Right of access: How to make a subject access request

29 Mar 2019

Know your rights. A subject access request (known as a SAR or DSAR) is a request to a company or organisation asking for access to the personal data they may hold about you.

We’ve talked before about what a subject access request is. This guide will show you how to make a subject access request and what to expect of organisations from which you’re requesting information.

Your right to make a subject access request

The right existed under the Data Protection Act 1998, but organisations were allowed to charge a fee of £10 to provide you with the information.

Following changes to data protection legislation introduced by the EU-wide regulation called GDPR, you can now make a subject access request for free.

This right of access allows you to be aware of and verify the lawfulness of the processing of your personal data. For example, you might want to make a subject access request if you’re not convinced the company is processing your data lawfully.

You might also want to ask about any logic involved in any automated decisions made about you or get confirmation that your data is being processed and request access.

How to make a subject access request

There isn’t a particular format for sending a SAR to an organisation. You may wish to email, write, phone, DM or tweet the organisation and ask them to provide all the information they may hold about you, who they share it with and request copies of it.

The organisation should offer a few methods for you to send a subject access request, but many may have just one way to do this, for example a web form (it’s not best practice for an organisation to offer just one way for customers to send a SAR). All details of sending a SAR need to be clearly shown in their privacy policy, and the link to their policy will generally be located toward the bottom of their website.

If an organisation tries their luck and wants to charge you a fee, inform them that subject access requests have been free since 25 May 2018, when GDPR became law in the UK as the Data Protection Act 2018.

To make a subject access request (SAR), you may wish to follow these steps:

  • Find out the right department and person to send the request to. Normally they have a dpo@ email address on their website, or they might have a general contact or support email address
  • Note down all the information you need, so you can ask for this in the same request
  • Write to the organisation, including your full name, address and contact telephone number; any information used by the organisation to identify or distinguish you from others of the same name (account numbers, unique IDs, etc.); and details of the specific information you require and any relevant dates
  • Include a reference to the one month deadline that applies when dealing with requests to provide personal information
  • Reference that you have the right to make a subject access request for free under the Data Protection Act 2018

Feel free to use this free template letter available on the Information Commissioner’s Office (ICO) website to make a subject access request.

Or use our free tool to make a subject access request. The app is free and available on Apple and Android. We don’t collect or hold your personal data.

Record and copy everything

You should try to send your request by recorded delivery or by email, and you should keep a copy of the SAR and all other materials sent to and received from the organisation.

By doing all of the above, you can provide these as evidence later if you wish to complain to the Information Commissioner’s Office (ICO) that the organisation didn’t give you the information you think you are entitled to after you made the SAR.

Work smart with SARs – Use a tool!

You can use our free secure tool to make a subject access request. We built the Tapmydata app to take the headache and workload out of sending subject access requests. We also don’t collect or hold your personal data.

The app will always be free and is available on Apple and Android.

What organisations need to do

The Data Protection Act 2018 requires companies to let you know what information is held about you, whether it is on a computer or paper.

Here are the steps an organisation would need to take when dealing with a subject access request:

  • It has to reply to you without delay and at the latest within 30 days, starting from the day they receive the SAR.
  • It is allowed to extend the period of compliance by a further two months where requests are complex or numerous, but it must inform you within one month of the receipt of the request and explain why an extension is necessary.
  • It must provide you with a copy of the personal data requested in the SAR free of charge.
  • It can charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive.
  • It may charge a reasonable fee for requests for further copies of the same information, but this doesn’t mean it can charge you for all subsequent access requests.
  • It should give you the information in a commonly used format, but it need not do this if it is not possible, if it takes ‘disproportionate effort’ or if you agree to some other form, such as seeing it on screen.

Can organisations withhold my personal data?

Organisations are allowed, in certain situations, to withhold information from you.

For example:

  • If the information could identify someone else, and it would not be reasonable to disclose that information to you.
  • If you are being investigated for a crime, or in connection with taxes, and the investigation would be prejudiced if you had access to the information.
