A subject access request is a request from an individual (or “data subject”) to see a copy of information a data controller holds about them, or to see how that information is processed.
The GDPR introduces new rules for dealing with such requests, and businesses must ensure they comply. Information must be provided to the individual at no cost within 30 days. Individuals must be allowed to make subject access requests by email and are entitled to receive the information in an electronic form if the request is made electronically.
Requests that are obviously unfounded or excessive can be refused, but the individual must be told why the request has been refused and must be informed of their right to complain to the Information Commissioner’s Office.
If you have received a subject access request and need advice on how to proceed, our experienced team can guide you through your obligations.
