
Written by Zlatko Delev

Posted on: February 14, 2023

What Your Company Needs to Know About SAR

The right for every individual to access data held about them is a core principle of the GDPR. Individuals get hold of that data via a subject access request (SAR), but how should the request be made – and what happens when you receive one? GDPR Local’s Zlatko Delev explains.

In the UK and EU, you’ll find the Right of Access in Article 15 of the General Data Protection Regulation (GDPR)[1], which says:

“The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data.”

In addition to accessing information you hold about them, an individual has the right to know how you are processing their personal data. That means they have the right to know the purpose(s) for which the data is being held and processed and the length of the retention period (or at least an understanding of how the retention period is calculated). They have the right to object to how the data is processed, to demand its erasure or rectification, or to restrict its processing. In the UK, they also have the right to raise any concerns with the ICO[2], the UK’s supervisory authority.

In this post, we’ll explore what happens when an individual makes such a request, and how your organisation should react. Find full, detailed guidance on managing the right to access on the ICO’s website[3].


[1] Article 15 of the General Data Protection Regulation

[2] ICO

[3] https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/right-of-access/

When is a request a request?

A SAR can be verbal or in writing. It doesn’t need to use specific wording, quote legislation or use the term ‘SAR’ or ‘subject access request’. If it looks like a request for an individual’s personal data, it should be treated as such.

How quickly should you respond to a SAR?

Without delay and within one month unless the request is complex. Where the request is complex, you can take an additional two months to comply. Best practice would recommend notifying an individual if their request will be delayed.

Do you need an individual’s ID before complying with their data request?

Yes. In fact, the one-month time limit doesn’t begin until you have received such identification, although you should request this information promptly.

How should you respond to a subject access request?

As a rule of thumb, you should comply with the subject’s preferences where appropriate. If they ask for a verbal response to their request for records of processing activities, you should reply in kind, provided that is appropriate in the circumstances.

Where there is a risk that the individual will not be able to access the data in the format in which you provide it (for example, because it would require the recipient to have a specific piece of software), you should check that they will be able to access it and, if not, provide it in an alternative format.

Can you charge for a subject access request?

Usually you should provide the service for free. If, however, complying with the request will involve what the ICO describes as “manifestly excessive” work (or if the request is “manifestly unfounded”) you can charge a reasonable admin fee. You may also charge a fee if an individual requests additional copies of their data.

Can you refuse a SAR?

Yes. Once again, the ICO uses the phrases “manifestly excessive” and “manifestly unfounded”. You can find full details of how the ICO defines those terms below[1]. In general, the test for ‘excessiveness’ is whether a request is clearly or obviously unreasonable, judged by the proportionality of the burden or cost of complying. The test for ‘manifestly unfounded’ is a little murkier. Although the ICO provides a list of examples which may constitute unfoundedness (e.g. malicious intent such as harassment, personal grudges or a campaign designed to cause disruption), context is important. The ICO uses the example of an individual who wants to understand how you are processing personal data about them and uses abusive language in their request. While unacceptable, that doesn’t necessarily render their application ‘unfounded’.

Ask for GDPR advice

Our GDPR consultancy services can help every business deal with personal data protection more effectively. For GDPR advice on Article 15, talk to Zlatko.


[1] https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/right-of-access/when-can-we-refuse-to-comply-with-a-request/#refuse3

Contact

I hope you find this useful. If you need an EU representative, have questions about the GDPR, or have received a SAR or regulatory request and need help, you can contact us at any time. We are always happy to help...
GDPR Local Team.
