Frequently asked questions
What is a subject access request under GDPR?
A subject access request (SAR) under GDPR allows an individual to request and receive a record of all the personal data — both digital and paper — an organization has collected about them.
What information can I get from a subject access request?
The response to a subject access request should include any information relating to the personal information an organization has collected about you, such as:
- Data the organization collected (unless the information could compromise someone else’s identity or an investigation)
- Why the organization collected the data
- How the organization processed the data
- Who the organization shared the data with
- How long the organization has had the data
- How much longer the organization is planning on keeping the data
- If the organization used the data to make an automatic decision about you
- If the organization used the data to make a customer profile about you
Who makes a subject access request?
Individuals can make a SAR on their own behalf or ask someone else — such as a relative or friend — to make the request on their behalf with written permission.
What is exempt from a subject access request?
Information exempt from SARs includes data that would also identify another individual or data that would negatively impact an ongoing official or legal inquiry.
What happens if a company ignores a subject access request?
SARs under GDPR must be fulfilled within 30 days of receipt of the request, although this can be extended if the request is complex. In this case, businesses must inform individuals within 30 days that their request will take longer to fulfill.
If companies ignore a subject access request, individuals can apply for court orders that compel the release of information or provide monetary compensation.