Dashboard
Dashboard Make a document Ask a lawyer Get guidance Home
Account
Profile information Account settings
Logout
Help
Help Contact us
Explore
Make documents Ask a lawyer Get guidance About us
Account
Sign up Log in
Help
Help Contact us
Make documents
Easily make legal documents
See all documents
Popular business documents
Popular employment documents
Popular property documents
Popular family documents
Terms and conditions Privacy policy Non disclosure agreement Shareholders' agreement
Employment contract Health and safety policy Environmental policy Consultancy agreement
Tenancy agreement Lodger agreement Eviction notice Declaration of trust
Affidavit Prenuptial agreement Last will and testament Power of attorney
Ask a lawyer
Get quick legal advice from a lawyer
Ask your question
Popular legal topics
COVID-19: Business legal help Brexit for businesses Startup legal help Run an online business
Hire employees Manage employees Discipline employees Dismiss employees
Rent residential property Rent commercial property Manage rented property Evict tenants
Get divorced Apply for probate IR35 status determination advice Bespoke legal drafting
Get guidance
Get reliable legal guidance
Read legal guides
Popular business guides
Popular employment guides
Popular property guides
Popular family guides
COVID-19: Business legal help COVID-19: Individual legal help Types of shares Ending a contract
Overpayment of wages Notice periods Summary dismissal Implied employment terms
Declaration of trusts Legal interests in property Section 21 notices Security of tenure
Affidavits Executing a will Changing your name Getting married
About us
Learn more about Rocket Lawyer
Contact us
Get more information
Pricing
Help
About us
Careers
  1. /gb/en
  2. Legal guides
  3. Data protection requests

Data protection requests

Under section 45 of the Data Protection Act 2018 (DPA), individuals are able to make data protection requests (also known as subject access requests or SARs) from businesses and other organisations.

Consumers and members of the public who make a SAR often simply want to find out what information is held on them by an organisation. However, they are also entitled to find out:

  • details of the personal data which is being processed (ie a copy of the data)
  • the reasons why this data is being processed
  • how this data was sourced (if available)
  • which other organisations or individuals have access to their data

Under the GDPR and DPA, they can additionally request information about data retention periods and have the right to have inaccurate data corrected. Individuals can also ask for data to be erased if there is no longer any legal basis for processing that data, or ask that the processing of that data is restricted.

Individuals can make data protection requests from both the data controller and data processor.

Individuals can request information (via a SAR) about the reasoning behind any automated decisions taken on the basis of data held about them (eg when applying for a credit card). Under GDPR they must be provided with a simple way of challenging automated decisions.

SARs must be made in writing - by post, email or social media (verbal requests may be considered if necessary due to a disability). A SAR does not need to mention any legislation or even identify itself as a SAR - and it can be sent to anyone at an organisation.

The recipient of a SAR must respond without undue delay and, in any event, within one month. They are required to provide the information requested in an 'intelligible form' - which essentially means in a form that most people would be able to understand and using clean, plain language.

If you have doubts about the identity of the person making the request you can ask for more information. However, it is important that you only request information that is necessary to confirm who they are. The key to this is proportionality.

You need to let the individual know as soon as possible that you need more information from them to confirm their identity before responding to their request. The period for responding to the request begins when you receive the additional information.

Certain SARs are subject to exemptions or restrictions, including:

  • if it is being processed in connection with crime, taxation or another regulatory activity
  • if it comprises a confidential reference given by an organisation in connection with education, training or employment, appointing office holders, or providing services
  • where personal data is processed for management forecasting or management planning (if the SAR would prejudice the business or other activity of the organisation)
  • if it would prejudice ongoing negotiations
  • where it could threaten freedom of expression in journalism, art and literature
  • if the data is being processed by an individual for their personal affairs

Under GDPR, if a request is 'manifestly unfounded or excessive' data controllers will be able to levy a fee or refuse to comply (but they will need to provide evidence).

Follow us

We use cookies to provide the best experience