FAQ

Your right of access allows you to be aware of and enables you to verify the lawfulness of the processing of your personal data. For example, you might want to make a subject access request if you’re not convinced a company is processing your data lawfully. You might also want to ask about any logic involved in any automated decisions made about you or get confirmation that your data is being processed and request access.

GDPR gives you the right not to be subject to a decision based solely on automated processing if it affects you legally or substantively.

The GDPR does not specify the way in which requests must be made, so requests may be made verbally or in writing. Some organisations may choose to provide a paper or online form for data subjects to make a request. However, as a data subject you within your rights to send in a request by some other means. This may be via our online web form, in person, or by sending a letter or email.

Even if a written request does not include an explicit reference to the GDPR or the words ‘subject access request’, that does not mean it is not valid.

Organisations are required to deal with subject access requests within one month of receiving them. This can be extended by two months where the request is considered complex and numerous.

Before the GDPR was introduced, organisations could charge up to £10.00 to deal with the request. However, now organisations cannot charge a fee unless the request is ‘manifestly unfounded or excessive’ or if the individual asks for additional copies (i.e. you have already received a free copy). The fee should only be to cover the administrative costs of providing this information.

A SAR will only relate to personal data about yourself. You’re not entitled to see information about other people, although this may be allowed in certain circumstances. Because of this, it’s possible that you won’t be provided with the full document containing your personal data, just the sections relating to you.

Organisations may require you to supply your ID so they can verify your right of access. We are committed to ensuring we do not share personal information with people who are not authorised access to it, which is why our web forms simply forward the data you submit to your desired organisation on your behalf.

Acceptable forms of ID typically include a copy of one or more of the following:

    -Passport
    -Driving License

If you believe that any information has been withheld, contact the organisation and remind them of what’s required. Some information may have been exempt from disclosure. Where this is the case, the organisation is required to explain why.

If you were not notified and the organisation's final response fails to explain why, you can submit a complaint to the Information Commissioner's Office (ICO). Our form for this can be found here.