Subject Access Request (SAR)

A Subject Access Request is a right under UK GDPR allowing any individual to ask an organisation for a copy of all the personal data it holds about them. Organisations must respond within one month (extendable to three months for complex requests) and provide the information free of charge in most cases. The right can be limited where disclosure would adversely affect the rights and freedoms of others.

Under Article 15 of the UK GDPR, data subjects have the right to obtain confirmation of whether their personal data is being processed, access to that data, and supplementary information (including purposes, categories, recipients, and retention periods). Organisations must respond within one calendar month; for complex or numerous requests this can be extended by a further two months with notice. There is no fee for most SARs — a reasonable fee can only be charged for manifestly unfounded or excessive requests. Organisations can refuse clearly unfounded or excessive requests. The response must be provided in an accessible format. If the organisation fails to respond adequately, the individual can complain to the ICO, which can issue enforcement notices. Employees frequently use SARs in the context of disciplinary proceedings or tribunal claims to obtain relevant communications.
