FAQs – Data Subject Access Requests
- 04 November 2024
- Privacy and Data Protection
Any individual who may be identified from any form of document, whether directly or indirectly, is a data subject. This is a key concept used to determine what data falls under the category of ‘personal data’. Data subjects have certain rights under the UK GDPR.
A data subject access request (DSAR) is a request made by an individual to:
Any data subject (the identified or identifiable living individual to whom personal data relates) has the right to make a DSAR. We see these being made frequently in the employment context, whereby an employee submits a DSAR to their past or present employer.
As a first step, the identity of the individual submitting the DSAR must be verified. The validity of the request should be checked, and the relevant personal data must then be collected and provided to the data subject, possibly in an amended format.
An organisation must respond to a DSAR “without undue delay” and within one month of the request being received. This deadline may be extended up to three months in total if the request is a complex one, or if an individual has submitted several DSARs to the same organisation.
Responses to DSARs must be provided free of charge, unless the requests are “manifestly unfounded or excessive”, in which case the organisation may charge a reasonable fee or refuse to act on the request (but this decision may be subject to a review by the Information Commissioner’s Office).
Responding to a DSAR can be time-consuming and expensive, which is why a DSAR is sometimes made as a tactical strategy in a dispute between an individual and an organisation. A DSAR can be challenged in certain circumstances, or have its scope clarified.
Certain confidential information that would otherwise be revealed in the response to a DSAR can be redacted. There is also no obligation to provide full copies of documents which contain relevant personal data; the personal data can be extracted and presented as part of a new document. The data controller must take care when doing this, to avoid failing to disclose all of the personal data.
The data subject can make a complaint to the Information Commissioner, who may impose penalties, and can also apply for a court order requiring the controller to comply with the request fully, or seek compensation.
Disclaimer
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.