How to recognise and respond to a GDPR Subject Access Request
Recognising and responding to UK GDPR subject access requests (SARs) is a key part of data protection and privacy law compliance. It is also one of the most common ways employees encounter customers and clients asserting their rights under the UK GDPR[1] and the Data Protection Act 2018.
Organisations that operate within the EU[2] must also comply with EU GDPR subject access requests and, as we shall see below, draft guidelines released by the European Data Protection Board (EDPB) in January of this year have raised the bar concerning what is expected of data controllers.
Before discussing how a person receiving an SAR can recognise and respond to the request, let us briefly point out what an SAR is.
What is a subject access request?
Article 15 of the UK GDPR provides a person with the right to:
• Know whether personal data relating to them is being processed,
• Receive certain prescribed information concerning the processing of their data, for example whether automated processing is being used and the safeguards implemented when transferring their personal data to a third country, and
• Receive a copy of all the personal data you have relating to them.
The above rights are not absolute. You can refuse to provide the information if an exemption or restriction applies, or if the request is manifestly unfounded or excessive.
How do I recognise a UK GDPR subject access request?
SARs can be made verbally or in writing, including over social media, or by a third party. A request is valid so long as the person is requesting access to their own personal data. In the case of requests made by third parties, for example, a friend, relative, solicitor, or accountant, you must check that they have been authorised by the data subject to make the request.
An SAR does not have to refer to the GDPR or any other legislation. Even if your organisation provides an SAR form, you cannot refuse to deal with requests sent via another method.
How long do I have to respond to a subject access request (SAR)?
You must respond to an SAR within one month of receipt.
This can be extended by a further two months if the request is complex or you have received several requests from the person. If you process significant amounts of personal data, you can request that the data subject clarify the specific information they wish to access/obtain a copy of. Although the time limit will be paused until you receive clarification, you should still send any other data you know has been requested within one month.
How should I respond to a GDPR subject access request?
It is best practice to respond to an SAR in the same format in which you receive the request; for example, if the request is sent via email, reply by email. If possible, you should establish the requester’s preferred mode of communication as early as you can.
Can we charge a fee for a subject access request?
For business owners, one of the most frustrating aspects of a subject access request (SAR) is that in most cases, you are forbidden by law to charge for the time and resource it takes to fulfil them. The Information Commissioner’s Office (ICO) states that:
“you can charge a ‘reasonable fee’ for the administrative costs of complying with a request if it is manifestly unfounded or excessive, or if an individual requests further copies of their data.”
Unfortunately, this is not helpful when it comes to locating, collating, and sending requested data which may run into thousands of pages. With this in mind, below are our three top tips for making SAR compliance easier:
1. Put accessible policies and procedures in place covering the operational steps of dealing with an SAR, namely[3]:
   • assessing the validity of the access request;
   • searching for personal data relating to the requester;
   • considering whether any statutory exemptions apply; and
   • responding to the request.
2. Ensure you have an up-to-date data map which sets out where the personal data your business holds is kept, who can access it, and how.
3. The employee dealing with an SAR must keep meticulous records explaining the steps they took to fulfil the request. If the SAR is refused, reasons for this decision must be documented. These records will provide evidence should the data subject complain and the ICO subsequently launch an investigation.
Concluding comments
The above provides a guide to fulfilling SARs under the UK GDPR. As mentioned above, the EDPB has released draft guidelines concerning SARs which, if adopted, controllers and processors of EU citizens’ data will need to be aware of. For example, the guidelines aim to clarify when a controller can refuse an SAR for being ‘manifestly unfounded’ or ‘excessive’ or be permitted to charge a reasonable fee. The draft guidelines state that the term ‘manifestly unfounded’ is to be interpreted narrowly and the fact that a particular request will involve a lot of time and effort does not necessarily mean it will qualify as excessive. However, the controller can consider the motives behind the request and may be able to refuse to comply if it is initiated with the aim of ‘causing damage or harm or disruption to the controller.’
To ensure you and your team can comply with SARs, it is vital to seek professional advice and ensure everyone receives sufficient training on recognising and responding to requests. As with all matters concerning compliance (and law in general), prevention is far more effective and cheaper than the cure.
To find out more about any matters discussed in this article, please email us at info@43legal.com
Please note that this article does not constitute legal advice.
[1] Along with many other EU laws, the principles and regulations of the GDPR were transposed into what is now known as the UK GDPR. From 1 January 2020, the EU GDPR ceased to apply to UK personal data; however, it continues to apply to EU personal data processed by UK-based organisations. At the time of writing, the texts of the UK GDPR and EU GDPR are almost identical.
[2] This article refers to the EU; however, the same principles and laws apply to the EEA States.
[3] Brennan, D, The new Guidelines on access requests – is the bar now too high?, P. & D.P. 2022, 22(5), 9-12