Written by Zlatko Delev

Posted on: February 14, 2023

What Your Company Needs to Know About SAR

The right for every individual to access data held about them is a core principle of the GDPR. Individuals get hold of that data via a subject access request (SAR), but how should the request be made – and what happens when you receive one? GDPR Local’s Zlatko Delev explains.

In the UK and EU, you’ll find the Right of Access in Article 15 of the General Data Protection Regulation (GDPR)[1], which says:

“The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data.”

In addition to a copy of the data itself, Article 15(1) entitles the individual to know how you are processing it: the purpose(s) for which it is held and processed, the categories of data involved, the recipients it has been or will be disclosed to, its source where it was not collected from them directly, and the retention period (or, where no fixed period exists, the criteria used to determine it). They must also be told of their rights to object to the processing, to demand its erasure or rectification, and to restrict its processing. In the UK, they also have the right to raise any concerns with the ICO[2], the UK’s supervisory authority.

In this post, we’ll explore what happens when an individual makes such a request, and how your organisation should react. Find full, detailed guidance on managing the right to access on the ICO’s website[3].


[1] Article 15 of the General Data Protection Regulation (Right of access by the data subject)

[2] ICO, the Information Commissioner’s Office: https://ico.org.uk

[3] https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/right-of-access/

When is a request a request?

A SAR can be verbal or in writing, and it can arrive through any channel you offer, including social media or a general enquiries inbox rather than a dedicated privacy address. It doesn’t need to use specific wording, quote legislation or use the term ‘SAR’ or ‘subject access request’. If it reads as a request for an individual’s personal data, treat it as one, and make sure front-line staff know how to recognise and forward it.

How quickly should you respond to a SAR?

Without undue delay and in any case within one month of receiving the request. Where a request is complex, or where you have received several requests from the same individual, Article 12(3) allows you to extend that period by a further two months, but you must tell the individual within the first month that you are extending it and why. That notification is a requirement of the GDPR, not merely best practice.

Do you need an individual’s ID before complying with their data request?

Only where you have reasonable doubts about the identity of the person making the request (Article 12(6)). Disclosing someone’s personal data to the wrong person is itself a data breach, so verification matters, but be proportionate about what you ask for: if the request comes from the email address or account you already hold for the individual, demanding a scanned passport is excessive and simply collects more data you then have to protect. Where you do need proof of identity, ask for it promptly; the ICO’s position is that the one-month time limit does not start until you have received it.

How should you respond to a subject access request?

As a rule of thumb, follow the subject’s stated preference where it is reasonable to do so. If the request was made electronically, Article 15(3) says the information should be provided in a commonly used electronic form unless the individual asks otherwise; if they ask for a verbal response, you can reply in kind, and it is sensible to keep a record of what was disclosed.

Where there is a risk that the individual will not be able to open the data in the format you provide (for example, because it requires a specific piece of software), check that they can access it and, if not, supply it in an alternative format.

Can you charge for a subject access request?

In most cases you must provide the information free of charge. Where a request is “manifestly unfounded” or “manifestly excessive”, in the ICO’s terms, Article 12(5) lets you either charge a reasonable fee that reflects your administrative costs or refuse to act on it. You may also charge a reasonable fee for further copies of data you have already supplied.

Can you refuse a SAR?

Yes. Once again, the ICO uses the phrases “manifestly excessive” and “manifestly unfounded”. You can find full details of how the ICO defines those terms below[1]. In general, the test for ‘excessiveness’ is whether the request is clearly or obviously unreasonable, judged by weighing the burden or cost of complying against the benefit to the individual. The test for ‘manifestly unfounded’ is murkier. The ICO gives examples that may indicate an unfounded request (malicious intent such as harassment, a personal grudge, or a campaign designed to cause disruption), but context matters. The ICO’s own example is an individual who genuinely wants to understand how you are processing their personal data but uses abusive language in the request: unacceptable, but not necessarily ‘unfounded’. If you do refuse, you must tell the individual without undue delay and within one month, explain why, and inform them of their right to complain to the ICO and to seek a judicial remedy. Record your reasoning, because Article 12(5) places the burden of demonstrating that a request is manifestly unfounded or excessive on you as the controller.

Ask for GDPR advice

Our GDPR consultancy services can help every business deal with personal data protection more effectively. For GDPR advice on Article 15, talk to Zlatko.


[1] https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/right-of-access/when-can-we-refuse-to-comply-with-a-request/#refuse3

Contact Us

Hope you find this useful. If you need an EU Rep, have any GDPR questions, or have received a SAR or regulator request and need help, then please contact us anytime. We are always happy to help.
GDPR Local team.
