Submitting a GDPR subject access request (SAR) is a straightforward process designed to empower individuals to access their personal data held by organisations.
Here’s a step-by-step guide on how to file a GDPR subject access request:
1. **Identify the Data Controller**: Determine which organisation or entity is responsible for processing your personal data. The Data Controller is usually the company or organisation that you directly deal with; it is not usually any other companies or organisations that they may need to share your data with (these third-party companies are known as Data Processors). For example, if you buy a product online, the retailer is the Data Controller. They will need to share your information with their delivery company and payment processor – the delivery company and payment processor are only Data Processors. Your SAR should be submitted to the Data Controller; it is then their responsibility to collect your information from their Data Processors, so you should not need to contact the Data Processors yourself.
2. **Find the Contact Information**: Locate the contact details of the Data Controller or their designated Data Protection Officer (DPO). This information is often available on the organisation’s website or within their privacy policy. If you can’t find it, you may need to reach out to the organisation directly to inquire about the appropriate contact for GDPR requests.
3. **Submit Your Request**: Prepare a written request that clearly states your intention to exercise your rights under the GDPR. Include the following information in your request:
– Your full name and contact information.
– Any relevant details that can help the organisation identify you in their records, such as account numbers, reference numbers, or dates of interaction.
– Specify that you are making a subject access request under the GDPR.
– Clearly state that you are requesting access to your personal data held by the organisation.
– If applicable, specify the time period for which you are requesting data or any particular types of information you are interested in (e.g., emails, account statements, medical records, or everything).
– Send your written request to the Data Controller or their data protection officer (DPO) using the contact information you obtained above. You can usually submit your request via email or postal mail, depending on the organisation’s preferred method of communication.
4. **Verify Your Identity**: In some cases, the organisation will request additional information to verify your identity and address before processing your request. This could involve providing a copy of your photo ID or passport, or answering security questions related to your account. Be prepared to provide this information in order for the request to go ahead.
5. **Wait for a Response**: Under the GDPR, organisations are required to respond to subject access requests without undue delay and usually within one month of receiving the request. However, this period can be extended by an additional two months for complex requests or if the organisation receives multiple requests from the same individual. If the organisation needs more time to fulfil your request, they should inform you of the reasons for the delay within one month of initially receiving your request.
6. **Review the Response**: Once you receive a response from the organisation, review the information provided carefully to ensure it meets your expectations. The organisation should provide you with access to your personal data in a clear and understandable format. If you have any concerns or believe that information is missing or inaccurate, you can follow up with the organisation to seek clarification or request corrections.
7. **Seek Redress if Necessary**: If you are dissatisfied with the organisation’s response to your subject access request or believe they have not complied with their obligations under the GDPR, you have the right to lodge a complaint with the relevant supervisory authority, such as the Information Commissioner’s Office (ICO) in the UK (see the link at the top of this page). The supervisory authority will investigate your complaint and may take enforcement action against the organisation if they find that GDPR violations have occurred.
By following these steps, you can exercise your rights under the GDPR and gain access to your personal data held by organisations, helping you better understand how your information is being used and processed.