Responding to a Subject Access Request

A subject access request (SAR) is a request, made in any form, for a copy of all the information your business holds on an individual. While it is good practice to respond to such a request immediately, you must do so within one month of receiving it.


So, what does an SAR look like?

How do you recognise an SAR? Because there is no set rule defining how SARs should be submitted, they are sometimes not easy to spot. Nor does the person have to make it clear that they are submitting an SAR, even if your company provides specific forms for such a request.

An SAR can be made either verbally or in writing, in person or via the internet. It can even be made using social media. The onus is on you, not the person making the request, to recognise it.

If you are unsure whether or not a request has been made, the most effective course of action is to check with the person to obtain clarification immediately. This is also effective for avoiding any later disputes. It is also sound advice to ensure that your staff learn to recognise an SAR and what to do when they see one.

Keep a record

Any SAR made to your company, or any suspected SAR, should be immediately recorded. This applies to all non-verbal and verbal requests.

Verify the person’s identity

Any information your business holds on an individual is confidential and should not be made public to anyone without the individual’s permission. Consequently, when asked to divulge what information you hold on an individual, you must verify that person’s identity before releasing the information.

Buy yourself some valuable time

As previously mentioned, you should respond immediately to an SAR. However, it is unreasonable to expect that response to include the requested details, because it takes time to gather information. Thus, you must respond to the SAR and acknowledge its receipt, but you must also advise the person that it will take a short while to assemble all the information they have requested.

Provide copies of all data held

Once you have collated all the information you hold on an individual, it is your legal responsibility to send them a copy of everything. If the request is made verbally or in writing, you should send them a hard copy unless they ask you to forward the information electronically. If the request comes via electronic means, you should forward the information electronically.

If you use codes, then explain these clearly to the person using straightforward, easily understood language. Be transparent at all times.

Please note that if a document that contains their information also contains information about a third party, that information can be removed/redacted.

Revealing how their data has been used

Not only must you provide all details of the data you have kept on the person, but you must also advise them how that data has been used. They should understand the following:

  • What category the data was held under, e.g. sensitive
  • What the data has been used for
  • Where you obtained the data
  • Whom the data has been shared with, particularly if it is outside the European Union
  • How long you intend to keep their data
  • What methods you use to keep the data safe from third parties
  • Whether and how any profiling of the data has been performed, e.g. to predict behaviour

Advising the person in question of their rights

To ensure impartiality, you should also advise the person requesting an SAR that they have the right to:

  • Make a complaint to the regulator
  • Make an objection to your processing of their data
  • Request that you delete, change, remove or restrict the use of their data

What about confidentiality and legal privilege?

If, for example, you are a firm of solicitors, there are certain circumstances under which you do not have to release information to the person submitting an SAR, particularly if it breaches:

  • Any legal professional privilege
  • Any duty of confidentiality towards that person as your client


Here at, we treat all data held by us as highly confidential, storing it in the most secure manner available to us.  If you feel that your personal data is being held or used by a company without your express permission, contact one of our business law solicitors, who can assist you with the submission of an SAR and remedying the situation.
