In Short
- Individuals can access their personal data and understand how it is used through Subject Access Requests (SARs).
- Businesses must recognise and respond to SARs within one month, ensuring compliance with strict legal obligations.
- Train staff, set up a clear SAR policy, and track requests to meet deadlines and avoid errors.
Tips for Businesses
Prepare for SARs by creating a clear policy and training staff to handle requests efficiently. Implement a tracking system to stay organised and meet deadlines. If dealing with complex requests or applying exemptions, seek legal advice to avoid mistakes and ensure compliance with the UK GDPR.
Managing data protection rights correctly and effectively is vital for any business subject to the UK GDPR, particularly for data controllers. Under the UK General Data Protection Regulation (UK GDPR), individuals have the right to access and receive a copy of their personal data, along with details about how it is used. Subject Access Requests (SARs) under Article 15 of the UK GDPR are how people exercise this right. This article explores these key data subject rights under Article 15 of the UK GDPR, why they are essential, and how your business can manage them effectively.
What Rights Does Article 15 of the UK GDPR Give Individuals?
The UK GDPR (along with the Data Protection Act 2018) sets out rules for how businesses collect, use, and store personal data. These laws are intended to give individuals significant control over their data and to ensure businesses handle it responsibly.
A key part of these rules is the right of access. This right lets individuals know what personal data your business holds about them and how you use it. This includes supplementary information such as the purposes of processing, categories of personal data, data recipients, retention periods, and the data’s source (if not collected directly from the individual).
Subject Access Requests
People can make SARs verbally, in writing, or even through social media. For their request to be valid, they do not need to use specific terms like ‘subject access request’ or ‘Article 15’.
Your staff must be able to recognise a SAR promptly and act on it, because any employee could receive one. It is also essential to document requests by recording details such as the date, the requester’s identity, and what they are asking for. You generally have only one month to respond (unless you can justify an extension permitted by law), so it is vital to handle requests efficiently.
You should also know that individuals can authorise a third party to make a SAR on their behalf. Before responding, you must ensure the third party provides proof of their authority to act for the individual.
In some situations, you can refuse a SAR, such as where the request is manifestly unfounded or excessive, or where an exemption applies. However, you must clearly explain your reasons and inform the individual of their right to complain to the ICO or take legal action. Handle any refusal with care and make sure it is lawful. If you need support, you can seek advice from a data protection solicitor.
Why is It Important to Handle Article 15 Rights Correctly?
Ignoring or mishandling a SAR allows the individual to complain to the ICO or even take the matter to court. This can lead to fines, reputational damage, or compensation claims.
How your business handles SARs shows how seriously you take data protection. Responding promptly and correctly demonstrates that you value people’s privacy and rights. Properly managing SARs also helps build trust with your stakeholders: it shows that your business is transparent, accountable, and committed to meeting its legal privacy obligations.
How Can Your Business Manage Article 15 Rights Effectively?
Handling SARs can be difficult, particularly for small businesses. It is therefore worth investing in a sound understanding of the SAR process and in procedures for handling requests correctly.
Practical Steps
Here are some key practical steps that your business can take to manage Article 15 rights:
- Be ready for SARs in any manner. SARs can be made in various ways, including via social media. If you receive a request through social media, you must treat it as valid. As such, be ready to monitor and respond to requests through all channels;
- Create a clear SAR response policy. Your business can implement a clear policy to help your staff understand how to handle SARs. This policy can lay out clear rules to make it easier for staff to respond when someone submits a SAR;
- Train your staff. Ensure everyone in your business knows how to identify a SAR and what to do next when a request arises. Provide clear instructions so everyone knows what to expect. Training can help prevent critical mistakes and common pitfalls;
- Set up a tracking system. Logging each SAR helps you track deadlines and ensure you respond on time. Remember, you should respond within one month unless an exception applies, such as where the request is particularly complex or the individual has made several requests. If you need more time, you can extend the deadline by a further two months, but you must inform the person about the extension within the first month. A process for tracking SARs allows you to comply with these strict timeframes and stay on track; and
- Know when to seek legal advice. There may be instances where your business needs support with some or all aspects of the SAR process, such as understanding and correctly applying any applicable exemptions, or working out what information you need to provide. Sometimes, you might need to withhold information to protect third-party rights. Getting SARs right matters, so seek legal advice if you are unsure how to respond or feel you cannot handle the request within the legal timeframe due to capacity constraints. A data protection lawyer can help you handle the process effectively and meet your legal obligations.
Key Takeaways
Article 15 of the UK GDPR allows individuals to access their personal data and understand its use. Handling these requests properly is critical for compliance with the UK GDPR. In practice, however, dealing with such requests can be challenging and onerous. You can create efficient SAR management processes and ensure compliance with your mandatory legal obligations by training your staff, setting up clear SAR policies, and tracking and monitoring requests. If you are unsure how to handle an Article 15 request, seeking legal advice can help you avoid pitfalls and mistakes and ensure your business complies with its legal obligations.
If you need support understanding how to respond to an Article 15 request, our experienced data, privacy, and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.
Frequently Asked Questions
What is a Subject Access Request?
A Subject Access Request (SAR) is when an individual data subject asks your business for a copy of the personal data you hold about them, together with certain other information about how you process it. SARs can be made verbally, in writing, or through social media, and they do not need to follow a specific format.
How can legal advice help with SARs?
Legal advice can help in various ways, especially when dealing with complex or unclear SARs. For example, a data protection lawyer can guide you on applying exemptions. They can also assist by redacting third-party information and ensuring your responses comply with the UK GDPR.