Legal Lingo: What is a 'subject access request'?

June 15, 2023

Aspiring commercial lawyers are regularly confronted by complex, often abstract, concepts wrapped in a wall of jargon that can seem impenetrable to students and trainees. Next up in our Legal Lingo series, which we introduced to help break down this jargon, is an explanation of what a subject access request (SAR) is.

The EU’s General Data Protection Regulation 2016/679 (GDPR) is quite possibly the most comprehensive data protection law in the world. The GDPR was previously applicable in the UK. However, following Brexit, the UK data protection regime consists of the retained law version of the GDPR (UK GDPR), together with the Data Protection Act 2018 (DPA) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as amended) (PECR).

The GDPR and the UK GDPR apply to the processing of personal data (essentially any information relating to an identified or identifiable individual). Among other things, the GDPR and the UK GDPR confer certain rights on individuals (also known as data subjects) regarding their personal data, including the “right of access”.

Data subjects have the right to obtain from controllers (persons or organisations that determine how and why personal data is processed) confirmation as to whether or not personal data concerning them is being processed and, if so, access to the relevant personal data and certain other supplementary information. Data subjects may issue subject access requests (SARs) in this regard. Controllers must respond to SARs by providing a copy of the relevant personal data in accordance with certain conditions and time limits and usually free of charge.

In addition to the data subject’s personal data, controllers must provide the following information in response to a SAR:

  • The purposes of the processing;
  • The types of personal data concerned;
  • The recipients or types of recipients with whom the personal data has been or will be shared;
  • If possible, the expected time period that the personal data will be stored for (or how that time period will be decided);
  • The right to ask the controller to correct or delete such personal data, restrict the processing of such personal data, or object to the processing of such personal data in certain circumstances;
  • The individual's right to complain to a supervisory authority;
  • Any available information about where the personal data was obtained from if such data is not collected from the individual;
  • The existence of any automated decision-making, including profiling, and meaningful information about the logic involved and the significance and envisaged consequences of such processing for the individual; and
  • If the personal data is transferred internationally, details of the safeguards implemented to protect the transferred data.

Controllers may be able to refuse to respond to a SAR if a relevant exemption applies or where the SAR itself is manifestly unfounded or excessive (although data subjects must be informed of the reasons for refusal; their right to complain to the relevant supervisory authority; and their ability to seek a judicial remedy).