Subject Access Requests (SARs): everything you need to know
By eleanor blackwood
Thu 2 July 2020
What is a Subject Access Request?
A Subject Access Request or ‘SAR’ is a written request that you can send to any organisation in order to see what personal data they hold on you.
By personal data, we mean any information that can directly or indirectly be used to identify you. Think address, financial details, and political views.
The great thing about sending a Subject Access Request is that it's the best way to find out where your data is, and how it's being used. They're also free to send, which is handy!
Once you've sent your request, companies must reply to your request within 30 days by GDPR law. In their response, they have to send you a copy of all of the information they have of yours, and tell you how they've been using it.
Even if they don't have your personal data, they still have to reply to let you know.
After you've viewed your personal data, you can then choose to delete it or leave it. It’s up to you.
Why should I make a Subject Access Request?
At Rightly, we believe that you should decide how your data is used. Sending a SAR is a great way to do this; if you understand how your data is being used and why, you can control it.
Another reason to send a SAR is curiosity - you might be surprised at just how much data a company has on you! It could be interesting to see how much, and what kind of, data companies like Google, Facebook, Amazon, dating apps, your grocery store or even your gym have on you.
You should also send a SAR to find out if you suspect that a company is mishandling your data.
How do I make a Subject Access Request?
Well, there are two main ways you can make a request.
Now, we're biased, but the quickest and easiest way to send a request is through Rightly!
That's because rather than having to find contact details, the right procedure, and upload your information each time, you can just upload once and pick the companies you want to send requests to, and you're done! You can get started here.
With Rightly, you can...
- Instantly search our database for the organisations you want to send requests to
- Quickly and easily send your verified ID - Companies set their ID preferences with us so there is less back and forth
- Directly communicate with the company through our secure platform - no more sifting through your emails!
- Receive your data files securely and direct to your Rightly account
- Manage all your personal data in a central place
- Decide what you want to happen to your data
- Have a friendly support team on hand for any questions or assistance you need!
If you'd like to just send one yourself, no problem.
You can simply write an email, phone, or even message the organisation through social media and ask them to share the data they hold on you. Some organisations might invite you to fill out a company form, but this isn’t compulsory.
Although, you can ask for access to your data in any way you wish, there's certain information that you should provide so the organisation can identify you and know what to look for.
To make this process easier for you, here are some helpful steps below:
This will be located on their website. Many privacy policies are confusing but they can give you an idea about the kind of information the company collects and what they do with it. It will also help you decide if you want to send a SAR to that particular company.
2) Make a note of the information you would need
If there’s any specific information you’d like the company to send you, including any specific dates, make a note so you can ask for it in the request. It’s also fine to request ‘All the data you hold on me’ if that’s what you want to receive.
3) Ensure that you have a copy of your ID
Some companies require proof of ID and/or proof of address so they can verify you. Make sure that you have these already scanned and ready to send in case they ask you for it.
4) Find a contact email address
5) Write to the company
You should include your full name, address, telephone number and email address (if you have previously signed up to their services, using your email). Some organisations will require an account number or unique ID number too!
6) State that it is a Subject Access Request
There are several things you can request under GDPR, so it’s important to specify that you are writing to make a Subject Access Request, under the GDPR or Data Protection Act 2018 (if you are from the UK).
7) State the 30 day deadline
Organisations have 30 days to respond from the date they receive your request. Include the reference to the deadline in your request. This will help them to determine how long they have to provide the information to you.
8) State how and where you want the information
Organisations are required to be able to provide your data in electronic format, but you can request that it is posted to you. Be specific about where you would like the data sent.
The Information Commissioner's Office (ICO) provides a sample letter on their website (link) which might be helpful to you.
Too much headache?
How long does it take to get a response?
As we mentioned, once a company has received a request they have to respond within 30 days.
In the response, companies have to send you:
- Purpose- why your personal data is being processed
- Categories- what kind of data is being processed
- Recipients- everyone the data has been disclosed to
- Retention period- how long it’ll be stored for
- Source- how they got this data, if it wasn’t directly from you
- Safeguards- how the security of your data is ensured if it’s being transferred to a third country
- Your rights- a reminder that you can correct, delete, restrict and object to data processing
- A reminder that you can make a complaint to the Information Commissioner
What happens when I have made a SAR?
Ideally, you'll receive a copy of all of your data within a month, hurray!
If not, these are some of the things you can expect:
- You may receive a response from the organisation asking for more information, for example a copy of your ID, after you send this information they have a further month to complete the request.
- The organisation may ask for more time if the request is complex. Organisation are allowed up to 2 more months to answer a request as long as they give a good reason for doing so.
- You may be asked to pay a fee. This is unlikely to happen but an organisation is allowed to charge a small administrative fee if your request is ‘manifestly unfounded or excessive’, or if you ask for more copies of data following a request.
- While unlikely, the organisation may simply refuse to answer a request they deem ‘manifestly unfounded or excessive’, or they may reply that they can ‘neither confirm nor deny’ whether they hold data on you, for example, if you're asking a police station for data back that may compromise a current investigation, the police can make the decision to reply in this way.
- If the organisation doesn't respond, or you're not happy with a response, you can complain to the organisation and report your concerns to the ICO, they will give you advice on what to do next.
Overall, Subject Access Requests are a great way to get more control over your data . You can send one through the platform, or by yourself, both are free!
Either way, if you have any questions, do get in touch with our support team, they'd be happy to help.
Or, tweet us @rightlydata
Let us know how sending your first Subject Access Request goes!