A subject access request (SAR) is a request made by an individual to an organization (data controller) to obtain a copy of their personal data that the organization holds about them. This right is provided under data protection laws such as the UK GDPR and the EU GDPR. The purpose of a SAR is to allow individuals to see what personal information is being processed, understand how and why it is used, and verify that it is being handled lawfully.

Key points about a subject access request include:
- It can be made verbally or in writing, including via social media, and does not require specific wording or reference to legislation
- A third party can make a SAR on behalf of the individual, but the organization must verify that the third party is authorized to act on the individual's behalf
- Organizations must respond to a SAR without undue delay and within one month of receipt, with a possible extension of two months for complex or multiple requests
- The response should include a copy of the personal data, supplementary information such as the purposes of processing, categories of data, recipients of the data, retention periods, and the rights of the individual (e.g., to rectification or complaint)
- Organizations should provide the information in an accessible, concise, and secure manner
- They cannot usually charge a fee to fulfill a SAR unless the request is manifestly unfounded or excessive
- SARs help individuals exercise control over their personal data and ensure transparency in data processing
In summary, a subject access request is a formal mechanism for individuals to access their personal data held by organizations, enabling transparency and control over the processing of their personal information.