GDPR Subject Access Requests
GDPR Subject Access Requests underpin a data subject’s right of access to their data. While subject access requests are not new, GDPR presents new challenges for organizations responding to them. Businesses should familiarize themselves with GDPR subject access requests to ensure that they are not penalized.
This article is part of our guidance on GDPR, which aims to help you understand the General Data Protection Regulation and your obligations under the law. However, while industry experts have put together our guide, it does not constitute legal advice. If you require definitive legal guidance, we suggest seeking professional legal advice or visiting the most appropriate Data Protection Authority (DPA).
What is a GDPR Subject Access Request (SAR)?
In the context of GDPR, a subject access request (also commonly referred to as a SAR) is the mechanism through which an individual exercises their right to request a copy of the personal data an organization holds about them.
A subject access request:
- Can be made in writing or verbally
- Can be submitted through several means, including email, letter, phone call, web form, etc.
- Does not have to be addressed or sent to any specific department within your organization
- Does not have to mention the phrase ‘subject access request’; however, it must be clear that the data subject is requesting their data
GDPR does not define a standardized form or validity criteria for a SAR. However, it does recommend that organizations provide a means for subject access requests to be made electronically.
See also GDPR Data Subject Rights
Who can request Personal Data?
Under GDPR, subject access requests from data subjects requesting their own data are valid. In certain circumstances, a request to access another individual’s data may also be possible, for example where:
- The data subject is acting on behalf of another individual
- The other individual’s data also happens to relate to them
To avoid third parties gaining unlawful access to personal data, an organization can ask for proof of identity before complying with an individual’s subject access request.
However, organizations should only ask for the minimum information necessary to prove the requesting individual’s identity.
If an organization cannot identify which data in their possession relates to the relevant individual, they may not have to comply with certain data subject rights.
What information is included in a Subject Access Request?
As well as a copy of their data, the data subject is also entitled to receive:
- confirmation of whether you are processing their data
- other supplementary information (including mandatory privacy information)
Upon receiving a SAR, organizations should first establish if the information requested falls within the definition of personal data before responding to any request.
If an organization decides not to disclose personal data, they will need to record the reason and communicate this to the SAR applicant within the appropriate timeframe.
It is worth noting that some EU member states have national laws, such as the UK’s Data Protection Act 2018 (DPA 2018), that complement the European Union’s General Data Protection Regulation. These laws may set out exemptions regarding the type of information which needs to be included in a response to a subject access request.
Responding to a GDPR Subject Access Request
Under GDPR, individuals can request a copy of any personal data that relates to them. A ‘subject access request’ (SAR) is made when an individual asks you for a copy of their data, whether by phone, in person, or in writing.
Stage 1: Log the request
- Select a data protection lead – If you are a one-person outfit, you are the data protection lead. For other organizations, a data protection lead should be selected if one has not already been appointed. Processors should have a contract in place with the Controller which details how SARs are managed.
- Verify the identity – Businesses must quickly verify the requester’s identity if they are not certain the requester is who they claim to be. Identity verification should be proportionate and may simply involve asking questions that only the requester would know the answer to, such as reference numbers or appointment details. A photo ID can be requested, but if you do not know what the requester looks like, a photo ID alone cannot verify their identity.
- Check they are authorized – Organizations will need to verify authorization in the event that the individual requesting the SAR is not the person to whom the personal data relates. The requesting individual could be a relative, lawyer or friend. Verification can be achieved via a written authority confirming the requester is acting on behalf of the person concerned, or via a general power of attorney.
- Set reminders – Organizations have one calendar month to gather the information and send it to the requester. The one-month time limit starts once you have verified the requester’s identity or, where you have asked for further details, once those details have been received. Any additional information you need should therefore be asked for as soon as possible.
Stage 2: Gather the information
Locating and gathering information is the most time-consuming part of responding to GDPR subject access requests. Organizations will find it useful to implement a procedure that enables them to check what data they process and where it is stored.
- Locate the relevant information – Consider where this information might be stored. Potential locations include archived and live systems, smartphones, and email folders. Also check external hard drives, tablets, portable memory sticks, voice recordings, social media posts and CCTV files.
- Take into account the impact of releasing data about other individuals – Generally, disclosing information about other people in a SAR response should be avoided. However, there may be instances when the requester’s personal data includes information closely linked to another individual. In such cases, the personal data requested should still be released, but you should consider the impact on the other person of disclosing it.
- Check if any data needs to be redacted – Before providing the information to the requester, review it to ensure it relates to them. Any information which is not theirs should be redacted. For instance, an email may mention several individuals; any information in that email which does not relate to the individual making the GDPR subject access request should be blacked out (redacted). Alternatively, the sections relevant to the SAR can be copied into a separate document.
Stage 3: Communicate with the requester
Communications with the requester have to use plain and unambiguous language, especially if the information is being disclosed to a child.
Consideration should be given to providing data subjects with remote access to a secure self-service system, providing them with direct access to their information. For example, an organization may opt to allow employees to access their data held on a secure HR system.
- Prepare your reply – If the SAR was received by email, the response should be sent via the same communication channel (i.e. email), unless requested otherwise. Organizations have the option of confirming with the requester what format they would like the information sent in.
- Send your reply securely, keeping a record of what has been sent – Along with the requester’s data, a copy of your privacy information must also be sent. Data subjects have a right under GDPR to know why their data is being held by an organization, how that data was obtained, how long it will be kept, who it will be shared with, and how they can request that it be changed or erased. Organizations should retain dated records of the information sent for future reference.
How long do I have to comply with a SAR?
From the day after the request is received, organizations have one calendar month to fulfil a GDPR subject access request. Failure to meet this deadline could result in the individual making the SAR making a complaint to the Data Protection Authority (DPA).
In some instances, if the request is complex or several requests have been received from the same individual, the timescale to respond may be extended by a further two months.
Organizations can ask for the request to be clarified if they process a large quantity of information about the individual. If more information is required, organizations will need to let the requester know as soon as possible. In such cases, the one-month response timeline commences once the additional information has been received.
Subject Access Requests – Fees and Refusal
For the majority of cases, an organization cannot charge a fee for fulfilling a GDPR subject access request.
However, a ‘reasonable fee’ for administrative costs may be charged for complying with the request, if:
- The request is manifestly unfounded (i.e. speculative) or excessive
- Following a request, the individual asks for further copies of their data
Organizations may refuse an access request if it is deemed to be speculative or excessive. In such cases, organizations will need to demonstrate why the request meets these criteria, so having clear refusal policies and procedures in place will be useful.
Read further on data subject access requests.