
What are Subject Access Requests?

Subject Access Requests (SARs), also known as Data Subject Access Requests (DSARs), are a fundamental right under the General Data Protection Regulation (GDPR) and, in the UK, the Data Protection Act (DPA) 2018. They enable individuals to obtain the personal data that organizations are processing about them and to understand how that data is being used. This right gives individuals greater control over their personal data and the ability to hold organizations accountable for the way they handle it.

An individual makes a SAR by submitting a request to the organization that is processing their data. The request can be made in writing, by email or by phone. It must be directed to the data controller, that is, the person or organization that determines the purposes for which, and the manner in which, the personal data are processed.

How are Subject Access Requests (SARs) processed?

Once a SAR has been received, the organization has one month to respond. If the request is complex or the organization receives a high volume of requests, it may extend the deadline by a further two months. The response to a SAR must include the following information:

  1. Confirmation of whether the organization is processing the individual's data
  2. A copy of the personal data that is being processed
  3. Information about the purposes for which the data is being processed
  4. Details of any third parties to whom the data has been disclosed
  5. Information about how long the data will be kept
  6. Details of any automated decision-making processes that have been used.

Organizations must respond to SARs free of charge, although they may charge a reasonable fee if a request is manifestly excessive or repetitive. If a request is refused, the individual must be told the reasons for the refusal and informed of their right to complain to the Information Commissioner's Office (ICO).

The origin of SARs can be traced back to the Data Protection Act 1998 in the UK and the EU Data Protection Directive 1995. These laws established the right of individuals to access their personal data and ensured that organizations were held accountable for the way they handled personal data. The GDPR, which came into effect in 2018, strengthened the rights of individuals and provided for more robust enforcement mechanisms.

In conclusion, SARs are a crucial tool that lets individuals understand and control how organizations process their personal data. Organizations have a legal obligation to respond to SARs within one month and to provide individuals with the information they need to exercise their rights. SARs originate in the Data Protection Act 1998 in the UK and the EU Data Protection Directive 1995, and these rights have since been strengthened by the GDPR. See how PrivacyEngine handles this with its Data Subject Rights Log solution.