What is a subject access request?

Put simply, it is a request from an individual to obtain a copy of all the information an organisation holds about them, together with information about how and why the organisation is using their data. This allows you to check that the data is accurate, relevant and being processed lawfully. Everybody has this right and it is considered a cornerstone of data protection regulation; however, in some instances (such as law enforcement purposes) this right can be restricted.

Key changes to Subject Access Requests under the GDPR

SARs are not a new right but the GDPR has made some key changes.

  1. A reduction in the SLA to 1 month. Previously organisations had an SLA of 40 days to respond to a SAR. Organisations are now required to respond within 1 month. To calculate this, take the date you applied and add one month and one day; for example, a request made on 3rd June would be due back by the 4th of July. Organisations may, however, extend this period by a further 30 days under certain circumstances, such as a request that is deemed complex or repetitive, but they must still respond within 30 days to explain why your request has been delayed.
  2. An obligation to respond electronically. Where requests are made electronically by an individual (also known as a data subject), organisations should respond in a commonly used electronic format unless you request otherwise. This will typically be in the form of a PDF. The ICO suggests it is best practice for companies to provide a portal to access this information, such as Egress.
  3. A removal of the fee. Previously organisations could charge a £10 fee for all SARs; the GDPR has now forced them to remove this fee. However, a ‘reasonable fee’ may still be levied under certain circumstances (manifestly unfounded, excessive or repetitive requests, or requests for further copies).
  4. Additional processing information. The organisation is also required to tell you how and why they are using your personal data. You can find a full list of what is required in Article 15 of the GDPR, which you can view in full HERE. It includes information such as their reason for processing your data and how long it will be retained.

An organisation cannot: 

  • Force you to use their form
  • Force you to submit your form in a specific manner
  • Force you to provide more information than is required to prove your identity
  • Force you to prove your address (unless you have requested hard copies)
  • Force you to withdraw your request
  • Put undue pressure on you to narrow your request

Further information on SARs

  • Opinions on you count as personal data but personal data relating to other individuals may be redacted.
  • An organisation is under no obligation to provide data in specified electronic formats.
  • Forcing an individual to submit a SAR is a criminal offence under the DPA 2018.
  • Organisations MUST provide a response within 30 days even if it is simply to inform you that your request has been delayed.
  • If an organisation delays your request or wishes to charge a fee they must explain why.
  • You have a right to complain to the regulator (in the UK this is the Information Commissioner's Office). You can see their complaints page HERE.
  • You can submit requests verbally but you may still be required to send documents to prove your identity.
  • If an organisation uses industry terms or abbreviations these must be explained. According to the ICO the response “should be capable of being understood by the average person”.
  • The ICO also states that “it is unlikely to be reasonable to extend the time limit if you are requesting proof of identity before considering the request”.
  • The obligation to respond to SARs lies with data controllers, not processors; however, controllers are responsible for making sure that requests submitted to processors are still dealt with.

References:

GDPR full text

ICO guidance on SARs

IAB Europe GDPR Implementation Working Group working paper on SARs
