Information to Include in a Subject Access Request

You have 30 days to respond to a subject access request and you must also log details for all subject access requests.

Don’t forget to validate the requestor!

Include the following in subject access responses:

  1. Identity and contact details of the data controller (and/or the controller’s representative);
  2. Contact details of the Data Protection Officer (the person with responsibility for data protection matters within your organization);
  3. Purpose(s) of the processing and the lawful basis for the processing;
  4. Where processing is based on the legitimate interests of the controller or a third party, the legitimate interests of the controller;
  5. Any other recipient(s) of the personal data;
  6. Where applicable, details of any intended transfers to a third country (non-EU member state) or international organization, and details of adequacy decisions and safeguards;
  7. The retention period (how long your organization holds onto the data) or, if that is not possible, the criteria used to determine the retention period;
  8. The data subject’s rights:

  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to restrict processing
  • Right to data portability
  • Right to object – and the right to request these from the data controller.

  9. Where processing is based on consent, the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
  10. The right to lodge a complaint with a supervisory authority;
  11. Whether the provision of personal data is a statutory or contractual requirement, necessary to enter into a contract, or an obligation, and the possible consequences of failing to provide the personal data;
  12. The existence of any automated decision-making processes that will be applied to the data, including profiling, and meaningful information about how decisions are made, and the significance and consequences of the processing.

Where the personal data has not been obtained directly from the data subject

The data controller for your organization should provide:

  1. The information at items 1–10 and 12 above;
  2. Information on the types of personal data that the organization holds about the data subject;
  3. Information on how the personal data was obtained and whether it came from publicly accessible sources.