A subject access request (SAR) is a formal request to obtain personal information held by an organisation.
No. It is possible to make a verbal subject request. However, a request in writing can be helpful so that there is a written record of:
Data Processing refers to an organisation holding and/or using a person's personal information. The personal information being processed could have been gathered through a number of ways, such as through surveys or online forms, saving the personal data in databases, sharing the personal information with third parties, using personal information to create profiles, updating personal information with current data (e.g. address details).
A data subject is the person who owns the data or the person whose personal data is being held. While it is more common for natural persons to be data subjects, it is also possible for an organisation (e.g. a company) to be a data subject as the organisation could have legal personality and therefore have personal data.
Personal data means any information relating to an identified or identifiable natural person (a data subject). It is therefore information from which a person may be identified directly or indirectly. Examples of personal data include a data subject's:
The subject access request should be sent by the data subject. This person can either be a natural person or an organisation with a legal personality. The subject access request can also be sent by an authorised representative of the data subject where the data subject is incapable of doing it themselves.
Once the subject access request is ready, it should be signed and sent to the organisation either by post or electronically via email.
Proof of the data subject's identity should usually be provided with a subject access request (such as a copy of the driving licence or passport).
If the subject access request is made by a third party with authority to act on behalf of the data subject, copies of any evidence to confirm their authority to act should be attached to the request (e.g. a power of attorney).
The organisation should provide a response within 28 days.
Proof of the data subject's identity should be provided with a subject access request (such as a copy of the driving licence or passport).
If another person is making the request on the data subject's behalf, then they should attach proof of their authority to make the request. For example, this may include a copy of a power authority, or the data subject's written consent.
Under the law, a person can make a subject access request for free, however, in some cases, an organisation can ask that a fee should be paid in order to process the request. These include:
Yes, there are situations in law that permit an organisation to refuse a request. Where this is the case, the full reasoning should be sent out in the organisation's response. An example of such a situation is where the information being requested is covered by legal privilege, if the information is confidential or if processing the request will infringe on the rights and freedoms of another person.
If the sender wishes to dispute a response to a subject access request they can:
A subject access request should contain:
The main legal provisions that apply to a subject access request are:
It is also possible to obtain information, advice and guidance from the Information Commissioner's Office (ICO) about the use and retention of their data.
You can choose to consult a lawyer if you need help.
The lawyer can answer your questions or help you through the process. You will be offered this option when you complete the document.
You fill out a form. The document is created before your eyes as you respond to the questions.
At the end, you receive it in Word and PDF formats. You can modify it and reuse it.
Subject Access Request - Template - Word & PDF
Country: United Kingdom