Search

How can we help?

Privacy and Data Protection

Subject access requests

 

Individuals have a right to ask an organisation whether or not they are using or storing personal information through a subject access request (SAR).

Responding and actioning a request requires following the correct steps to comply. Our lawyers can help you navigate the process.

Contact us

“Very professional, knowledgeable and accessible lawyers.” 

Chambers and Partners

FAQs – Subject access requests

Any individual who may be identified from any form of document, whether directly or indirectly, is a data subject. This is a key concept used to determine what data falls under the category of ‘personal data’. Data subjects have certain rights under the UK GDPR.

A data subject access request (DSAR) is a request made by an individual to:

  • Obtain confirmation from an organisation that it is processing their personal data
  • Access their personal data held by an organisation
  • Receive other information concerning this data and its processing purposes

Any data subject (the identified or identifiable living individual to whom personal data relates) has the right to make a DSAR. We see these being made frequently in the employment context, whereby an employee submits a DSAR to their past or present employer.

As a first step the identity of the individual submitting the DSAR must be verified. The validity of the request should be checked and relevant personal data must then be collected and provided to the data subject, possibly in an amended format.

An organisation must respond to a DSAR “without undue delay” and within one month of the request being received. This deadline may be extended up to three months in total if the request is a complex one, or if an individual has submitted several DSARs to the same organisation.

Responses to DSARs must be provided free of charge, unless the requests are “manifestly unfounded or excessive”, in which case the organisation may charge a reasonable fee or refuse to act on the request (but this decision may be subject to a review by the Information Commissioner’s Office).

Responding to a DSAR can be time-consuming and expensive, which is why a DSAR is sometimes made as a tactical strategy in a dispute between an individual and an organisation.

A DSAR is a fundamental right under the UK GDPR. The UK GDPR regulates the way organisations handle personal data and it is important for organisations to comply with the UK GDPR’s requirements when responding to DSARs.

Related services

Audits

Data breaches

Privacy documentation

International transfers

Key contacts
Ashan Arif

Partner

View profile

+44 118 960 4651
Stuart Mullins

Partner

View profile

+44 118 960 4672

Read, listen and watch our latest insights

art
  • 17 October 2022
  • Privacy and Data Protection

UK Government’s plan to replace UK GDPR 

The Data Protection and Digital Information Bill (‘DPDI Bill’) was due to have its second reading in Parliament on 5 September 2022. The aim of the Bill was to update the UK’s data protection framework.

art
  • 20 September 2022
  • Privacy and Data Protection

The Data Protection and Digital Information Bill  

In September 2021, the government launched a consultation – ‘Data: a new direction’ – as part of its proposals to reform the UK’s data protection laws following Brexit, the responses to which were published in June this year.
Pub
  • 12 September 2022
  • Privacy and Data Protection

Regulating AI to protect personal data

In this podcast Melanie Pimenta and Jacob Montague solicitors in the Data Protection team discuss the Government’s proposals to regulate the use of AI.
art
  • 30 August 2022
  • Privacy and Data Protection

UK Data Protection – Where are we now?

There have been many developments relating to how data flows are governed, ranging from the standard contractual clauses (SCCs) to the notable Schrems II decision; following this, the UK was deemed an ‘adequate’ country by the EU in respect of personal data transfers.
art
  • 08 August 2022
  • Privacy and Data Protection

New guidance on the UK Binding Corporate Rules 

On 25 July 2022, the Information Commissioner’s Office (ICO) published guidance and revised application forms and tables to simplify the UK Binding Corporate Rules (UK BCRs) approval process for controllers and processors.  
art
  • 06 July 2022
  • Privacy and Data Protection

Data protection: moving in a ‘new direction’ for the UK?  

There have been many developments in data protection over the last few years, ranging from the implementation of the GDPR, the result of the decision in the case of Schrems II and new agreements and processes for international data transfers.

See More

Our related expertise

IP and Commercial

Providing guidance on contracts and agreements across all sectors, to minimise risk and maximise profitability.

Find out more

forburyTech

From brainstorm to market, provides concise, clear, and jargon free advice for start-up and small businesses in tech.

Find out more

Contact Ashan

+44 118 958 5321