Subject access request (SAR)
Also known as a data subject request (DSR) or data subject access request (DSAR), a subject access request (SAR) is a formal request by an individual (data subject) to a controller (company) to disclose what personal data the organization has collected about the individual and how they use or intend to use it. Consumers are granted the right to request this information under data privacy laws such as GDPR and CCPA/CPRA.
Frequently asked questions
What is a subject access request under GDPR?
A subject access request (SAR) under GDPR allows an individual to request and receive a record of all the personal data — both digital and paper — an organization has collected about them.
What information can I get from a subject access request?
Subject access requests should include any information relating to the personal information an organization has collected about you, including:
- Data the organization collected (unless the information could compromise someone else’s identity or an investigation)
- Why the organization collected the data
- How the organization processed the data
- Who the organization shared the data with
- How long the organization has had the data
- How much longer the organization is planning on keeping the data
- If the organization used the data to make an automatic decision about you
- If the organization used the data to make a customer profile about you
Who makes a subject access request?
Individuals can make a SAR on their own behalf or ask someone else — such as a relative or friend — to make the request on their behalf with written permission.
What is exempt from a subject access request?
Information exempt from SARs includes data that would also identify another individual or data that would negatively impact an ongoing official or legal inquiry.
What happens if a company ignores a subject access request?
SAR requests under GDPR must be fulfilled within 30 days of receipt of the request, although this can be extended if the request is complex — in this case, businesses must inform individuals within 30 days that their request will take longer to fulfill.
If companies ignore a subject access request, individuals can apply for court orders that compel the release of information or provide monetary compensation.