Search

How can we help?

Icon

FAQs – Data Subject Access Requests

Who is a data subject?

Any individual who may be identified from any form of document, whether directly or indirectly, is a data subject. This is a key concept used to determine what data falls under the category of ‘personal data’. Data subjects have certain rights under the UK GDPR.

What is a Data Subject Access Request?

A data subject access request (DSAR) is a request made by an individual to:

  • Obtain confirmation from an organisation that it is processing their personal data
  • Access their personal data held by an organisation
  • Receive other information concerning this data and its processing purposes

When can a DSAR be submitted?

Any data subject (the identified or identifiable living individual to whom personal data relates) has the right to make a DSAR. We see these being made frequently in the employment context, whereby an employee submits a DSAR to their past or present employer.

How should I respond to a DSAR?

As a first step the identity of the individual submitting the DSAR must be verified. The validity of the request should be checked and relevant personal data must then be collected and provided to the data subject, possibly in an amended format.

When do I need to respond to a DSAR?

An organisation must respond to a DSAR “without undue delay” and within one month of the request being received. This deadline may be extended up to three months in total if the request is a complex one, or if an individual has submitted several DSARs to the same organisation.

Can I charge a fee for responding to a DSAR?

Responses to DSARs must be provided free of charge, unless the requests are “manifestly unfounded or excessive”, in which case the organisation may charge a reasonable fee or refuse to act on the request (but this decision may be subject to a review by the Information Commissioner’s Office).

Harry Berryman

Solicitor

View profile

+44 118 960 4636

An organisation must respond to a DSAR “without undue delay” and within one month of the request being received.

Can I challenge a DSAR that I have received?

Responding to a DSAR can be time-consuming and expensive, which is why a DSAR is sometimes made as a tactical strategy in a dispute between an individual and an organisation.  A DSAR can be challenged in certain circumstances, or have its scope clarified.

My response to a DSAR will contain confidential information – what can I do?

Certain confidential information that would otherwise be revealed in the response to a DSAR can be redacted.  There is also no obligation to provide full copies of documents which contain relevant personal data, the personal data can be extracted and presented as part of a new document.  The data controller must take care when doing this, to avoid failing to disclose all of the personal data.

I believe that information that should have been in the response to my DSAR was not included – what can I do?

The data subject can make a complaint to the Information Commissioner who may impose penalties, and can also apply for a court order requiring the controller to comply with the request fully, or to seek compensation.

 Speak to our Data Protection team today for legal advice and assistance.

About this article

Disclaimer
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.

Harry Berryman

Solicitor

View profile

+44 118 960 4636

About this article

Read, listen and watch our latest insights

art
  • 20 June 2025
  • Privacy and Data Protection

Data Protection reform receives Royal Assent: What is the Data (Use and Access) Act 2025 (DUAA) and what it means for your business

The UK’s data protection framework is about to undergo its most significant change since the UK GDPR came into force. After months of parliamentary debate, the Data (Use and Access) Act 2025 (‘DUAA’) has successfully received Royal Assent.

Pub
  • 16 June 2025
  • Privacy and Data Protection

WhatsApp in the workplace: Is it legally safe?

In this podcast, Lucy White and Monica Mastropasqua, members of the Data Protection team at Clarkslegal, will address frequently asked questions from clients regarding the use of WhatsApp at work.

art
  • 13 June 2025
  • Employment

Human Resources – A Shift Towards artificial intelligence?

On 6 May 2025, the SRA authorised the first law firm providing legal services through artificial intelligence. Garfield.Law will provide an AI-powered tool which can assist businesses with the small claims court process, to aid in recovering unpaid debts.

art
  • 04 June 2025
  • Privacy and Data Protection

Decrypting the ICO’s Draft Updated Guidance On Encryption

Where data breaches are easily achieved by human error, encryption not only offers a secure way of sending personal data, but also provides another layer of protection if a data breach was to occur.

art
  • 27 May 2025
  • Privacy and Data Protection

Extension of UK adequacy: The European Data Protection Board adopts the European Commission’s decision

Earlier this year, the European Commission adopted an extension of the two 2021 adequacy decisions with the UK for a period of six months, until 27 December 2025.

art
  • 21 May 2025
  • Privacy and Data Protection

ICO investigating online platforms and the importance of having a good privacy notice

The ICO has recently reported that it is investigating how social media and video sharing platforms use UK children’s personal information.