”, in which case the organisation may charge a reasonable fee or refuse to act on the request (but this decision may be subject to a review by the Information Commissioner’s Office).

Responding to a DSAR can be time-consuming and expensive, which is why a DSAR is sometimes made as a tactical strategy in a dispute between an individual and an organisation.

A DSAR is a fundamental right under the UK GDPR. The UK GDPR regulates the way organisations handle personal data and it is important for organisations to comply with the UK GDPR’s requirements when responding to DSARs.

Key contacts

Read, listen and watch our latest insights

  • 09 February 2024
  • Privacy and Data Protection

Are we suffering from cookie fatigue?

An over-indulgence in Easter treats might not be the only cookie fatigue that individuals will suffer this year according to the Information Commissioners Office (ICO).

  • 26 January 2024
  • Privacy and Data Protection

AI Podcast: AI, Discrimination and Automated Decision-making

In this podcast, Lucy Densham Brown and Jordan Masters, members of the data protection team at Clarkslegal, discuss how using AI and automated decision-making could conflict with GDPR protections and lead to discrimination.

  • 28 December 2023
  • Privacy and Data Protection

Data Protection: What’s in store for 2024?

As 2023 nears to a close, we take a look at some of the key trends and developments to watch out for in 2024.

  • 12 December 2023
  • Privacy and Data Protection

Is Santa’s List Naughty or Nice?

All year we all work hard to make sure we end up on the Nice List, and avoid that dreaded lump of coal at the end of our bed. But what about Santa himself?

  • 04 December 2023
  • Privacy and Data Protection

The UK-US data bridge for transfers of personal data – Melanie Pimenta writes for Business Voice magazine

In Business Voice magazine, Melanie Pimenta, Senior Solicitor at Clarkslegal writes that transferring data can be a tricky business and the risks of getting it wrong can be costly both reputationally and financially.

  • 21 November 2023
  • Privacy and Data Protection

Privacy matters: How the 8 data subject rights protect personal data

In this guide we explore the 8 data subject rights under the UK GDPR and discover how they play a vital role in preserving your organisation’s privacy standards in an increasingly interconnected world.