Understanding Subject Access Requests

Imagine waking up one morning to find your inbox overflowing with emails from companies you barely remember. They know your name, your preferences, and even your recent purchases. Ever wondered how they got all that information and what they’re doing with it? That’s where Subject Access Requests (SARs) come in. They give you the power to peek behind the curtain and see what’s really happening with your data. 

In this blog, we’ll walk you through everything you need to know about SARs. From understanding your rights to handling requests effectively, we’ll help you make sense of the digital trail we all leave behind. Ready to take charge of your data story? Let’s dive in and empower ourselves! 

Table of Contents 

1) What is a Subject Access Request (SAR)? 

2) Why is Understanding Subject Access Requests Important? 

3) What is Personal Data Under GDPR? 

4) How to Make a Subject Access Request (SAR)? 

5) How to Respond to a Data Subject Access Request? 

6) What is the Time Limit for Responding to a Subject Access Request? 

7) Refusing and Handling Repeat Subject Access Requests 

8) Are Organisations Required to Comply with Every SAR? 

9) Conclusion 

What is a Subject Access Request (SAR)? 

A Subject Access Request (SAR) is a formal request made by an individual to an organisation for access to their personal data. Under the General Data Protection Regulation (GDPR), individuals have the right to know what information is being held about them, how it is being used, and who it is being shared with. 

In simple terms, SARs are a way for individuals to take control of their data. Whether you’re a consumer concerned about privacy or a business navigating data protection laws, understanding SARs is crucial.
Why is Understanding Subject Access Requests Important? 

We live in a world where personal data is at the heart of almost everything. From online shopping to banking and social media, your information is constantly being collected, processed, and stored. Understanding SARs allows individuals to ensure their data is handled responsibly and lawfully. 

For businesses, mishandling SARs can lead to hefty fines, reputational damage, and loss of trust. Navigating these requests effectively is not just a legal obligation but a demonstration of good data stewardship. 

What is Personal Data under GDPR? 

Personal data refers to any information or data that relates to an identified or identifiable individual. This can include: 

1) Basic details like your name, address, and phone number. 

2) Online identifiers like your IP address or cookie data. 

3) Sensitive information like your health records or political beliefs. 

Under GDPR, organisations are required to process this data fairly, transparently, and securely. If you’re wondering whether something qualifies as personal data, ask yourself: “Does this information reveal something about me as an individual?” If the answer is yes, it’s personal data. 

How to Make a Subject Access Request (SAR)? 

Making a SAR is straightforward and empowering. Follow these steps to make sure that your request is processed smoothly.
Making Subject Access Requests

1) Draft Your Request 

Write a clear and concise request. You don’t need any fancy legal jargon—just state that you’re making a SAR under GDPR and mention what information you’d like to access. For example: 

"I am writing to request access to the personal data you hold about me under the General Data Protection Regulation (GDPR). Please provide a copy of my data along with details of how it is being processed and shared." 

2) Send it to the Appropriate Contact 

Identify the correct recipient for your SAR. Most organisations have a dedicated Data Protection Officer (DPO) or a privacy team. Check the company’s website or privacy policy for guidance. 

3) No Fees Required 

One of the best things about GDPR is that organisations cannot charge for processing SARs unless the request is excessive or repetitive. In such cases, a reasonable fee may apply, but this is rare. 

4) Someone Else can Submit a SAR on Your Behalf 

If needed, you can appoint someone to make a SAR for you, such as a legal representative. Ensure you provide written consent to avoid delays. 

How to Respond to a Data Subject Access Request? 

If you’re on the receiving end of a SAR, handling it correctly is essential to stay compliant and maintain trust.
Responding to a Data Subject Access Request

1) Recognise the Subject Access Request 

SARs don’t have to follow a specific format, so you must be vigilant. A simple email, letter, or even a verbal request may qualify as a SAR. Train your team to identify these requests promptly. 

2) Confirm the Individual’s Identity 

Before releasing any information, confirm the requester’s identity. Ask for identification, if necessary, especially if sensitive data is involved. This step prevents unauthorised access. 

3) Clarify the Details of the SAR 

If the request is vague, seek clarification. For example, if an individual asks for "all my data," you might ask if they’re referring to specific accounts or interactions. This ensures you provide relevant information without wasting resources. 

4) Locate, Retrieve, and Gather the Requested Data 

Work systematically to locate the individual’s data. This might involve checking multiple systems, databases, or departments. Once retrieved, ensure the data is accurate and complete. 

5) Determine Applicable Exemptions 

Not all data has to be shared. For instance, information revealing trade secrets or impacting another person’s privacy may be exempt. Familiarise yourself with these exemptions to ensure lawful responses. 

6) Provide the Information Securely to the Individual 

When sharing the data, prioritise security. Use encrypted emails or password-protected files to minimise the risk of unauthorised access. 

7) Document the Decision-Making Process 

Keep a record of how you handled the SAR. This includes dates, communication logs, and decisions made regarding exemptions. Documentation can protect you in case of a dispute or audit. 

What is the Time Limit for Responding to a Subject Access Request? 

Time is of the essence when responding to SARs. Under GDPR, organisations must respond within one month of receiving the request. If the SAR is complex, you may extend this by an additional two months, but you must inform the individual of the delay and provide reasons. 

Delays without valid justification can lead to penalties and complaints, so stay on top of deadlines. 

Refusing and Handling Repeat Subject Access Requests 

Not every SAR must be fulfilled. You may refuse a request if it is: 

1) Manifestly unfounded (e.g., malicious or made with no real intent to access data). 

2) Excessive (e.g., repetitive without new context). 

However, you must inform the requester of your reasons and of their right to complain to a supervisory authority. 

Handling repeat requests requires judgment. If new data has been added or significant time has passed, fulfilling the SAR may still be necessary. 

Are Organisations Required to Comply with Every SAR? 

Not necessarily. GDPR allows organisations to refuse SARs in specific situations, such as when fulfilling the request would compromise intellectual property, harm others’ rights, or impose an unreasonable burden. Each case must be evaluated carefully, with decisions backed by clear reasoning. 

Conclusion 

Subject Access Requests empower individuals and challenge organisations to prioritise transparency and accountability. By mastering SAR processes, individuals can protect their privacy, and businesses can uphold trust while avoiding legal pitfalls. In an era where data is the new currency, SARs remind us of the value of control and clarity over our information. 

Frequently Asked Questions

What Happens if a Subject Access Request is Made Verbally? 

If a SAR is made verbally, it is still valid under GDPR. The organisation must document the request and process it like any written SAR. However, the individual may be asked to clarify or confirm details in writing to ensure accurate handling. 

Can an Organisation Charge a Fee for a Subject Access Request? 

No, organisations generally cannot charge for a SAR. However, if the request is excessive, repetitive, or unfounded, a reasonable fee may be charged. This fee must reflect the administrative cost of fulfilling the request. 
