What can be requested in a subject access request?

You have the right to ask an organisation whether or not they are using or storing your personal information. You can also ask them for copies of your personal information, verbally or in writing. This is called the right of access and is commonly known as making a subject access request or SAR.

What can you request under GDPR?

The General Data Protection Regulation (GDPR), under Article 15, gives individuals the right to request a copy of any of their personal data which are being ‘processed’ (i.e. used in any way) by ‘controllers’ (i.e. those who decide how and why data are processed), as well as other relevant information (as detailed …

How do you respond to a data subject access request GDPR?

How to respond to a subject access request: a step by step guide for organisations

1. 30 April 2019.
2. Recognise the subject access request.
3. Identify the individual making the subject access request.
4. Act swiftly and clarify the subject access request.
5. identify personal data to be disclosed.
6. Identify personal data exemptions.

Who can request SAR under GDPR?

Individuals can make SARs verbally or in writing, including via social media. A third party can also make a SAR on behalf of another person. In most circumstances, you cannot charge a fee to deal with a request. You should respond without delay and within one month of receipt of the request.

On what grounds can an SAR be refused?

The ICO guidance says that you can only refuse to comply with a SAR where it is manifestly unfounded or excessive, taking into account whether it is repetitive. If you conclude you do not need to respond, you must to be able to justify your decision.

How do you respond to SAR?

If you got the SAR by email, you should reply by email, unless the requester has said otherwise. Check with them what format they’d like it sent in and give it a final check with steps seven and eight in mind.

How long do you have to respond to a SAR request?

within one month
An organisation normally has to respond to your request within one month. If you have made a number of requests or your request is complex, they may need extra time to consider your request and they can take up to an extra two months to respond.

On what grounds can SAR be refused?

Can we refuse to comply with a SAR? The ICO guidance says that you can only refuse to comply with a SAR where it is manifestly unfounded or excessive, taking into account whether it is repetitive. If you conclude you do not need to respond, you must to be able to justify your decision.

Can a SAR request be refused?

Yes. If an exemption applies, you can refuse to comply with a SAR (wholly or partly). Not all exemptions apply in the same way and you should look at each exemption carefully to see how it applies to a particular request.