How can we help?

Privacy and Data Protection

Subject access requests


Individuals have a right to ask an organisation whether or not they are using or storing personal information through a subject access request (SAR).

Responding and actioning a request requires following the correct steps to comply. Our lawyers can help you navigate the process.

“Very professional, knowledgeable and accessible lawyers.” 

Chambers and Partners

FAQs – Subject access requests

Any individual who may be identified from any form of document, whether directly or indirectly, is a data subject. This is a key concept used to determine what data falls under the category of ‘personal data’. Data subjects have certain rights under the UK GDPR.

A data subject access request (DSAR) is a request made by an individual to:

  • Obtain confirmation from an organisation that it is processing their personal data
  • Access their personal data held by an organisation
  • Receive other information concerning this data and its processing purposes

Any data subject (the identified or identifiable living individual to whom personal data relates) has the right to make a DSAR. We see these being made frequently in the employment context, whereby an employee submits a DSAR to their past or present employer.

As a first step the identity of the individual submitting the DSAR must be verified. The validity of the request should be checked and relevant personal data must then be collected and provided to the data subject, possibly in an amended format.

An organisation must respond to a DSAR “without undue delay” and within one month of the request being received. This deadline may be extended up to three months in total if the request is a complex one, or if an individual has submitted several DSARs to the same organisation.

Responses to DSARs must be provided free of charge, unless the requests are “manifestly unfounded or excessive”, in which case the organisation may charge a reasonable fee or refuse to act on the request (but this decision may be subject to a review by the Information Commissioner’s Office).

Responding to a DSAR can be time-consuming and expensive, which is why a DSAR is sometimes made as a tactical strategy in a dispute between an individual and an organisation.

A DSAR is a fundamental right under the UK GDPR. The UK GDPR regulates the way organisations handle personal data and it is important for organisations to comply with the UK GDPR’s requirements when responding to DSARs.

Key contacts

Read, listen and watch our latest insights

  • 19 September 2023
  • Privacy and Data Protection

Organisations’ use of social media: Data protection

Social media applications (or commonly known as ‘apps’) are being developed all the time and we are constantly being introduced to new social media platforms, some of which take almost no time to gain huge popularity.

  • 22 August 2023
  • Privacy and Data Protection

Overview of Data Subject Access Requests

In recent months, we have witnessed a series of high-profile data breaches that have brought data protection issues to the forefront of the public’s mind and with this comes an increase in Data Subject Access Requests (DSARs).

  • 16 August 2023
  • Privacy and Data Protection

PSNI and Electoral Commission Data Breach

Both the UK Electoral Commission and the PSNI, announced serious data breaches. This article looks at what happened to cause the breaches, and what lessons employers can learn from this about processing data and how to protect the information.

  • 09 August 2023
  • Privacy and Data Protection

Penalties for data breaches

Individuals and organisations alike are increasingly reliant on technology to assist with all kinds of functions – from communicating and sharing data to strengthening security and recruiting staff.

  • 27 July 2023
  • Privacy and Data Protection

Nigel Farage v NatWest: When you can’t bank on data protection?

If you have seen the headlines recently, you will have read that NatWest CEO Dame Alison Rose has resigned from her position following the row over Nigel Farage’s bank account and the disclosure of his banking data.

  • 21 July 2023
  • Privacy and Data Protection

What will happen if the Metaverse comes to life?

Metaverse talk has seemingly died down when just a few months ago it was a popular topic on the internet. This is no surprise since Mark Zuckerberg – the CEO of Meta Platforms, formerly ‘Facebook’ – has stopped discussing the Metaverse after a period of actively promoting it.