Subject Access Request Policy

Under the GDPR an individual (Data Subject) has the right to obtain from the Data Protection Officer confirmation as to whether personal data concerning him or her is being processed. Where that is the case, the Data Subject is entitled to access to that personal data and certain information as follows:

  1. the purposes of the processing
  2. categories of personal data concerned
  3. the recipients or categories of recipients to whom the personal data have been or will be disclosed (particularly recipients in other countries or international organisations)
  4. where possible the period for which the personal data may be stored or, if that is not possible, the criteria used to decide that period
  5. the existence of the right to request, from the Data Protection Officer, rectification of the data or erasure of the data (if not contractual requirements) or restriction on processing of the data or to object to the processing.
  6. the right to lodge a complaint with the ICO
  7. where the personal data has not been collected from the Data Subject, any available information as to the source of that data
  8. the existence of any automated decision making and information about that decision making

If personal data is transferred to a third country or to an international organisation the Data Subject is entitled to be informed about the appropriate safeguards which have been made relating to the transfer.

The Data Protection Officer must provide a copy of the personal data which it is processing (i.e. a copy of all the personal data about the Data Subject which it holds).

The Data Protection Officer is not allowed to charge a fee for the provision of information in response to a Subject Access Request. If the Data Subject requires further copies of the personal data, then the Data Protection Officer can charge a reasonable fee based on the administrative costs of providing the further copies.

Where the Data Subject makes the Subject Access Request by electronic means (and unless the Data Subject requests otherwise) the information is to be provided in a commonly used electronic form (SAR access request form).

The Data Protection Officer must respond to a Subject Access Request within one month of receipt of the request. It may be possible to extend the period, but the Data Protection Officer should not rely on that.

Where requests from a Data Subject are manifestly unfounded or excessive (especially if they are repetitive) then the Data Protection Officer can either charge a reasonable fee for the administrative costs and providing the information or refuse to act on the request. However, it is the Data Protection Officer who must prove that the request was manifestly unfounded or excessive.

If the Data Protection Officer has reasonable doubts about the identity of the person making the Subject Access Request, then they are entitled to request additional information to confirm the identity of the individual.

An individual is only entitled to personal data about himself or herself. Therefore, if the personal data include information about someone else, the Data Protection Officer will need to confirm that information before supplying the personal data to the individual making the subject access request or may be able to decline to provide that data.

If responding to a Subject Access Request may involve providing information which relates to the individual making the request and someone else i.e. a third party, then the Data Protection Officer does not have to comply with the request if to do so would mean disclosing information about the other individual who can be identified from the information. Material qualifies as third-party information either if the other person can be identified as the source of the information, or if they are just included in it e.g. as a witness; and if you have any reason to believe that the Data Subject could identify the other person. However, third party material is not automatically excluded. You do have to provide the information about the other person if:

  • that person has given their consent; or it is reasonable to go ahead without their consent. In deciding whether it is reasonable to go ahead without consent, you must take account of:
  • any duty of confidentiality you owe to the other person;
  • anything you have done to try and get their consent;
  • whether they can give consent;
  • whether they have refused consent.

Material that is subject to legal professional privilege may be held back – this protects communications between lawyers and their clients for the purposes of giving or obtaining legal advice and communications between lawyers, clients and third parties made for the purposes of litigation, either actual or contemplated. However, the personal data can be disclosed where the other individual consents to the disclosure or it is reasonable in all the circumstances to comply with the request without the other individual’s consent.

Personal data includes opinions about an individual therefore opinions about the individual making a Subject Access Request must be included in the personal data which is provided to them.

Before responding to a Subject Access Request, it is important to establish whether the information requested falls within the definition of personal data. It is not always obvious whether it does. The ICO has produced separate guidance on this topic;

A Data Protection Officer is not permitted to amend or delete data if it would not otherwise have done so, just because it has received a Subject Access Request.

If a Data Protection Officer receives a Subject Access Request from a parent for information held about a child, they should consider whether the child is mature enough to understand their rights. The personal data of the child belongs to the child, not to their parent or guardian. What matters is that the child is able to understand, in broad terms, whether it needs to make a Subject Access Request and how to interpret the information they receive as a result of doing so. There are several factors which need to be taken into account in making that decision. The ICO guidance on Subject Access Requests provides more information on this.

Dealing with the Subject Access Requests can be time consuming and onerous. That might be because of the nature of the request, but it may be because of the way in which the Data Protection Officer holds the personal data and the amount it holds. This reinforces the requirement to make sure that personal data is kept in a way which makes it easy to locate when a Subject Access Request is made. It also underlines the importance of deleting data once it is out of date and is no longer needed.

The ICO has published a short guide on responding to Subject Access Requests; If you have any queries, questions or comments on the information contained in this policy, kindly email

Responsibility Statement: The information contained in this policy represents Dynamic Training UK Ltd's interpretation of the law as at the date of this edition. Dynamic Training UK Ltd takes all reasonable care to ensure that the information contained in this policy is accurate and that any opinions, interpretations and guidance expressed have been carefully considered in the context in which they are expressed. However, before taking any action based on the contents of this Guidance, readers are advised to confirm the up to date position and to take appropriate professional advice specific to their individual circumstances.

Please click here to download a copy of Subject Access Request form