“Common Questions On GDPR Subject Access Requests”

“Common Questions On GDPR Subject Access Requests”

Wednesday, August 7, 2019

Ann-Maree Blake, Data Protection and Corporate Partner

Subject Access Requests (SARs) provide for some of the most challenging compliance matters relating to the GDPR.  Recently, the Information Commissioner’s Office (ICO) issued two enforcement notices against the Metropolitan Police Service (MPS) over a backlog of information requests.  The ICO has given the MPS until 30 September to clear all pending SARs.  Failure to comply could result in a potential fine under the GDPR framework of up to €10 million (£8.9 million).

In this article, I will outline the law around SARs and deal with two common concerns, namely:

  1. how do I deal with a SAR where multiple individuals are identified; and
  2. do I have to hand over documents where someone in the organisation has made inappropriate statements regarding a customer or staff member?

What is a SAR?

Article 15 of the GDPR provides for the right of access by data subjects.  Specifically, it says:

“The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data”.

In addition, the data subject is entitled to information (referred to as ‘Supplementary Information’) on the purpose of data processing, categories of data concerned, recipients, period of storage, existence of rights for correction, limitation of processing, deletion, objection, the right to make a complaint, the source of the information, and the use of automated decision making (e.g. profiling).  If data is being sent to a third country (i.e. a State outside the European Economic Area), then the data subject can ask to see what protections have been put in place to arrange a secure transfer.

Crucially, a SAR does not have to be worded explicitly as such.  Training should, therefore, be provided so employees recognise when a request for personal data is being made.

Clear policies and procedures should be in place to deal with a SAR effectively.  Included should be the ability to:

  • Identify the genuineness of the request to protect against possible data breaches and identity theft
  • Confirm receipt of the SAR
  • Request additional details if needed to complete the request
  • Identify the personal data and supplementary information needed to fulfil the request
  • Meet relevant timescales (SARs usually have to be completed within one month of receipt)
  • Ensure consistent and simple language is used to answer the request (especially if the information concerns a child)
  • Handle requests from third parties
  • Know when to refuse a SAR

The ICO makes it explicitly clear that the data controller is responsible for complying with SARs.  If you have outsourced your organisation’s data processing functions, you must ensure that every supplier contract has terms inserted to cover SAR compliance and can deliver within the required timeframes.

Finally, it is best practice to record how you have complied with your organisation’s SAR policy at each stage of the request.  This ensures that in the event of a complaint, evidence is available to demonstrate all appropriate steps were taken.

What if a SAR will mean confidential information about another person will be revealed to the requester?

Imagine a SAR is made by an employee.  The information requested contains confidential information about another employee’s job performance, salary, or mental health.  Are you required to comply with the request in full?

This is a dilemma often faced by HR departments.

The first thing to do in such a situation is to analyse the scope of the request.  If it is extremely broad, Recital 63 indicates that where an employee requests personal data, the employee should specify the information or processing activities to which the request relates.  If the employee refuses, you may have grounds to argue under Article 12 (5) that the request is “manifestly unfounded or excessive”, and either refuse to act or charge a fee.

Top tip – under the GDPR, an employee has no right to access documents, only personal data.  If information about multiple employees is contained in a document unrelated to personal data, you do not have to disclose it.

If the SAR is reasonable but involves disclosing information regarding a third party, you need to consider the following:

  • Does the request require disclosure of information that identifies another individual?
  • If it does, has the other individual consented to the disclosure?
  • Would it be reasonable to disclose without consent?


In deciding whether it is reasonable to disclose information without consent you must consider:

  • The type of information that would be disclosed.
  • Any duty of confidentiality.
  • Whether the other individual is capable of giving consent.
  • Any express refusal of consent by the other individual

In B v General Medical Council [2018] EWCA Civ 1497, the Court of Appeal considered how a data controller should run the balancing exercise required (under section 7(4) of the Data Protection Act 1998).  One thing the Court made clear is that there is no presumption that the SAR cannot be complied with simply because the third party denies consent.  Also, the fact the requester may have issued the SAR with a view to litigate should not sway the data controller’s decision.  The Court also stated that the controller could insist the requester signs a confidentiality agreement which states the information regarding the third party should not go any further.

Each situation must be decided on its own facts.  You should redact information if doing so means you can meet some of the SAR without disclosing the identity of the other individual.


What if the SAR means I have to disclose inappropriate comments made about a customer?

Unfortunately, if no third party is involved and/or the SAR is not “manifestly unfounded or excessive” you may have no choice but to hand over the data or risk a penalty.

To avoid this situation, all staff should be made aware of the risk of making derogatory comments, or comments which could be construed as rude or hurtful about any customer, client, or supplier of the business.  Staff should be instructed only to include factual descriptions of customers, suppliers etc and their interactions with them and not to add their own opinions or subjective thoughts or comments.

Final words

To ensure you are in full compliance with your SAR obligations, it is essential you have up-to-date policies and procedures relating to the fulfilment of SARs and systems to capture the actions taken in the handling of a request.

If you require advice on GDPR or any other privacy or data protection matters, please get in touch with Ann-Maree Blake, a Partner in our Data Protection team.


Please note – this article does not constitute legal advice.