Subject access request (SAR)

A subject access request (SAR) under GDPR allows an individual to request and receive a record of all the personal data — both digital and paper — an organization has collected about them.

Subject access requests should include any information relating to the personal information an organization has collected about you, including:

• Data the organization collected (unless the information could compromise someone else’s identity or an investigation)

• Why the organization collected the data

• How the organization processed the data

• Who the organization shared the data with

• How long the organization has had the data

• How much longer the organization is planning on keeping the data

• If the organization used the data to make an automatic decision about you

• If the organization used the data to make a customer profile about you

Individuals can make a SAR on their own behalf or ask someone else — such as a relative or friend — to make the request on their behalf with written permission.

Information exempt from SARs includes data that would also identify another individual or data that would negatively impact an ongoing official or legal inquiry.

SAR requests under GDPR must be fulfilled within 30 days of receipt of the request, although this can be extended if the request is complex — in this case, businesses must inform individuals within 30 days that their request will take longer to fulfill.

If companies ignore a subject access request, individuals can apply for court orders that compel the release of information or provide monetary compensation.