Complying with a subject access request

Receiving a subject access request

A subject access request may be made verbally or in writing, including via electronic means.

Controllers may take ‘reasonable measures’ to identify the person making the request if they are not known. 

No fee can be levied unless the request is manifestly unfounded or excessive, in particular because of its repetitive nature (see general rules applying to rights).

Responding to an access request

Compliance with an access request must be without undue delay, but within one month (see Calculating "one month").  This is subject to an extension of up to two months in some limited circumstances.

The controller must:

The right of access can be restricted where "such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society". The controller must be able to demonstrate that any restriction imposed is necessary in the circumstances.

The restrictions on rights are set out in Schedule 9 of the Implementing Regulations.  

Non-compliance with requests to exercise rights

If the controller is not taking action on the request of the individual to exercise a right, it must inform the individual “without delay” (and within ONE month of receipt of the request) about:

All guidance about complying with subject access requests is available in the "Subject Access Request document library".