What Is a Subject Access Request?
A subject access request (SAR), or the right of access, is fundamental in data protection laws, allowing individuals to obtain copies of their data. GDPR’s Article 15 and the Data Protection Act (2018) stipulate that data controllers (organisations managing personal data processing) must confirm how they process their data to data subjects.
Controllers must promptly respond to a data subject access request (DSAR), providing relevant documentation copies. Data subjects can submit SARs verbally and in writing, meaning your team will need training to accurately recognise and process these requests.
How to Recognise a Data Subject Access Request
Recognising subject access requests is vital, as they are accessible to all individuals and don’t require legislative language or specific mention of the term itself. Your responsibility is to identify these genuine requests, which can take various forms.
Individuals may seek access to documents, written notes, emails, videos, audio recordings, images, visitor logs, and data stored on platforms like Microsoft Teams and software systems.
Third parties, such as solicitors or relatives, may submit a SAR on a person’s behalf. For example, a parent or guardian will exercise a child’s right of access if they’re too young to understand their rights.
How Long Do You Have to Respond to a Subject Access Request
You have one calendar month to respond to a subject access request, excluding weekends and holidays.
Organisations can extend the period by two months if the complexity and volume of requests exceed their scope. GDPR’s Article 12(3) requires data controllers to notify the individual within a month of receiving the request, explaining the reasons for the extension.
Can a Company Refuse a SAR?
Yes. A data controller can reject a subject access request if it is:
- Manifestly Unfounded: SARs lacking a genuine intention to exercise rights, which can often be driven by malicious intent or disruption.
- Manifestly Excessive: Requests that are unreasonable or excessive, depending on the appealed information, context, available resources and so on.
- Repetitive: SARs reiterating previously resolved requests for the same personal data.
- Detrimental to Others: Requests that would harm the rights and freedoms of other individuals.
Organisations must inform the data subject why they’ve rejected their SAR and highlight their rights to complain to the ICO or seek justice through a judicial remedy.
How Do You Respond to a Subject Access Request
Once your Data Protection Officer (DPO) has recognised a DSAR, you must request proof of identity and whether they are an appropriate authority on a subject’s behalf. Clarifying the scope of the SAR and acknowledging you have received it should also be done as early as possible.
The following steps include gathering the requested data, considering exemptions, and sending the SAR to the subject. For a detailed overview of handling SARs, head to our 2023 guide.
Contact Data Protection People for SAR Support Services
Managing subject access requests is a time-consuming task requiring specialist training, software and skill. At Data Protection People, we help organisations outsource requests with our SAR support service. We’ll effectively collate, reduct, digitalise and redact documentation needed for a data subject.
Remain compliant with GDPR and contact our team to discover more about our services.