Why It Matters
Subject Access Requests (SARs) are among the most frequently exercised GDPR rights. An organization must be able to find, compile, and deliver all personal data it holds about an individual, across every system, database, mailbox, paper file and backup, within one month of receiving the request. Late, incomplete or improperly refused responses are a common cause of complaints to supervisory authorities.
What the Individual Is Entitled To
Under Article 15, the data subject has the right to receive:
- Confirmation of whether their data is being processed
- A copy of the personal data in an accessible format
- The purposes of the processing
- Categories of data being processed
- Recipients to whom data has been or will be disclosed
- Retention periods or criteria for determining them
- Rights information — the rights to rectification, erasure, restriction of processing and objection, and the right to lodge a complaint with a supervisory authority
- Source of data — if not collected directly from the individual
- Automated decision-making — whether it takes place (including profiling), and meaningful information about the logic involved, its significance and the envisaged consequences for the individual
- Transfer safeguards — where data is transferred to a third country or international organisation, the safeguards applied to that transfer
How to Handle a SAR
- Verify identity — where there is reasonable doubt, confirm the requester is who they claim to be using means proportionate to the sensitivity of the data; do not demand more information than is needed to confirm identity (Article 12(6))
- Log the request — record the date received; the one-month period runs from that day, whether or not it is a working day, and applies however the request arrived (email, web form, letter, social media)
- Search all systems — email, CRM, HR systems, databases, ticketing and chat tools, paper files and backups; data held in backups is still data you hold
- Review and redact — remove third-party personal data whose disclosure would infringe others' rights; redact only what is necessary rather than withholding whole documents
- Compile the response — provide the data and the accompanying Article 15 information in a commonly used electronic format, particularly where the request was made electronically (Article 15(3))
- Respond within one month — extendable by a further two months where requests are complex or numerous, but the requester must be told of the extension, and the reasons for it, within the first month (Article 12(3))
- Provide free of charge — no fee for the first copy; a reasonable fee based on administrative costs may be charged for further copies (Article 15(3))
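Because the one-month period runs in calendar months, a SAR log that tracks deadlines has to handle month-end dates correctly: a request received on 31 January cannot be due on "31 February". The Python below is an added example written for this page, not code from the page or from any regulator. It assumes the ICO's interpretation that the deadline is the corresponding date in the following month, or the last day of that month if there is no corresponding date, and that an Article 12(3) extension adds two further calendar months counted from the same receipt date. It also assumes that an extension only counts if the requester was notified within the first month, as Article 12(3) requires. Weekend and public-holiday rollover is not handled. The sample log entries are constructed.

```python
from calendar import monthrange
from dataclasses import dataclass
from datetime import date
from typing import Optional


def add_calendar_months(start: date, months: int) -> date:
    """Return the corresponding calendar date `months` months after `start`.

    Assumption (ICO interpretation): if the target month has no such day,
    e.g. 31 January + 1 month, the deadline is the last day of that month.
    """
    year_offset, month_index = divmod(start.month - 1 + months, 12)
    year, month = start.year + year_offset, month_index + 1
    last_day = monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


@dataclass
class SarRecord:
    """One entry in the SAR log: who asked, when, and how it was handled."""
    requester: str                     # hypothetical reference, e.g. a ticket ID
    received: date                     # the day the request arrived (day 0)
    extended: bool = False             # Article 12(3) extension applied?
    extension_notified: Optional[date] = None   # when the requester was told
    responded: Optional[date] = None   # when the response was sent

    def extension_valid(self) -> bool:
        """An extension only counts if notified within the first month."""
        if not self.extended:
            return True
        return (self.extension_notified is not None
                and self.extension_notified <= add_calendar_months(self.received, 1))

    def deadline(self) -> date:
        """Statutory deadline: one month, or three if validly extended."""
        months = 3 if self.extension_valid() and self.extended else 1
        return add_calendar_months(self.received, months)

    def status(self, today: date) -> str:
        """Classify the request relative to its deadline as of `today`."""
        due = self.deadline()
        if self.responded is not None:
            return "answered on time" if self.responded <= due else "answered late"
        return "open" if today <= due else "OVERDUE"


def overdue_requests(log, today: date):
    """Return the open records whose deadline has passed, oldest first."""
    late = [r for r in log if r.status(today) == "OVERDUE"]
    return sorted(late, key=lambda r: r.deadline())


if __name__ == "__main__":
    # Constructed sample log, not real requests.
    sample_log = [
        SarRecord("SAR-001", date(2024, 1, 31)),                      # due 29 Feb 2024
        SarRecord("SAR-002", date(2024, 11, 30), extended=True,
                  extension_notified=date(2024, 12, 20)),             # due 28 Feb 2025
        SarRecord("SAR-003", date(2024, 11, 30), extended=True,
                  extension_notified=date(2025, 1, 5)),               # told too late: due 30 Dec 2024
        SarRecord("SAR-004", date(2024, 3, 15), responded=date(2024, 4, 20)),
    ]
    today = date(2025, 1, 10)
    for rec in sample_log:
        print(f"{rec.requester}: received {rec.received}, due {rec.deadline()}, {rec.status(today)}")
    print("overdue:", [r.requester for r in overdue_requests(sample_log, today)])
```

The design point is that `SarRecord.deadline()` never trusts the `extended` flag on its own: if the notification date is missing or falls after the first month, the record silently reverts to the unextended deadline, so a late-notified extension shows up as overdue rather than as a valid three-month case. That mirrors Article 12(3), which ties the extension to informing the requester within one month.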
Common Challenges
- Fragmented data — personal data scattered across dozens of systems
- Volume — large organizations may receive thousands of SARs per year
- Redaction — balancing the requester's rights against others' privacy
- Unstructured data — emails, chat messages, meeting notes
- Employee SARs — particularly complex in employment disputes
- Manifestly unfounded or excessive requests — may be refused or charged a reasonable fee, in particular where they are repetitive, but the controller bears the burden of demonstrating this (Article 12(5)); a request being inconvenient or voluminous does not meet that bar
Exemptions
Organizations may restrict the right of access only where Union or Member State law provides for it (Article 23) or where disclosure would adversely affect the rights and freedoms of others (Article 15(4)). Typical cases are where disclosure would:
- Prejudice legal proceedings, or the prevention, investigation or prosecution of criminal offences
- Infringe another person's rights, including trade secrets and intellectual property, though Recital 63 says this must not be used to refuse all information to the requester
- Compromise national security, defence or public security
- Undermine legal professional privilege (legal advice), where national law provides such an exemption
Each restriction must be applied to the specific data it covers, not to the request as a whole, and the reasons for withholding should be recorded.
Key Regulation
- GDPR Article 15 — right of access
- GDPR Article 12 — transparent communication and modalities
- EDPB Guidelines on data subject rights — practical guidance
- ICO guidance on SARs — detailed UK GDPR interpretation, widely used as best practice elsewhere