A Subject Access Request (SAR) is a right granted under the General Data Protection Regulation (GDPR) that allows individuals to access their personal data held by organizations. This article explains the SAR process, how to submit a request, and what actions to take if an organization does not comply with your request.
What is a Subject Access Request (SAR)?
A SAR is a request made by an individual to an organization to obtain a copy of their personal data, understand how it is being processed, and learn why it is being processed. This right ensures transparency and allows individuals to verify the lawfulness of the processing.
How to Submit a SAR
- Identify the Data Controller
- Determine which organization holds your personal data and is responsible for processing it. This is the data controller.
- Prepare Your Request
- Form of Request: While SARs can be submitted verbally or in writing, it is best to make the request in writing for documentation purposes.
- Details to Include: Clearly state that you are making a SAR and include any relevant information to help the organization identify your data, such as your name, contact details, and any specific data you are requesting.
- Submit the Request
- Send your request to the data controller. You can typically find contact details for the data protection officer (DPO) or privacy department on the organization’s website.
- Proof of Identity
- The organization may require proof of identity to ensure the request is legitimate. Be prepared to provide a copy of an identification document if asked.
What Happens After Submitting a SAR
- Acknowledgment of Request
- The organization should acknowledge receipt of your SAR promptly, usually within a few days of receiving it.
- Processing the Request
- The data controller must respond to your SAR without undue delay and within one month. In certain complex cases, this period can be extended by up to two additional months, but you should be informed of the extension and the reasons for it.
- Response to SAR
- The response should include:
- Copy of Personal Data: A copy of your personal data being processed.
- Processing Information: Information about the purposes of processing, categories of personal data, recipients, retention periods, and your rights regarding the data.
- Source of Data: Where the data was not collected from you directly, information about the source.
- Automated Decision-Making: Information on any automated decision-making, including profiling, and the logic involved.
- The response should include:
- No Fee for SAR
- In most cases, SARs are free of charge. However, if the request is manifestly unfounded or excessive, particularly if it is repetitive, the organization may charge a reasonable fee or refuse to act on the request.
Filing a Complaint
If an organization does not comply with your SAR or you are dissatisfied with the response, you can take the following steps:
- Contact the Organization
- Reach out to the organization to address the issue. Provide details of your SAR and any communication you have had with them. Sometimes, issues can be resolved through direct communication.
- File a Complaint with the Data Protection Authority (DPA)
- If the organization does not resolve the issue, you can file a complaint with the relevant DPA. Provide all relevant information, including details of your SAR, the response received, and any communication with the organization.
- Seek Legal Action
- In cases of significant non-compliance, you may consider seeking legal advice to explore further actions, such as filing a lawsuit for damages caused by the violation of your rights.
SAR Process Chart
| Step | Description |
|---|---|
| 1. Identify Data Controller | Determine the organization holding your data. |
| 2. Prepare Your Request | Write a clear request including relevant details. |
| 3. Submit the Request | Send the request to the data controller’s contact point. |
| 4. Provide Proof of Identity | Provide identification if requested. |
| 5. Acknowledge Request | Organization acknowledges receipt of your SAR. |
| 6. Processing the Request | Organization processes your request within one month. |
| 7. Response to SAR | Receive copy of your data and processing information. |
| 8. No Fee for SAR | SARs are generally free, fees apply only for excessive requests. |
Conclusion
Submitting a Subject Access Request (SAR) is a powerful tool for individuals to understand how their personal data is being processed and to ensure compliance with data protection laws. By following the outlined process and knowing your rights, you can effectively manage your personal data. If an organization fails to comply with your SAR, there are steps you can take to file a complaint and seek enforcement of your rights.
