Consumers and members of the public who make a SAR often simply want to find out what information is held on them by an organisation. However, they are also entitled to find out:
- details of the personal data which is being processed (ie a copy of the data)
- the reasons why this data is being processed
- how this data was sourced (if available)
- which other organisations or individuals have access to their data
Under the GDPR and DPA, they can additionally request information about data retention periods and have the right to have inaccurate data corrected. Individuals can also ask for data to be erased if there is no longer any legal basis for processing that data, or ask that the processing of that data is restricted.
Individuals can make data protection requests from both the data controller and data processor.