Subject access is a fundamental right of individuals under the General Data Protection Regulation (GDPR). Whatever business you're in, if you hold or process personal data, you may have to respond to a request at some point.
What is a subject access request (SAR)?
A subject access request is the right of an individual to request a copy of any personal information you may hold on them.
- can be verbal or in writing
- can be submitted by any means, eg via web form, email, letter, phone call, etc
- can be made to any part of your business, not just a specific department
- doesn't have to explicitly state the phrase 'subject access request', but has to be clear that the individual is requesting their own personal data
The GDPR doesn't stipulate what makes a request valid. It also doesn't require you to have a standardised form for SARs, although it recommends that individuals should be able to make requests to you electronically.
Who can request a personal information?
Individuals will only be able to request access to their own personal data, unless:
- they are acting on behalf of someone
- the data that relates to another person also happens to relate to them
Under the GDPR, you can ask individuals to provide proof of identity before you comply with their request. This helps avoid third parties gaining unlawful access to personal data. You should only ask for minimum information necessary to confirm who they are.
You may not have to comply with certain rights of data subjects if you cannot identify which data in your possession relates to the relevant data subject.
What is included in a subject access request?
As well as a copy of their personal data, the data subject is also entitled to receive:
- confirmation of whether you are processing their data
- other supplementary information (including mandatory privacy information)
Before responding to any request, you should establish if the information requested falls within the definition of personal data. See the definition in what is the GDPR.
How to deal with GDPR data subject access requests?
To comply with subject access requests, you have to:
- respond to a request without undue delay and within one month of receipt
- give information in a concise, transparent, intelligible and easily accessible form
- use clear and plain language, especially if you are disclosing information to a child
- respond electronically, if the request was made by same means - unless asked otherwise
You could consider providing data subjects remote access to a secure self-service system, which would give them direct access to their information - eg allow employees to access their own personal data held on a secure HR system.
How long do I have to comply with SAR?
In most cases, you have one calendar month (from the day after you receive the request) to comply with a subject access request. If you fail to meet this deadline, the individual who made the request may complain to the Information Commissioner's Office.
You can extend the timescale to respond by a further two months, if the request is complex or you have received a number of requests from the individual.
If you process a large amount of information about an individual, you can ask them to clarify their request. Let them know as soon as possible if you need more information. In this case, the one month mark for responding to the request begins when you receive the additional information.
Can you charge for subject access requests?
In most cases, you cannot charge a fee to comply with a subject access request. However, you may charge a ‘reasonable fee’ for the administrative costs of complying with the request:
- if the request is manifestly unfounded or excessive
- if an individual requests further copies of their data following a request
Can I refuse subject access request?
You may be able to refuse to grant an access request if you deem it manifestly unfounded or excessive. However, you will need to have clear refusal policies and procedures in place, and demonstrate why the request meets these criteria.
Find further information on subject access requests.
This guide aims to help you understand GDPR and your obligations under the law, but it does not constitute legal advice. For definitive legal guidance, see the ICO's guide on GDPR or consider getting independent legal advice.