How can we help?

Privacy and Data Protection

Subject access requests


Understanding DSARs

Individuals have a right to access data which is held about themselves by organisations. They can do this via a “Data Subject Access Request” (known as DSARs or SARs).  If a DSAR is made, then the holder of the information needs to provide all personal data which they hold on the individual. Given the amount of data which can be held via a number of different sources (such as emails, computer back ups and physical sources) this can be a very intimidating task.

Why You Need a Solicitor

It can be onerous for the data processor to consider how to ensure they are searching for the correct data, and the data subject may find it confusing to know exactly what they can request and how to go about it. Our team have experience in acting for both individuals and businesses to assist on making and dealing with a request.

For Individuals:

Our solicitors can help draft the DSAR request to ensure that the request is wide enough to gather all the information which you would like information on but is proportionate enough so the data processor has no grounds to deny your request.

For Businesses:

Our solicitors can help advise on what terms should be searched and can help redact the documents to ensure you do not breach others’ personal data rights. We can help review the request and determine whether its complex or manifestly unfounded, and give you further advice on how you can respond to these requests. Dealing with DSARs can be a timely task so our team can take on some of the burden and help with preparing these documents.

Why it’s important to get DSARs right?

Failures to correctly perform a DSAR can lead to complaints to the Information Commissioner Office (ICO) or a court order to ensure compliance. This can result in hefty fines and compensation if you’ve failed to comply correctly so you want to ensure they are carried out correctly.

For individuals, if your request is held to be manifestly unfounded, your request may be refused or you can be charged a reasonable fee by the data processor in order for them to carry out the request.

How we can help you deal with future requests?

It’s important for organisations to hold on to information but they are only required to retain it for a specific period of time. We can advise you on the time limits for this information so you can manage your storage systems while complying with legal requirements as to data retention.

We can help advise on you how to implement policies and training within your organisation to help you deal with requests.

Contact Our Expert Data Protection Solicitors

If you need any assistance with carrying out a DSAR or general advice on what you are required to do, please do get in contact with our data protection team who will be able to assist.

“Very professional, knowledgeable and accessible lawyers.” 

Chambers and Partners

FAQs – Subject access requests

Any individual who may be identified from any form of document, whether directly or indirectly, is a data subject. This is a key concept used to determine what data falls under the category of ‘personal data’. Data subjects have certain rights under the UK GDPR.

A data subject access request (DSAR) is a request made by an individual to:

  • Obtain confirmation from an organisation that it is processing their personal data
  • Access their personal data held by an organisation
  • Receive other information concerning this data and its processing purposes

Any data subject (the identified or identifiable living individual to whom personal data relates) has the right to make a DSAR. We see these being made frequently in the employment context, whereby an employee submits a DSAR to their past or present employer.

As a first step the identity of the individual submitting the DSAR must be verified. The validity of the request should be checked and relevant personal data must then be collected and provided to the data subject, possibly in an amended format.

An organisation must respond to a DSAR “without undue delay” and within one month of the request being received. This deadline may be extended up to three months in total if the request is a complex one, or if an individual has submitted several DSARs to the same organisation.

Responses to DSARs must be provided free of charge, unless the requests are “manifestly unfounded or excessive”, in which case the organisation may charge a reasonable fee or refuse to act on the request (but this decision may be subject to a review by the Information Commissioner’s Office).

Responding to a DSAR can be time-consuming and expensive, which is why a DSAR is sometimes made as a tactical strategy in a dispute between an individual and an organisation.

A DSAR is a fundamental right under the UK GDPR. The UK GDPR regulates the way organisations handle personal data and it is important for organisations to comply with the UK GDPR’s requirements when responding to DSARs.

Key contacts

Louise Keenan


View profile

+44 118 960 4614

Read, listen and watch our latest insights