Imagine waking up one morning to find your inbox overflowing with emails from companies you barely remember. They know your name, your preferences, and even your recent purchases. Ever wondered how they got all that information and what they’re doing with it? That’s where Subject Access Requests (SARs) come in. They give you the power to peek behind the curtain and see what’s really happening with your data.
In this blog, we’ll walk you through everything you need to know about SARs. From understanding your rights to handling requests effectively, we’ll help you make sense of the digital trail we all leave behind. Ready to take charge of your data story? Let’s dive in and empower ourselves!
Table of Contents
1) What is a Subject Access Request (SAR)?
2) Why is Understanding Subject Access Requests Important?
3) What is Personal Data Under GDPR?
4) How to Make a Subject Access Request (SAR)?
5) How to Respond to a Data Subject Access Request?
6) What is the Time Limit for Responding to a Subject Access Request?
7) Refusing and Handling Repeat Subject Access Requests
8) Are Organisations Required to Comply with Every SAR?
9) Conclusion
What is a Subject Access Request (SAR)?
A Subject Access Request (SAR) is a formal request made by an individual to an organisation for access to the personal data it holds about them. Article 15 of the General Data Protection Regulation (GDPR) gives individuals the right to confirm whether their data is being processed, to receive a copy of it, and to be told why it is processed, who it is shared with, how long it is kept and where it came from.
In simple terms, SARs are a way for individuals to take control of their data. Whether you’re a consumer concerned about privacy or a business navigating data protection laws, understanding SARs is crucial.
Why is Understanding Subject Access Requests Important?
We live in a world where personal data is at the heart of almost everything. From online shopping to banking and social media, your information is constantly being collected, processed, and stored. Understanding SARs allows individuals to ensure their data is handled responsibly and lawfully.
For businesses, mishandling SARs can lead to hefty fines, reputational damage, and loss of trust. Navigating these requests effectively is not just a legal obligation but a demonstration of good data stewardship.
What is Personal Data under GDPR?
Personal data refers to any information or data that relates to an identified or identifiable individual. This can include:
1) Basic details like your name, address, and phone number.
2) Online identifiers like your IP address or cookie data.
3) Sensitive information like your health records or political beliefs.
Under GDPR, organisations are required to process this data lawfully, fairly, transparently and securely. If you are unsure whether something counts as personal data, ask whether it relates to, or could reasonably be linked back to, an identifiable individual. The answer is often yes even when no name is attached: an IP address or device identifier in a web server log is personal data because it can be combined with other information to single a person out.
How to Make a Subject Access Request (SAR)?
Making a SAR is straightforward and empowering. Follow these steps to make sure that your request is processed smoothly.
1) Draft Your Request
Write a clear and concise request. You don’t need any fancy legal jargon—just state that you’re making a SAR under GDPR and mention what information you’d like to access. For example:
"I am writing to request access to the personal data you hold about me under the General Data Protection Regulation (GDPR). Please provide a copy of my data along with details of how it is being processed and shared."
2) Send it to the Appropriate Contact
Identify the correct recipient for your SAR. Most organisations have a dedicated Data Protection Officer (DPO) or a privacy team. Check the company’s website or privacy policy for guidance.
3) No Fees Required
Organisations must provide the first copy of your data free of charge. Only where a request is manifestly unfounded or excessive, in particular because it repeats an earlier request, may they charge a reasonable fee based on their administrative costs (or refuse to act), and GDPR places the burden of demonstrating that on the organisation, not on you. A reasonable fee may also be charged for further copies of data you have already received.
4) Someone Else can Submit a SAR on Your Behalf
If needed, you can authorise someone else, such as a solicitor or a relative, to make a SAR for you. Give them written authority that the organisation can check, otherwise it is entitled to query whether they really act for you, which delays the response.
How to Respond to a Data Subject Access Request?
If you’re on the receiving end of a SAR, handling it correctly is essential to stay compliant and maintain trust.
1) Recognise the Subject Access Request
SARs don’t have to follow a specific format, so you must be vigilant. A simple email, letter, or even a verbal request may qualify as a SAR. Train your team to identify these requests promptly.
2) Confirm the Individual’s Identity
Before releasing any information, confirm that the requester is who they claim to be. Disclosing someone's personal data to the wrong person is itself a personal data breach, so treat this step as an access-control decision: rely first on details you already hold or on a channel already linked to the account (for example, a reply sent to the registered e-mail address), ask for additional proof of identity only where that is proportionate to the sensitivity of the data, and do not collect more identity data than you need to make the decision. If you do need further proof, ask for it promptly, since the response clock cannot reasonably run while you are unable to confirm whom you are dealing with.
3) Clarify the Details of the SAR
If the request is vague, seek clarification. For example, if an individual asks for "all my data," you might ask if they’re referring to specific accounts or interactions. This ensures you provide relevant information without wasting resources.
4) Locate, Retrieve, and Gather the Requested Data
Work systematically to locate the individual's data. This usually means searching more than the obvious customer record: CRM and billing systems, support tickets, e-mail mailboxes, chat and call records, application and web server logs, and data held by processors acting for you can all contain personal data about the requester. Once retrieved, check that what you have gathered is accurate and complete before you move on.
5) Determine Applicable Exemptions
Not all data has to be shared. For instance, information revealing trade secrets or impacting another person’s privacy may be exempt. Familiarise yourself with these exemptions to ensure lawful responses.
6) Provide the Information Securely to the Individual
When sharing the data, prioritise security. Use an encrypted channel or an encrypted, password-protected file, and send the password by a separate route (for example by phone or SMS rather than in the same e-mail as the file). Deliver the response to an address or secure portal already associated with the individual, not to a new address supplied in the request unless you have verified it, and keep a record of exactly what was sent and where.
7) Document the Decision-Making Process
Keep a record of how you handled the SAR. This includes dates, communication logs, and decisions made regarding exemptions. Documentation can protect you in case of a dispute or audit.
What is the Time Limit for Responding to a Subject Access Request?
Time is of the essence when responding to SARs. Under GDPR, organisations must respond without undue delay and at the latest within one month of receiving the request. Where a request is complex, or an individual has made several requests, that period may be extended by up to two further months, but you must tell the individual about the extension and the reasons for it within the first month; an extension announced after the original deadline has passed is simply a late response.
Delays without valid justification can lead to penalties and complaints, so stay on top of deadlines.
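The deadline rule above has an awkward edge case: "one month" from a request received on 31 January cannot land on 31 February. The following Python is an added example, not code from the original post, of a small SAR intake record that computes the response date and keeps the decision log described in step 7. It assumes the convention the UK ICO guidance describes (the corresponding calendar day in the following month, or the last day of that month if it is shorter) and that the clock starts on the day the request is received; it does not model public holidays or any pause while identity is verified, which organisations handle differently.

```python
"""
Added example (not from the original post): a minimal SAR intake record that
computes the Article 12(3) response deadline and records the audit trail.

Assumptions, labelled as such:
- Deadline convention follows UK ICO guidance: the corresponding calendar day
  in the target month, clamped to the last day of that month if it is shorter
  (a request received on 31 January is due on 28 or 29 February).
- The clock starts on the day of receipt. A complexity extension of up to two
  further months must be recorded and notified within the first month.
- Plain calendar dates only: no public-holiday or identity-check pause logic.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass, field
from datetime import date


def add_months(start: date, months: int) -> date:
    """Corresponding calendar day `months` later, clamped to month end."""
    month_index = start.month - 1 + months
    year = start.year + month_index // 12
    month = month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


@dataclass
class SarRecord:
    """One Subject Access Request and the decisions taken on it."""

    request_id: str
    received: date
    extended: bool = False
    # (date, event) pairs: the documentation trail step 7 asks for.
    log: list[tuple[date, str]] = field(default_factory=list)

    def note(self, when: date, event: str) -> None:
        """Append a dated entry to the audit trail."""
        self.log.append((when, event))

    @property
    def deadline(self) -> date:
        """One month from receipt, or three months once extended."""
        return add_months(self.received, 3 if self.extended else 1)

    def extend(self, today: date, reason: str) -> date:
        """Record a complexity extension; only lawful within the first month."""
        if self.extended:
            raise ValueError("a request may be extended only once")
        if today > add_months(self.received, 1):
            raise ValueError("extension must be notified within the first month")
        self.extended = True
        self.note(today, f"extended under Art. 12(3): {reason}")
        return self.deadline

    def days_remaining(self, today: date) -> int:
        """Days left before the deadline (negative once overdue)."""
        return (self.deadline - today).days

    def is_overdue(self, today: date) -> bool:
        return self.days_remaining(today) < 0


if __name__ == "__main__":
    # Constructed sample: a request received on a month-end date.
    sar = SarRecord("SAR-2024-001", date(2024, 1, 31))
    sar.note(date(2024, 1, 31), "received by e-mail; identity confirmed via registered address")
    print("initial deadline:", sar.deadline)           # 2024-02-29 (leap year)
    sar.extend(date(2024, 2, 20), "data spread across three legacy systems")
    print("extended deadline:", sar.deadline)          # 2024-04-30
    for when, event in sar.log:
        print(when, event)
```

The month-end clamp is the part people get wrong by hand; `add_months` also covers the extension case, where a request received on 30 November is due on 28 February (or 29 in a leap year) once extended.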
Refusing and Handling Repeat Subject Access Requests
Not every SAR must be fulfilled. If a request is:
1) Manifestly unfounded (e.g., malicious or made with no real intent to access data).
2) Excessive (e.g., repetitive without new context).
You may refuse it, or charge a reasonable fee for dealing with it. Either way you must tell the requester without undue delay, and within one month, what you have decided and why, and that they can complain to the supervisory authority or seek a judicial remedy. Bear in mind that GDPR puts the burden of proving that a request is manifestly unfounded or excessive on the organisation, so record the evidence for that conclusion at the time.
Handling repeat requests requires judgment. If new data has been added or significant time has passed, fulfilling the SAR may still be necessary.
Are Organisations Required to Comply with Every SAR?
Not necessarily, but outright refusal is the exception. GDPR allows organisations to decline a request that is manifestly unfounded or excessive, and the right to a copy of the data must not adversely affect the rights and freedoms of others, which is where trade secrets, intellectual property and other people's personal data come in. Those limits normally justify redacting or withholding the affected parts, not refusing the whole request: the rest of the data must still be provided. Each case must be evaluated carefully, with the decision and its reasoning recorded.
Conclusion
Subject Access Requests empower individuals and oblige organisations to take transparency and accountability seriously. By mastering the SAR process, individuals can protect their privacy, and businesses can uphold trust while avoiding legal pitfalls. In an era where data is treated as currency, SARs are a reminder that people retain control over, and a right to clarity about, their own information.
Frequently Asked Questions
Is a Subject Access Request made verbally still valid?
Yes. A SAR made verbally is still valid under GDPR, which prescribes no particular format. The organisation must document the request and process it like any written SAR. It may, however, ask the individual to clarify or confirm the details in writing to make sure the request is handled accurately.
Can an organisation charge a fee for a Subject Access Request?
No, organisations generally cannot charge for a SAR. However, if the request is manifestly unfounded or excessive, for example because it is repetitive, a reasonable fee may be charged. This fee must reflect the administrative cost of fulfilling the request.