A data subject access request is a request from an individual (or “data subject”) to see a copy of information a data controller holds about them, or to see how that information is processed. A third party can also make a request on behalf of another person.
Upon receipt of a request, information must be provided to the individual, generally at no cost and within 30 days. If the request is complex, or you receive multiple requests from the individual, you can extend the time frame by a further two months. Individuals can make data subject access requests either verbally or in writing; there are no formal requirements for the request to be valid.
Requests that are obviously unfounded or excessive can be refused, but the individual must be told why the request has been refused and must be informed of their right to complain to the Information Commissioner’s Office and the ability to seek to enforce this right through the courts.
You can also refuse a request if an exemption, or a restriction applies, such as if disclosing the information requested would identify another individual.
If you have received a data subject access request and need advice on how to proceed, our experienced team can guide you through your obligations.
