[wordpress_gdpr_request_data]

At a glance

  • Individuals have the right to access and receive a copy of their personal data, and other supplementary information.
  • This is commonly referred to as a subject access request or ‘SAR’.
  • Individuals can make SARs verbally or in writing, including via social media.
  • A third party can also make a SAR on behalf of another person.
  • In most circumstances, you cannot charge a fee to deal with a request.
  • You should respond without delay and within one month of receipt of the request.
  • You may extend the time limit by a further two months if the request is complex or if you receive a number of requests from the individual.
  • You should perform a reasonable search for the requested information.
  • You should provide the information in an accessible, concise and intelligible format.
  • The information should be disclosed securely.
  • You can only refuse to provide the information if an exemption or restriction applies, or if the request is manifestly unfounded or excessive.

Checklists

Preparing for subject access requests

☐ We know how to recognise a subject access request and we understand when the right of access applies.

☐ We have a policy for how to record requests we receive verbally.

☐ We understand what steps we need to take to verify the identity of the requester, if necessary.

☐ We understand when we can pause the time limit for responding if we need to ask for clarification.

☐ We understand when we can refuse a request and are aware of the information we need to provide to individuals when we do so.

☐ We understand the nature of the supplementary information we need to provide in response to a subject access request.

☐ We have suitable information management systems in place to allow us to locate and retrieve information efficiently.