What on earth is a SAR?

subject access

Subject access requests or a SAR refers to the right of an individual to request full details of the personal data held about them by an organisation. You may never have heard of a subject access request. But if your organisation receives one you have one month to respond. Here is some helpful, basic information about them.

How should subject access requests be submitted?

There is no specific rule on how a person can submit a SAR. They can make a request by:

  • calling
  • sending an email
  • writing you a letter
  • submitting a form on your website
  • and more.

However, you can choose to use a subject access request form. This makes the process clear and simpler for your organisation. This will request all the information you need in order to process the request.

What personal data are you required to provide?

The information you are required to provide in a subject access request can be very wide ranging. The volume will depend on the complexity of your relationship with the individual. For example, if they are on your marketing list then the data you hold will be more limited than if they were a client, patient, or student. The data you hold could include emails, video, photographs, or voice recordings. In addition you will also need to confirm:

  • That you are processing the individual’s data
  • What categories of personal data you are processing
  • The purpose for processing the data
  • Any recipients of the data (third parties to whom the data has been disclosed)
  • The data retention time period

You will also need to inform the individual about:

  • Their right to object to: the processing of their data, correction requests, right to erasure, and restricting processing
  • Information on how the data was obtained (if not obtained from the individual directly)
  • Any automated decision making regarding their data
  • Their right to complain to the ICO
  • Information on how you keep the data safe if sending it outside the EEA

Can you charge for dealing with a subject access request?

In most cases, no, you cannot charge. Fulfilling a subject access request must be free of charge. However if an individual repeatedly requests information, you are permitted to charge a ‘reasonable fee’. This fee must only represent the administrative cost of making the request. You must also explain why you are making the charge.

Multiple subject access requests can be very time consuming and thus expensive. This is particularly apparent if your organisation holds a large quantity of data on individuals. It is even more so if that data includes Special Category Personal Data.

As such, it is advisable to ensure the personal data you store is well organised and easily accessible. It is advisable to have good policies, procedures and checklists for dealing with data protection matters.

If you need assistance with policies, procedures or training for dealing with subject access requests then we can help, just get in touch.

info@dataprivacyadvisory.com

related posts

Jack Penaligon

How to Respond to a Data Breach: A Practical Guide

This blog provides an overview of the practical steps organisations can take to reduce the impact of a data breach once it has been identified. It focuses on the actions that should be taken during the early stages of an incident to contain the breach, protect affected individuals, and meet regulatory requirements.

The article discusses a range of mitigation measures, including contacting unintended recipients of personal data, securing the deletion or recovery of exposed information, isolating compromised systems, and maintaining clear records of actions taken. It also explores the challenges posed by both digital and physical data breaches, highlighting the importance of balancing operational needs with data protection obligations.

Finally, the blog emphasises the value of preparation, explaining how established procedures, communication templates, and predefined response plans can help organisations respond more effectively and demonstrate accountability during a regulatory investigation.

Read More »
Noah de Wild

How to Assess a Data Breach: A Practical Guide

This blog explains how to assess a data breach by identifying its cause, determining what information was exposed, and evaluating the potential impact on affected individuals and the organisation. It outlines common causes of breaches, the importance of understanding the type and scale of compromised data, and how assessing the timeline of an incident can help businesses respond effectively, meet legal obligations, and reduce long-term risks.

Read More »
Noah de Wild

Don’t Panic: A Pragmatic Guide to the June 2026 Enforcement of the Data (Use and Access) Act Changes

With the June 19, 2026 enforcement of the Data (Use and Access) Act approaching, ensuring your business is compliant doesn’t have to be complicated or expensive. In our latest guide, we break down exactly what the new data protection complaint rules mean for you. Cut through the noise and discover our simple, free six-step checklist to update your protocols, designate handlers, and keep your business confidently compliant.

Read More »

Get a Free Consultation