Understanding Subject Access Requests (SAR): Process, Implementation, and Rights

Table of Contents

A Subject Access Request (SAR) is a right granted under the General Data Protection Regulation (GDPR) that allows individuals to access their personal data held by organizations. This article explains the SAR process, how to submit a request, and what actions to take if an organization does not comply with your request.

What is a Subject Access Request (SAR)?

A SAR is a request made by an individual to an organization to obtain a copy of their personal data, understand how it is being processed, and learn why it is being processed. This right ensures transparency and allows individuals to verify the lawfulness of the processing.

How to Submit a SAR

  1. Identify the Data Controller
    • Determine which organization holds your personal data and is responsible for processing it. This is the data controller.
  2. Prepare Your Request
    • Form of Request: While SARs can be submitted verbally or in writing, it is best to make the request in writing for documentation purposes.
    • Details to Include: Clearly state that you are making a SAR and include any relevant information to help the organization identify your data, such as your name, contact details, and any specific data you are requesting.
  3. Submit the Request
    • Send your request to the data controller. You can typically find contact details for the data protection officer (DPO) or privacy department on the organization’s website.
  4. Proof of Identity
    • The organization may require proof of identity to ensure the request is legitimate. Be prepared to provide a copy of an identification document if asked.

What Happens After Submitting a SAR

  1. Acknowledgment of Request
    • The organization should acknowledge receipt of your SAR promptly, usually within a few days of receiving it.
  2. Processing the Request
    • The data controller must respond to your SAR without undue delay and within one month. In certain complex cases, this period can be extended by up to two additional months, but you should be informed of the extension and the reasons for it.
  3. Response to SAR
    • The response should include:
      • Copy of Personal Data: A copy of your personal data being processed.
      • Processing Information: Information about the purposes of processing, categories of personal data, recipients, retention periods, and your rights regarding the data.
      • Source of Data: Where the data was not collected from you directly, information about the source.
      • Automated Decision-Making: Information on any automated decision-making, including profiling, and the logic involved.
  4. No Fee for SAR
    • In most cases, SARs are free of charge. However, if the request is manifestly unfounded or excessive, particularly if it is repetitive, the organization may charge a reasonable fee or refuse to act on the request.

Filing a Complaint

If an organization does not comply with your SAR or you are dissatisfied with the response, you can take the following steps:

  1. Contact the Organization
    • Reach out to the organization to address the issue. Provide details of your SAR and any communication you have had with them. Sometimes, issues can be resolved through direct communication.
  2. File a Complaint with the Data Protection Authority (DPA)
    • If the organization does not resolve the issue, you can file a complaint with the relevant DPA. Provide all relevant information, including details of your SAR, the response received, and any communication with the organization.
  3. Seek Legal Action
    • In cases of significant non-compliance, you may consider seeking legal advice to explore further actions, such as filing a lawsuit for damages caused by the violation of your rights.

SAR Process Chart

1. Identify Data ControllerDetermine the organization holding your data.
2. Prepare Your RequestWrite a clear request including relevant details.
3. Submit the RequestSend the request to the data controller’s contact point.
4. Provide Proof of IdentityProvide identification if requested.
5. Acknowledge RequestOrganization acknowledges receipt of your SAR.
6. Processing the RequestOrganization processes your request within one month.
7. Response to SARReceive copy of your data and processing information.
8. No Fee for SARSARs are generally free, fees apply only for excessive requests.


Submitting a Subject Access Request (SAR) is a powerful tool for individuals to understand how their personal data is being processed and to ensure compliance with data protection laws. By following the outlined process and knowing your rights, you can effectively manage your personal data. If an organization fails to comply with your SAR, there are steps you can take to file a complaint and seek enforcement of your rights.

Online Privacy Compliance Made Easy

Captain Compliance makes it easy to develop, oversee, and expand your privacy program. Book a demo or start a free 30-day trial now.