The GDPR Essentials: Dealing with Subject Access Requests

31st July 2024

Your guide to Subject Access Requests

Individuals have several rights under the UK GDPR, one of these being the right of access. This gives individuals the right to obtain a copy of their personal data, as well as other supplementary information.

What is a SAR?

Any individual can send a Subject Access Request (SAR) to an organisation that may hold their data, e.g., customers that have purchased something from a company, or employees sending one to their employer. It can be made verbally or in writing, including on social media and it can be made by a third party on behalf of the individual. You need to be satisfied that you know the identity of the requester and so you can ask for information to very their identity but only if this is necessary, as the timescale for responding to a SAR does not begin until you have received the information you ask for. For example, if the request came from an employee, it wouldn’t be necessary to ask for their ID for example.

Do you have to respond?

All organisations are legally obligated to respond to a SAR without undue delay and at the latest within one month of receiving the request, unless the request is complex or you have received several requests from the same individual, in which case you can extend the time to respond by a further two months. An exemption may apply that allows you to refuse to provide all or some of the requested information and you can also refuse to comply with a SAR if it is manifestly unfounded or manifestly excessive, but this is a very high threshold. In the majority of cases, you must respond to the SAR and provide all of the information requested.

Obviously, you can only provide them with the information they have requested if you have it as it may have been deleted in accordance with your retention policy. You cannot delete the information after you have received the request.

If you refuse to comply with a request, you must respond to the SAR and explain why, point out their right to complain to the ICO and to enforce the SAR through the courts.

How do you respond?

You must respond with all the information the individual has requested unless an exemption applies. There are several exemptions but the most common are if the information contains personal data of someone else that you should not disclose without consent, if it comprises of/includes communications with your solicitor as it is protected by legal privilege and shouldn’t be disclosed, or the information is confidential business data you would not want in the public domain.

If exemptions apply to some parts of the information requested, you must still comply with the request but redact any information that is exempt.

If the individual requests a large amount of information, you may respond and ask them to clarify their request, but you are not able to ask them to limit their request.

What other information is an individual entitled to?

As well as the information requested, individuals have the right to receive information such as your purposes for processing, the categories of personal data you’re processing, who you disclose the personal data to, and the retention period, just to name a few. The supplementary information you must provide largely corresponds with the information you should have in your privacy policy.

If you have received a SAR and need some advice on how to respond, whether exemptions apply or what to redact, please contact sophiebrazier@schofieldsweeney.co.uk.

 

We’re here for you – contact us today

0300 124 0406
enquiries@schofieldsweeney.co.uk

Contact Us

Bradford office

Church Bank House
Bradford
West Yorkshire
BD1 4DY

What3words - names.frosted.broke
Phone: 01274 350 800 Fax: 01274 306 111

Leeds office

Centura
76 Wellington Street
Leeds
West Yorkshire
LS1 2AY

What3words - crass.makes.store
Phone: 0113 849 4000 Fax: 0113 243 9326

Huddersfield office

30 Market Street
Huddersfield
West Yorkshire
HD1 2HG

What3words - eaten.salads.case
Phone: 01484 915 000 Fax: 0800 368 8449

London office

33 Bedford Row
London
WC1R 4JH
Phone: 020 8146 5119
Copyright © Schofield Sweeney Solicitors. All Rights Reserved.

Schofield Sweeney LLP is authorised and regulated by the Solicitors Regulation Authority.

Website by Tall
Conveyancing Quality