Data Protection Law
Individuals have the right to submit DSARs to obtain copies of the personal data that organisations hold about them. Any activity an organisation performs on a piece of data is called "processing". To receive copies of personal data undergoing processing, a data subject access request must be submitted.
What is the right of access?
The UK GDPR provides the right of access, or subject access, which gives individuals a way to obtain copies of their personal data from organisations. The legislation builds on a now repealed subject access mechanism provided by the Data Protection Act 1998.
Subject access also provides individuals with the right to receive other supplementary information – discussed below. It gives everyone the ability to understand what data organisations hold on them and helps to ensure that organisations are processing personal data lawfully.
This is a very important right. It is a bit of a cliché, but technology is ever expanding its role in our daily lives. The popular video sharing platform TikTok has over 1 billion monthly users. In three months, 35.8 million meals were ordered in the UK and Ireland on Deliveroo. Apps such as these process personal data on a colossal scale. It is crucial that organisations of any size appreciate their obligations around data access, and that individuals know how to enforce them.
What is a DSAR?
The UK GDPR does not define how subject access requests must be made. They can be made verbally, or in writing, including via social media. Even a simple tweet to an organisation requesting your data would constitute a subject access request. However, it must be clear that the individual is asking for their personal data.
If a subject access request is submitted, make sure to use polite, clear language and check that the organisation understands what you are asking of them. This might mean providing them with a summary of what your expectations are.
The right of data subject access also includes the right to ask specific questions about how an individual's data has been, or is being, used by an organisation. The information that can be requested is:
- confirmation that an organisation processes their personal data;
- the purposes of that processing;
- categories of personal data processed;
- the organisation’s lawful basis for processing their data;
- the period for which the organisation will store their data;
- any relevant information about how the data was obtained;
- any relevant information about automated decision-making and profiling; and/or
- the names of any third parties the organisation shares their information with.
An individual can ask for this information without requesting copies of their personal data, or these questions may be combined with a request for copies.
What are the key points to consider when responding to a subject access request?
It is important to understand that a subject access request must be responded to without 'undue delay', and in any event within one month of receiving the request. However, if the request is complex, or if an organisation has received a number of requests from the same individual, the response time can be extended by a further two months; the organisation must tell the individual about the extension, and why, within the first month.
A reasonable effort must be made to find and retrieve the requested documentation. However, organisations are not required to conduct searches that would be unreasonable or disproportionate to the importance of providing access to the information. The more significant the information is to the individual, the more thorough the search must be: if an individual is requesting their personal health data from a private company, for example, a comprehensive search is expected. Searches can be manual (e.g. by searching an email inbox for key terms), but for larger requests specialised e-discovery software is available.
An important point to keep in mind is that individuals are not entitled to the original document that contains their personal data, such as a complete email. It is compliant to provide an extract containing the personal data itself rather than the whole document.
When considering how to respond to a subject access request, an organisation should take into account both the way in which the request was submitted and whether the individual is able to access the data in the format the organisation proposes to use. For example, if a subject submits an access request verbally, they will not necessarily receive copies of their personal data in electronic form. But if the request is made by email, the response is likely to be sent by email as well.
When submitting a DSAR, what should I include?
If you are submitting an access request, the request should be as clear as possible. Although there is not a defined list of what needs to be included in a data subject access request, the following are useful (but not required):
- clearly labelling your request (e.g. "DSAR");
- the date of the request;
- your full name and any other name you go by (e.g. if your name is Michael, you may go by Mike);
- any other information used by the organisation to identify or distinguish you from other individuals – such as an employee number;
- your contact details;
- a comprehensive list of what personal data you want to access, based on what you need;
- any details, relevant dates, or search criteria that will help the organisation narrow down and identify what you want; and/or
- how you would like to receive the information.
If there is a specific person who deals with subject access requests in an organisation, make sure to send it to them. Although this is not compulsory, it is likely to speed the process up. Their contact details are usually given in an organisation’s privacy notice.
Do I need to use the organisation’s standard form?
Although organisations may have a standard form of DSAR they wish individuals to use, this is not compulsory. They do, however, make it easier for an organisation to deal with your request and may speed up the process.
Who can I ask to submit a DSAR for me?
You do not have to submit an access request yourself. You can ask anyone you trust to do so on your behalf. However, before giving them the authority to do so, make sure that you are happy for them to receive your personal data.
Examples of who you could ask to submit a request for you:
- a trusted friend or family member;
- a partner; or
- a lawyer.
Keep in mind that the organisation receiving the request may ask for formal evidence showing that the third party is entitled to submit an access request for you, such as written permission.
Children have the same rights as adults. But if a child is too young to exercise the right themselves (in England and Wales there is no fixed age; what matters is whether the child has the capacity to understand their rights), their parent or guardian will need to submit the request on their behalf.
Can an organisation ask for ID?
Yes, an organisation can ask for some form of identification from the data subject before proceeding with the access request, provided the request for ID is reasonable and proportionate. The timescale for responding to a DSAR does not begin until the organisation has received the information it needs to confirm the requester's identity.
Is there a charge from organisations?
Usually, organisations cannot charge a fee for data subject access requests. However, if a request is 'manifestly unfounded or excessive', or if an individual requests further copies of their data, an organisation may be able to charge a 'reasonable fee' based on the administrative costs of complying with the request.
Can a DSAR be refused?
A subject access request may be refused if it is manifestly unfounded or manifestly excessive. These terms have distinct meanings, which the ICO has issued guidance on.
In short, a request is manifestly unfounded if the individual making it has no genuine intention of exercising the right of access and is instead using it to cause disruption or to be malicious. This distinction is important: as the case of Dawson-Damer v Taylor Wessing LLP EWCA Civ 74 demonstrates, having another reason for making the request (in that case, to obtain evidence for a court claim) does not by itself make a DSAR unfounded.
Manifestly excessive typically relates to repeat requests that overlap with or duplicate earlier ones, rather than to a request simply being large. It is for the organisation to hold sufficient evidence to demonstrate the manifestly unfounded or excessive nature of the request, and in many cases this will be very difficult to demonstrate satisfactorily.
If an organisation refuses to comply with a subject access request, they must inform the individual of:
- the reason(s) why;
- their right to make a complaint to the ICO or another supervisory authority; and
- their ability to seek to enforce this right through the courts.
Failure to respond could lead to regulatory action and a fine.
Despite the ease of submitting a DSAR, ensuring that an individual actually obtains their personal data can often be more complicated. Organisations must have robust policies in place to deal adequately with DSARs, or they risk falling foul of strict laws and being legally liable to requesters. The courts and the ICO have time and again sided with individuals, as long as their DSARs are valid.
At EM Law, we are experts in data protection law. If you are an individual we can help you submit a DSAR or if you are an organisation we can help you respond to one that you have received. Get in contact with us here if you need help submitting or responding to a DSAR, or if you have any questions regarding the UK GDPR or data protection more generally.