Subject access requests: how do I retrieve my data from an organisation?

Under the EU General Data Protection Regulation (GDPR), as an individual (known as the ‘data subject’), you have eight rights.

Your ‘right of access’, set out in Article 15 of the Regulation, requires data controllers (organisations that control the processing of your data) to confirm whether they are processing your personal data and, if they are, provide you with a copy of that data – as long as doing so doesn’t adversely affect the rights and freedoms of others.

Requesting a copy of your data is known as a subject access request (SAR).

What information can you ask for?

As well as a copy of your personal data, you have the right to certain information, including:

  • A description of what the personal data is;
  • The reasons for processing that data;
  • Who that data will be, or has been, shared with;
  • A copy of the personal data; and
  • The source of that data and any details pertaining to it.

Where your personal data is transferred to a third country (i.e. one outside the EU) or to an international organisation, you also have the ‘right to be informed’ of the safeguards in place for such a transfer.

The GDPR does not specify how you should make a valid SAR. However, it is clear that organisations will need to check your identity; as such, it would be sensible to submit a form of identification with any SAR.

Who can you request your data from?

If you live in the EU, regardless of your nationality, you can submit a SAR to any organisation processing your data – whether commercial businesses, charities or public authorities. It does not matter where that organisation is based.

Also note that ‘processing’ is defined by Article 4(2) of the Regulation as “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”. In particular, merely collecting or storing your data is considered “processing” under the GDPR.

Is there a fee to pay for requesting your personal data?

No, in most cases organisations are not allowed to charge a fee for your requests. However, there are exceptions: an organisation may charge a reasonable fee based on administrative costs when you request multiple copies of your personal data, or where requests are “manifestly unfounded or excessive”, such as asking for translations of personal data or explanations of an organisation’s notes found within your data.

Educate yourself or your staff about the GDPR

Our GDPR Staff Awareness E-learning Course provides clear, interactive education on the principles, roles, responsibilities and processes under the GDPR. Complex concepts are explained using practical and non-technical terminology, making it easier for individuals with a non-technical background to understand.

Spend over £250 and save 15% on this product and more from our GDPR Compliance Checklist.