Grasping SAR: Your Rights to Data Access


In today’s digital age, the protection of personal data has become a major concern for individuals and organisations alike. The General Data Protection Regulation (GDPR) was introduced in 2018 to strengthen the rights of individuals and ensure the proper handling of their personal data. One of the key rights granted to individuals under the GDPR is the right of access, which allows them to obtain a copy of their personal data held by organisations.

This blog post will guide you through the process of making a Subject Access Request (SAR) and help you understand your right of access under GDPR.

Understanding Your Right of Access


What is the right of access?

The right of access under the General Data Protection Regulation (GDPR) is a fundamental data subject right that grants individuals the ability to obtain confirmation from data controllers (organisations or entities that collect and process personal data) whether their personal data is being processed, and if so, to access that personal data. In essence, it allows individuals to inquire about and review the personal information that organisations hold about them.

The right of access under the General Data Protection Regulation (GDPR) is of significant importance to individuals for several reasons:

  1. Transparency: It promotes transparency by giving individuals the ability to know what personal data is being collected, processed, and stored about them by organisations. This transparency is essential for building trust between individuals and the organisations that handle their data.
  2. Control over Personal Information: The right of access empowers individuals to take control of their personal information. They can review the data held by organisations, ensuring its accuracy and relevancy. This control is vital in an age where personal data is used for various purposes, including marketing and decision-making.
  3. Verification and Correction: Individuals can use the right of access to verify the lawfulness of data processing and request corrections to inaccuracies in their personal data. This ensures that the information used by organisations to make decisions about individuals is accurate and up-to-date.
  4. Preventing Unauthorised Processing: It helps prevent unauthorised or unlawful processing of personal data. Individuals can request information about how their data is being used, making it more challenging for organisations to engage in data processing without consent or legal basis.

What information can you request?

The right of access under the General Data Protection Regulation (GDPR) covers various types of personal data. Here are four common types of personal data that are covered by the right of access:

  1. Basic Identifying Information: This includes data such as full names, addresses, phone numbers, and email addresses. Individuals have the right to access this type of personal data to ensure its accuracy and to know how it is being used by organisations.
  2. Financial Information: Personal financial data, including bank account numbers, credit card information, and transaction history, is covered by the right of access. Individuals may want to review this data to verify financial transactions and detect any unauthorised activities.
  3. Health and Medical Records: The right of access extends to health and medical data, such as medical history, prescription records, and diagnostic reports. Individuals may access this information to understand their medical history, share it with healthcare providers, or ensure the accuracy of their records.
  4. Online Activity and Behavioral Data: GDPR also covers online identifiers and behavioural data that can be linked to an individual, such as IP addresses, cookies, and website usage history. Individuals have the right to access this data to understand how their online behaviour is tracked and how it may influence personalised content or advertising.

Under the right of access (Subject Access Request) granted by the General Data Protection Regulation (GDPR), individuals have the right to request access to various types of personal data that organisations hold about them.

How to make a Subject Access Request (SAR)


What to Expect After Submitting a SAR

Acknowledgment of your request is a crucial step in the Subject Access Request (SAR) process. After submitting your SAR to an organisation or data controller, receiving an acknowledgment serves as a confirmation that your request has been received and is being processed. It provides peace of mind for individuals, assuring them that their request has not gone unnoticed. Furthermore, this acknowledgment typically includes essential details, such as a reference number and an estimated timeline for the response, which helps manage expectations. Understanding what to expect after submitting your SAR, including the importance of receiving this acknowledgment, is vital. It ensures transparency and accountability in the handling of personal data, fostering trust between individuals and organisations, and facilitating a smoother SAR experience.

Processing of your request

Organisations typically follow a structured process when handling Subject Access Requests (SARs) to ensure compliance with the General Data Protection Regulation (GDPR) and to protect individuals’ data privacy rights. The processing time for SARs can vary depending on several factors.

Here’s an overview of how organisations handle SARs and the factors that may affect the processing time:

Handling SARs:

  1. Receiving the SAR: When an organisation receives a SAR, the first step is to acknowledge its receipt, as mentioned in the previous response. This acknowledgment informs the individual that their request is being processed.
  2. Verification of Identity: To prevent unauthorised access to personal data, organisations typically verify the identity of the requester. This step may involve requesting additional information or documents to confirm the requestor’s identity.
  3. Data Retrieval: Once the requestor’s identity is verified, the organisation starts gathering the requested personal data. This may involve searching databases, archives, and systems to compile the relevant information.
  4. Review and Redaction: Before providing the data to the requester, organisations review the collected information to ensure it doesn’t contain third-party information or sensitive data that should not be disclosed. Redaction, if necessary, is performed to protect the privacy of other individuals.
  5. Response Preparation: Organisations prepare a response to the SAR, which includes the requested personal data, an explanation of how the data is processed, and any relevant supplementary information.
  6. Response Delivery: The response is delivered to the individual, typically in writing or electronically, depending on the format of the original SAR. Organisations must provide the response within one month from the date of receipt, although this can be extended in certain cases.

Factors Affecting Processing Time:

Several factors can influence the processing time for SARs:

  1. Complexity of the Request: The complexity of the SAR can significantly impact processing time. Requests that involve a large volume of data or data from multiple sources may take longer to fulfil.
  2. Verification Process: The time required to verify the requestor’s identity can vary, especially if additional documentation is needed.
  3. Data Availability: The ease of accessing and retrieving the requested data can affect processing time. Data stored in multiple systems or in archived formats may take longer to retrieve.
  4. Volume of SARs: The number of SARs an organisation receives can impact processing time. A high volume of requests may lead to resource constraints and longer response times.
  5. Legal Complexity: In some cases, legal complexities, such as issues related to legal privilege or ongoing investigations, can extend the processing time as organisations need to ensure compliance with applicable laws.
  6. Extension Requests: Organisations can request an extension of up to two additional months if the SAR is complex or numerous. However, they must inform the requester of this extension within the initial one-month timeframe.

It’s essential for organisations to prioritise the timely processing of SARs to meet GDPR requirements and uphold individuals’ rights. Additionally, clear communication with the requester about any delays or extensions is crucial to maintaining transparency and trust throughout the process.

Receiving your personal data

When organisations respond to Subject Access Requests (SARs) and provide access to your personal data, they are committed to safeguarding your privacy and data security. The format in which your personal data may be provided is designed to ensure both accessibility and security. Typically, organisations provide the data in a structured and easily readable format, such as a PDF or digital document. This format ensures that you can review the information conveniently.

However, it’s important to note that the chosen format also takes into account data security and confidentiality. Organisations take measures to protect your data during transmission and delivery, ensuring that it remains confidential and does not fall into the wrong hands. Your privacy and the security of your personal information are paramount throughout the SAR process.


The right of access is a powerful tool that empowers individuals to take control of their personal data. By understanding the process of making a Subject Access Request (SAR) and exercising your right of access under GDPR, you can gain valuable insights into how your personal data is being used and ensure its proper handling. Remember, your data belongs to you, and it is your right to access and protect it.

Making a SAR is a straightforward process that requires you to provide detailed information about your identity and the nature of your request. It is important to ensure that you provide accurate and up-to-date information as this helps organisations to process your request in a timely manner. Furthermore, you should be aware that some organisations may require additional information or evidence to verify your identity. Once you have submitted your SAR, you should expect to receive a response within one month, although this may vary depending on the complexity of your request and the organisation in question.


The ability to access personal data is an influential resource that enables individuals to assert authority over their own information. By comprehending the steps involved in submitting a Subject Access Request (SAR) and exercising your right of access in accordance with GDPR, you can acquire valuable knowledge about the utilisation of your personal data and guarantee its appropriate management. Keep in mind that your data is your own, and you have the entitlement to access and safeguard it.

Click, read, and hear more about data and artificial intelligence  with our blogs on our website.