View What is a Data Subject Access Request, or DSAR?

What is a Data Subject Access Request, or DSAR?

The right of access, commonly referred to as subject access, gives individuals the right to obtain a copy of their personal data as well as other supplementary information. It helps individuals to understand how and why you are using their data, and check you are doing it lawfully. Individuals may exercise the right by making…

read more


View How can a DSAR be made?

How can a DSAR be made?

An individual can make a subject access request to you verbally or in writing. It can also be made to any part of your organisation (including by social media) and does not have to be to a specific person or contact point. A request does not have to include the phrase ‘subject access request’ or…

read more


View Do we have to reply to a DSAR?

Do we have to reply to a DSAR?

In almost all cases the answer is “yes”. If a request is within the scope of the Data Protection Act (there are a few exemptions), you are required to comply and must provide the information requested. You can also refuse to comply with a subject access request if it is: manifestly unfounded; or excessive. In…

read more


View How long do we have to respond to a DSAR?

How long do we have to respond to a DSAR?

You must comply with a request without undue delay and at the latest within one month of receipt of the request or (if later) within one month of receiving any information requested to confirm the requester’s identity. You should calculate the time limit from the day you receive the request (whether it is a working…

read more


View What steps should we take before we respond to a DSAR?

What steps should we take before we respond to a DSAR?

If you have doubts about the identity of the person making the request you can ask for more information. However, it is important that you only request information that is necessary to confirm who they are. The key to this is proportionality. You need to let the individual know as soon as possible that you…

read more


View Who can make a DSAR?

Who can make a DSAR?

The GDPR does not prevent an individual making a subject access request via a third party. Often, this will be a solicitor acting on behalf of a client, but it could simply be that an individual feels comfortable allowing someone else to act for them. In these cases, you need to be satisfied that the…

read more


View What should we provide when we respond to a DSAR?

What should we provide when we respond to a DSAR?

An individual is entitled only to their own personal data, and not to information relating to other people (unless the information is also about them or they are acting on behalf of someone). Therefore, it is essential that you establish whether the information requested falls within the definition of personal data. In addition to a…

read more


View Who should manage the response to a DSAR?

Who should manage the response to a DSAR?

Responsibility for complying with a subject access request lies with your organisation, as the data controller. Your DPO will generally be responsible for fulfilling a DSAR, if you haven’t appointed a DPO, the responsibility should be given to someone with up-to-date data protection knowledge and training in GDPR compliance. If you don’t have the internal…

read more


View What happens if we fail to respond to a DSAR?

What happens if we fail to respond to a DSAR?

To fail to respond to a DSAR is to break the law. Under the Data Protection Act 2018, fines of up to €20 million, or 4% of a business’ annual global turnover in the preceding financial year, whichever is higher, could be imposed by the ICO for non-compliance with data subject access requests. So far,…

read more


  1. Pages:
  2. 1
  3. 2