Subject access request self serve

Individuals have the right to obtain the following from a controller:

• confirmation that you are processing their personal data;
• a copy of their personal data; and
• other supplementary information.

When most people make a subject access request (SAR) their focus is usually to obtain a copy of their personal data. However under the right of access individuals also have the right to receive additional information (which largely corresponds with the information that you should provide in a privacy notice):

• your purposes for processing;
• categories of personal data you’re processing;
• recipients or categories of recipient you have or will be disclosing the personal data to (including recipients or categories of recipients in third countries or international organisations);
• your retention period for storing the personal data or, where this is not possible, the criteria for determining how long you will store it;
• the individual’s right to request rectification, erasure or restriction or to object to processing;
• the individual’s right to lodge a complaint with the Information Commissioner’s Office (ICO);
• information about the source of the data, if you did not obtain it directly from the individual;
• whether or not you use automated decision-making (including profiling) and information about the logic involved, as well as the significance and envisaged consequences of the processing for the individual; and
• the safeguards you have provided where personal data has or will be transferred to a third country or international organisation.

When responding to a subject access request (SAR), you must remember to supply this information in addition to a copy of the personal data itself. If you provide this information in your privacy notice, you can include a link to or a copy of your privacy notice.

Find out more

• Right to be informed
• What is the right of access?