6 min read

Writen by Zlatko Delev

Posted on: February 14, 2023

What Your Company Needs to Know About SAR

The right for every individual to access data held about them is a core principle of the GDPR. Individuals get hold of that data via a subject access request (SAR), but how should the request be made – and what happens when you receive one? GDPR Local’s Zlatko Delev explains.

In the UK and EU, you’ll find the Right of Access in Article 15 of the General Data Protection Regulation (GDPR)[1], which says:

“The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data.”

In addition to accessing information you hold about them, an individual has the right to know how you are processing their personal data. That means they have the right to know the purpose(s) for which the data is being held and processed and the length of the retention period (or at least an understanding of how the retention period is calculated). They have the right to object to how the data is processed, to demand its erasure or rectification, or to restrict its processing. In the UK, they also have the right to raise any concerns with the ICO[2], the UK’s supervisory authority.

In this post, we’ll explore what happens when an individual makes such a request, and how your organisation should react. Find full, detailed guidance on managing the right to access on the ICO’s website[3].

[1] Article 15 of the General Data Protection Regulation

[2] ICO


When is a request a request?

A SAR can be verbal or in writing. It doesn’t need to use specific wording, quote legislation or use the term ‘SAR’ or ‘subject access request’. If it looks like a request for an individual’s personal data, it should be treated as such.

How quickly should you respond to an SAR?

Without delay and within one month unless the request is complex. Where the request is complex, you can take an additional two months to comply. Best practice would recommend notifying an individual if their request will be delayed.

Do you need an individual’s ID before complying with their data request?

Yes. In fact, the one-month time limit doesn’t begin until you have received such identification, although you should request this information promptly.

How should you respond to a subject access request?

As a rule of thumb, you should comply with the subject’s preferences, where appropriate. If they ask for a verbal response to their request for records of processing activities, you should reply in kind if appropriate.

Where there is a risk that the individual will not be able to access the data in the format in which you provide it (for example, because it would require the recipient to have a specific piece of software) you should check they will be able to access it and, if not, provide it in alternative format.

Can you charge for a subject access request?

Usually you should provide the service for free. If, however, complying with the request will involve what the ICO describes as “manifestly excessive” work (or if the request is “manifestly unfounded”) you can charge a reasonable admin fee. You may also charge a fee if an individual requests additional copies of their data.

Can you refuse a SAR?

Yes. Once again, the ICO uses the phrases “manifestly excessive” and “manifestly unfounded”. You can find full details of how the ICO defines those terms below[1], but in general the test for ‘excessiveness’ is based on whether a request is clearly or obviously unreasonable, and the test for that is based on proportionality of the burden or cost of complying. The test for ‘manifestly unfounded’ is a little murkier. Although the ICO provides a list of examples which may constitute unfoundedness (e.g. malicious intent such as harassment, personal grudges or a campaign designed to cause disruption), the context is important. The ICO uses the example of an individual wanting to understand how you are processing personal data about them, and using abusive language in their request. While unacceptable, it doesn’t necessarily render their application ‘unfounded’.  

Ask for GDPR advice

Our GDPR consultancy services can help every business deal with personal data protection more effectively. For GDPR advice on Article 15, talk to Zlatko.


Contact Us

Hope you find this useful. If you need an EU Rep, have any GDPR questions, or have received a SAR or Regulator request and need help then please contact us anytime. We are always happy to help...
GDPR Local team.

Contact Us

Recent blogs

EU AI Act Summary: Key Compliance Insights for Businesses

The EU AI Act is a pioneering attempt to regulate AI systems, striving for a balance between foster

AI Act: Fundamental Rights Impact Assessments (FRIA) – Who, When, Why, and How to Ensure Ethical AI Deployment

The European Union (EU) has positioned itself as a leader in shaping the responsible development an

How the Privacy Act Protects Personal Information in Australia

 As cyber threats loom larger and data breaches become more common, the significance of strong

Get Your Account Now

Setup in just a few minutes. Enter your company details and choose the services you need.

Create Account

Get In Touch

Not sure which option to choose? Call, email, chat to us

Contact Us

Stay Up-To-Date

Leave your details here and we’ll send you updates and information on all aspects of GDPR and EU Representative. We won’t bombard you with emails and you will be able to tell us to stop anytime.

Full Name is required!

Business Email is required!

Company is required!

Please accept the Terms and Conditions and Privacy Policy