What is a Subject Access Request (SAR)? GDPR Guide

Subject Access Request (SAR)

A Subject Access Request is a formal request by an individual (data subject) to obtain a copy of all personal data an organization holds about them, along with information about how that data is processed. Organizations must respond within one month under GDPR.

GDPRprivacydata subject rightsArticle 15SARDSAR

Why It Matters

Subject Access Requests are among the most frequently exercised GDPR rights. Organizations must be able to find, compile, and deliver all personal data they hold about an individual — across all systems, databases, emails, and backups — within one month. Failure to respond properly is a common reason for complaints to supervisory authorities.

What the Individual Is Entitled To

Under Article 15, the data subject has the right to receive:

Confirmation of whether their data is being processed
A copy of the personal data in an accessible format
The purposes of the processing
Categories of data being processed
Recipients to whom data has been or will be disclosed
Retention periods or criteria for determining them
Rights information — right to rectification, erasure, restriction, objection
Source of data — if not collected directly from the individual
Automated decision-making — logic, significance, and consequences

How to Handle a SAR

Verify identity — confirm the requester is who they claim to be (but don't request excessive information)
Log the request — record the date received (the clock starts immediately)
Search all systems — email, CRM, HR systems, databases, paper files, backups
Review and redact — remove third-party personal data that would infringe others' rights
Compile the response — provide data in a commonly used electronic format
Respond within one month — extendable by two months for complex requests, with notice
Provide free of charge — no fee for the first copy; reasonable fee for subsequent copies

Common Challenges

Fragmented data — personal data scattered across dozens of systems
Volume — large organizations may receive thousands of SARs per year
Redaction — balancing the requester's rights against others' privacy
Unstructured data — emails, chat messages, meeting notes
Employee SARs — particularly complex in employment disputes
Manifestly unfounded or excessive requests — can be refused or charged, but must be justified

Exemptions

Organizations may restrict the right of access when disclosure would:

Prejudice legal proceedings or investigations
Infringe another person's rights (including trade secrets)
Compromise national security or law enforcement
Undermine professional privilege (legal advice)

Key Regulation

GDPR Article 15 — right of access
GDPR Article 12 — transparent communication and modalities
EDPB Guidelines on data subject rights — practical guidance
ICO guidance on SARs — detailed UK interpretation (applicable as best practice)

Subject Access Request (SAR)

GDPRprivacydata subject rightsArticle 15SARDSAR

Subject Access Request (SAR)

Why It Matters

What the Individual Is Entitled To

How to Handle a SAR

Common Challenges

Exemptions

Key Regulation

GDPR vs UK GDPR: Key Differences, Transfer Mechanisms, and Practical Implications in 2026

What Is a Privacy Impact Assessment (PIA)? Complete Guide for 2026

GDPR Training for Employees: The Complete Guide for 2026

Want more than the definition?

Subject Access Request (SAR)

Why It Matters

What the Individual Is Entitled To

How to Handle a SAR

Common Challenges

Exemptions

Key Regulation

GDPR vs UK GDPR: Key Differences, Transfer Mechanisms, and Practical Implications in 2026

What Is a Privacy Impact Assessment (PIA)? Complete Guide for 2026

GDPR Training for Employees: The Complete Guide for 2026

Want more than the definition?