Subject access request and data subject rights


In addition to the 6 Principles, the GDPR’s impose extended obligations to data subjects and you should therefore be aware of what’s changing.

As before, the legislation allows individuals to be informed as to whether you are processing their personal data. In doing so, data subjects have the right of access to the data held about them by a controller and the purposes for which it is being processed. You are also required to provide details about retention periods and the subjects’ rights of rectification, erasure, restriction and objection. It must also include details of any third parties to whom the personal data may be disclosed.

This information must be communicated to them in an intelligible form and must include any sources available to you in collecting and processing the data.

You aren’t obliged to supply any information unless you’ve received a request in writing. Under the GDPR’s, you can no longer charge for subject access requests although you may charge a “reasonable fee” when a request is manifestly unfounded or excessive, particularly if it is repetitive, or in extreme cases, refuse to comply with that request.

If you do refuse, then you will need to explain why to the individual, informing them of their right to complain to the supervisory authority and to a judicial remedy without undue delay and at the latest within one month. You can’t simply ignore the subject access request.

Another change under the GDPR affects the amount of time that you have to comply with subject access requests. Relevant information needs to be provided without delay and, at the latest, within one calendar month of receipt. The previous law allowed for 40 days.

Another right which a data subject may exercise is the right to data portability, that is, to have their data moved to a different platform. This would be relevant if they moved accounts to a different provider. The data must be transferred in a process-able format and, as the purpose would come to an end, the data should be erased (or archived if sufficient grounds to do so).

If we can assist you or your business in any way, or if you have any questions in relation to the services that we offer, please contact us. We look forward to working with you.

Subject Access Requests and Data Subject Rights Checklist

  • Are you a data controller?
  • Have you verified the identity of the data subject making the request?
  • Have you clarified the scope of the request with the data subject?
  • Do you have a Subject Access Request Policy?
  • Has your policy been updated to reflect new timescales and additional information?
  • Do you use any automated decision making or profiling in your processing?
  • Do you transfer data to another location or jurisdiction?  If so, what transfer safeguards exist within your organisation?
  • Have you received any requests for rectification?  If so, you should investigate sources for accuracy of information.