Data Protection & Subject Access Requests

We can help with all aspects of data protection law

What is a Subject Access Request?

A Subject Access Request (SAR) is a request made by an individual to an organisation for access to personal data that the organisation holds about them. Under the UK Data Protection Act 2018, which aligns with the General Data Protection Regulation (GDPR), individuals have the right to know what information is being processed about them and how it is being used. This request is a vital tool for transparency, allowing individuals to understand and verify the data held by organisations.

What is Included in a Subject Access Request?

When an individual submits a Subject Access Request, the organisation is required to provide a comprehensive overview of the personal data it holds. This includes:

  1. Personal Data: This encompasses any information that can identify the individual directly or indirectly. Examples include names, contact details, identification numbers, or any data linked to the individual, such as employment records or transaction history.
  2. Purpose of Processing: The organisation must clarify why the personal data is being processed. This could be for a range of reasons, such as fulfilling a contract, legal obligations, or for legitimate interests pursued by the organisation.
  3. Data Sources: If the personal data was not collected directly from the individual, the organisation must disclose where the information originated. This helps in understanding how the data was obtained and whether any third parties are involved.
  4. Recipients of Data: The organisation should provide information about any third parties or entities with whom the personal data has been shared. This can include service providers, affiliates, or regulatory bodies.
  5. Retention Period: An explanation of how long the personal data will be retained by the organisation is required. If it is not possible to specify the exact duration, the organisation should provide criteria used to determine this period.
  6. Rights Related to Data: The individual should be informed of their rights concerning the personal data, including the right to rectify inaccurate data, the right to request erasure, and the right to restrict processing under certain conditions.

How to Make a Subject Access Request

To make a Subject Access Request, the individual must contact the organisation holding their data, typically in writing, though some organisations may have specific forms or online processes for this purpose. The request should include sufficient detail to help the organisation locate the data, such as names, dates, and any other relevant identifiers. Organisations are generally required to respond within one month, although this period can be extended in complex cases. There is usually no fee for making a SAR, but organisations can charge a reasonable fee for excessive or unfounded requests.

Subject Access Request Time Limit

Under the UK Data Protection Act 2018, which incorporates the General Data Protection Regulation (GDPR), organisations are required to respond to a Subject Access Request (SAR) within one month of receiving it. This time limit is designed to ensure that individuals can promptly access their personal data and verify how it is being used. In certain circumstances, such as if the request is particularly complex or if multiple requests are made by the same individual, the organisation may extend this period by up to two additional months. However, if an extension is necessary, the organisation must inform the individual of the delay and the reasons for it within the initial one-month period. This time limit helps maintain transparency and accountability in data processing, ensuring that individuals’ rights to access their data are respected in a timely manner.

Subject Access Request Emails About Me

When submitting a Subject Access Request (SAR) to obtain emails that mention or relate to you, the organisation must provide access to any personal data contained within those communications. This includes emails where you are directly or indirectly identified, such as through your name, job title, or other identifiable characteristics. The organisation is obliged to search its records, including emails, and provide copies of relevant data. This can include emails sent to and from the organisation’s staff, internal communications, and correspondence with third parties that contain your personal data. However, it’s important to note that while the organisation must provide access to your personal data, it may redact or withhold parts of the emails if they contain third-party information or if they fall under specific exemptions, such as legal privilege or other individuals’ rights. This ensures a balance between transparency and protecting the privacy and interests of all parties involved.

Subject Access Request Legal Advice

When submitting a Subject Access Request (SAR), seeking legal advice can be highly beneficial. A legal professional can help you understand your rights under data protection laws, ensuring that your request is comprehensive and specific enough to cover all relevant personal data. They can also assist in interpreting the responses you receive, identifying any withheld information or potential data protection breaches. Moreover, if the organisation fails to comply with your request or disputes arise regarding the information provided, a lawyer can guide you through the process of filing a complaint with the Information Commissioner’s Office (ICO) or pursuing further legal action. This support can be crucial in navigating complex legal language and procedures, helping to protect your rights and interests effectively.

Supporting you through the process

Discover how our specialist team can help you.