How to submit a SAR (Subject Access Request) or IR (Individual Rights request).

You can find our SAR/IR form HERE.

Whilst the advent of GDPR/DPA2018 has strengthened some of our rights and generally made people more informed of these rights understanding how to enact them can still be rather confusing.

First, the basics, what are your rights? 

The GDPR provides the following rights for individuals:

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights in relation to automated decision making and profiling

You can read more about these rights HERE.  However, these rights are not absolute and in certain cases organisations can legally refuse. For example you cannot ask HMRC to delete your tax data if this is being processed to comply with a legal obligation. If you want to know more about how your rights are impacted by the lawful basis you can read our article HERE.

How to enact your rights

First I would recommend using a search engine to look for the name of the organisation and subject access request, ie “MapSterling Subject Access Request” and you will often find a page that guides you through the process.

If this does not work I recommend navigating to the company’s home page and looking for a ‘privacy’ or ‘privacy policy’ link. This is typically found right at the top or bottom of the home page. Once on this page, again I suggest you search (Cntrl+F) for ‘SAR’, ‘Subject access request’, ‘DSAR’ or ‘personal information’. Again there will often be a guide to take you through the process or contact details you can use. If you cannot find anything relating to a SAR you should always be able to find contact details for their DPO or their privacy team. Failing this you can either use a generic customer services contact details for your request or ask their customer services where a request should be sent.

If you only intend to submit a single request and there is a clearly explained process and a form for you to complete I would suggest you follow that process. This makes it less likely that errors will occur and it will normally mean the organisation can be more efficient and respond to you more quickly as they will be dealing with a form they understand well and have likely seen before.

If you plan to submit multiple request and/or the process is not well explained and clearly defined I suggest you use our form below and send this direct to the contact details you have gathered. This form fully explains their obligations as an organisation under GDPR and gives supporting links for both yourself and the organisation. Using this form means that you can send the same request to multiple organisations without having to re-write your contact details in a different way each time.

You can find our SAR/IR form HERE.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s