Alex Denne
Growth @ Genie AI | Introduction to Contracts @ UCL Faculty of Laws | Serial Founder

Manage Data Subject Access Requests (UK)

9 Jun 2023

Note: Links to our free templates are at the bottom of this long guide.
Also note: This is not legal advice.

Introduction

Data Subject Access Requests (DSARs) are a key aspect of the General Data Protection Regulation (GDPR), and an incredibly valuable tool for individuals to ensure their personal data is protected. DSARs enable individuals to request information that an organization holds about them, check its accuracy, and even have it rectified if it is incorrect. However, with such power comes responsibility - organizations must ensure they adhere to GDPR requirements when responding to DSARs, or face significant penalties from the Information Commissioner’s Office.

At Genie AI, we understand the importance of DSARs, which is why our team has created the world’s largest open source legal template library. Our millions of datapoints teach our AI what a market-standard DSAR looks like, allowing anyone to customize and draft high-quality legal documents without paying a lawyer. Using this guide does not require you to have a Genie AI account; we just want to help make sure your data is safe and secure.

To respond effectively and efficiently to DSARs, organizations should first establish dedicated teams who can manage them competently with adequate training and support in place - all backed up by adequate processes and procedures that encompass the specific requirements of the GDPR.

In today’s ever-evolving digital landscape it pays for companies to take their employees’ safety seriously - both legally and ethically - so why not read on below for our step-by-step guidance on how best to put this into practice? Also find out how you can access our template library today – free of charge!

Definitions

Data Subject Access Request (DSAR) - A request for access to personal data held about an individual by a controller.
Data Protection Act 2018 - A law in the UK that requires organisations to provide individuals with access to their personal data.
General Request - A request where the individual does not specify what type of data they would like to access.
Specific Request - A request where the individual specifies what type of data they would like to access.
Redacting - Removing or concealing part of a document or record.
Logs - Records of events or activities.
Documenting - Recording information in written or digital form.
Verifying - Checking the accuracy or truth of something.
Gathering - Collecting data or information.
Notifying - Informing someone of something.
Identifying - Recognizing or determining something.
Complex - Involving many different and connected parts.
Unclear - Not easy to understand or explain.
Appropriate - Suitable or right for a particular situation.
Accurate - Free from error or mistakes.
Format - The way something is arranged or presented.
Complaint - An expression of dissatisfaction or annoyance.
Appeal - A request to change an official decision.
Regulations - Rules that have been agreed upon by a group.
Monitoring - Observing or checking something over time.

Contents

  1. Understanding Data Subject Access Requests (DSARs)
  2. Definition of a DSAR
  3. What Data Can be Requested
  4. Types of DSARs and the Data Protection Act 2018
  5. General Requests
  6. Specific Requests
  7. How to Respond to a DSAR
  8. Timely and Accurate Response
  9. Redacting Information
  10. Keeping a Record of DSARs
  11. Keeping Logs
  12. Documenting the Process
  13. Making Sure Your Response is Accurate and Timely
  14. Verifying the Identity of the Data Subject
  15. Gathering Appropriate Data
  16. Meeting Deadlines
  17. Notifying Third Parties when Handling DSARs
  18. When to Notify Third Parties
  19. Tracking Notifications
  20. Dealing With Challenges That Arise During a DSAR
  21. Identifying Complex Requests
  22. Handling Unclear Requests
  23. Providing Information Accurately and in an Appropriate Format
  24. Format of the Response
  25. Ensuring the Data is Accurate
  26. How to Handle Complaints and Appeals
  27. Responding to Complaints
  28. Making Appeals
  29. Ensuring Compliance With Data Protection Regulations
  30. Compliance Standards
  31. Documenting Compliance
  32. Monitoring Compliance

Understanding Data Subject Access Requests (DSARs)

  • Understand what a DSAR is and what rights it offers to individuals
  • Learn the scope of a DSAR and what it covers
  • Understand the time frame for responding to a DSAR
  • Familiarize yourself with the laws and regulations governing DSARs in the UK
  • Know which data you need to provide when responding to a DSAR
  • Be aware of any exemptions that may apply

Once you have a firm understanding of what a DSAR is, what it covers, and the laws and regulations surrounding it, you can move on to the next step.

Definition of a DSAR

  • A Data Subject Access Request (DSAR) is a request from a data subject (e.g. an individual) for access to their personal data that is being processed by a data controller (e.g. a company).
  • DSARs can be made verbally or in writing, and are free of charge.
  • DSARs must be responded to within one month of receipt.
  • DSARs should be responded to with the data subject’s personal data and an explanation of how it is being processed.

You will know you can check this step off your list when you have identified what a DSAR is and understand when it should be responded to.

What Data Can be Requested

  • Identify what type of data the individual can request from you
  • Understand what personal data you need to provide in response to a DSAR
  • Check your data protection policies, procedures and records to ensure you are handling DSARs correctly
  • Document which data you are legally obliged to provide
  • Document any data that you are not legally obliged to provide

When you have identified the data that can be requested and documented your process, you can move on to the next step.

Types of DSARs and the Data Protection Act 2018

  • Understand the types of data subject access requests (DSARs) and the Data Protection Act 2018 that applies to all requests
  • Know the eight individual rights of data subjects and the requirements for each one
  • Be aware of the potential exemptions and conditions that may apply to certain requests
  • Be able to determine which requests are subject to the Data Protection Act 2018 and which requests are exempt
  • Be able to identify any legal requirements and restrictions that apply to the data subject rights
  • Have a process in place to handle DSARs
  • Understand the timeframes and deadlines for responding to DSARs
  • Have the necessary resources to respond to DSARs

Once you have a good understanding of the types of DSARs and the Data Protection Act 2018, you can check this step off your list and move on to the next step.

General Requests

  • Review the data subject access request you have received and ensure that it meets the requirements of the Data Protection Act 2018.
  • Check to see if the data subject has provided sufficient information to enable you to locate the data they are requesting access to.
  • Make sure the data subject has provided proof of identity, such as a copy of their passport, driving license or national identity card.
  • Contact the data subject if you need more information or clarification before you can process their request.
  • Establish a timeline for responding to the request and ensure that you respond within this timeframe.
  • Check to ensure you have all the necessary resources and tools to carry out the request.

How you’ll know when you can check this off your list and move on to the next step:

  • When you have reviewed the data subject access request, checked to see if the data subject has provided sufficient information, established a timeline for responding, and ensured that you have all the necessary resources and tools to carry out the request.

Specific Requests

  • Identify the specific request: make sure that the request is specific enough to allow you to locate the relevant personal data;
  • Assess the request: review any exemptions that may apply and check whether the request is manifestly unfounded or excessive;
  • Gather the data: locate the relevant personal data and check that the data is accurate and up-to-date;
  • Review the data: review the data to check whether it is relevant to the request;
  • Prepare the response: prepare the response including any exemptions and explanations;
  • Provide the response: provide the response to the Data Subject;
  • Document the response: record the response and any documents provided in the response.

How you’ll know when you can check this off your list and move on to the next step:

Once the response has been provided to the Data Subject and the response and any documents provided in the response have been recorded, you can check this step off your list and move on to the next step: How to Respond to a DSAR.

How to Respond to a DSAR

  • Create a process for responding to DSARs, including nominating a team member to be the point of contact for such requests
  • Establish a timeline for responding to DSARs, which should be no more than one calendar month
  • Ensure that the response to the DSAR is accurate and timely
  • Ensure that the data subject is adequately informed of the progress of their request
  • Check that the data subject has provided sufficient information to identify them and the data they are requesting
  • Check that the data subject has provided evidence that they are entitled to make the DSAR
  • Obtain the requested data or confirm why the data cannot be provided
  • Provide the data subject with the requested data
  • When responding to a DSAR, ensure that any third parties (such as sub-processors) are notified and that the data subject is provided with details of those parties

This step is complete when the requested data is provided to the data subject and they are aware of any third parties who have processed the data.

Timely and Accurate Response

  • Respond to DSARs within a month of receipt, unless there is a valid reason for an extension
  • For complex requests, you may need to seek legal advice
  • Provide as much information as possible to the data subject, including any information excluded from the request
  • Ensure that all data provided is accurate, up to date and relevant
  • Check that any third parties that data has been shared with are also responding in a timely manner
  • When the response is complete, inform the data subject and provide the information in the format requested
  • Check off this step when all data has been provided and the data subject has been informed of the response.

Redacting Information

  • Review the data subject’s access request to determine the specific information the individual has asked for.
  • Identify any personal data that you must redact in order to comply with the data subject’s request.
  • Redact the personal data requested.
  • Ensure that the redacted data is not sent to the data subject.
  • When you have completed the redacting process, you can move to the next step of keeping a record of the data subject access request.

Keeping a Record of DSARs

  • Maintain a secure log of all DSARs received, including contact details and the date received
  • For each DSAR received, record the request, the response, and the date of response
  • Any additional notes should be included in the log, such as if a request was complicated or if additional information was requested
  • Ensure that the log is regularly reviewed and maintained
  • When the DSAR is complete and the response has been sent, the log entry can be marked as closed
  • After the response has been sent, keep a record of it for at least 6 years

Keeping Logs

  • Keep a log of all DSARs received, including the data subject’s name, contact info, and the date the request was received
  • Take note of the date you respond to the request and any other relevant information about the request
  • Ensure the log is detailed enough to allow for an audit trail to be followed
  • Keep the log secure and ensure it is only accessible to those with a legitimate need to know
  • When you have completed the log and ensured it is up to date, you can move on to the next step of documenting the process.

Documenting the Process

  • Document the process for responding to data subject access requests (DSARs).
  • Create a record of the process you will use to respond to DSARs, including the information you will need to provide, the timescales you will adhere to and any other relevant information.
  • Update your documentation as necessary, to ensure it remains up-to-date with any changes in data protection law and your internal procedures.
  • Make sure you document any relevant changes to the process you use to respond to DSARs.
  • Keep a record of any changes made to the process.
  • You will know this step is complete when you have documented the process for responding to DSARs and updated the record of changes made to the process.

Making Sure Your Response is Accurate and Timely

  • Ensure that the response you provide is accurate and timely by regularly reviewing the accuracy of the data you hold
  • Update the data if incorrect or out-of-date information is found
  • Ensure that the response is given in the format requested by the data subject
  • Respond to the data subject within the timescales set out in the Data Protection Act 2018
  • Respond to the data subject within one month of receiving their request, or within a longer period if you have agreed to do so
  • When you have provided the response, check that the data subject is satisfied with the result and that you have answered all of their questions

You can check this off your list and move on to the next step once the response is accurate and timely and the data subject is satisfied with the result.

Verifying the Identity of the Data Subject

  • Ensure the individual making the request is the Data Subject by verifying their identity
  • Use a form of ID that is satisfactory, such as passport, driver’s license, or utility bill
  • Check the photograph and other personal details of the ID to verify the individual
  • If the Data Subject is unable to provide satisfactory ID, have them answer questions about their personal details that only they should know
  • Upon successful verification, record the method used and details of the ID
  • Once the individual’s identity is verified, you can move on to the next step, Gathering Appropriate Data.

Gathering Appropriate Data

  • Identify all systems and services containing personal data of the data subject
  • Collect all the relevant personal data about the data subject from each of these systems and services
  • Prepare the personal data for disclosure in a secure, appropriate and legally compliant manner
  • Check the personal data for accuracy and whether there’s any information that you don’t have the right to disclose (e.g. third-party data)
  • You can check this step off your list when you’ve gathered all the relevant personal data about the data subject and prepared it for disclosure.

Meeting Deadlines

  • Establish the deadline for responding to the DSAR: the deadline must be no later than one month after the request is received
  • Set an internal deadline - ideally two weeks before the response is due, to allow enough time to respond
  • Have a designated team member responsible for tracking the progress of the DSAR
  • Set up an internal reminder system to ensure that the response is sent on time
  • Make sure all relevant stakeholders are aware of the deadline, and their roles in meeting it
  • Once the response has been sent out, document that the deadline has been met and make a note of it in the relevant records.

Notifying Third Parties when Handling DSARs

  • Make a list of any third parties that have been sent any data about the data subject, such as third parties that have been sent a copy of the data subject’s records
  • For each third party, decide whether the data must be sent to them in order to fulfil the data subject’s request
  • If you have decided that the data must be sent, then notify the third party of the subject access request and provide them with details of the data subject’s request
  • Once notified, the third party must provide the requested data to you within one month
  • Keep records of any notifications sent to third parties and the response received
  • When you have received the data from all third parties, you can check this off your list and move on to the next step (When to Notify Third Parties).

When to Notify Third Parties

  • Identify if any third parties need to be notified when handling DSARs
  • Determine whether the third party is a data processor or joint controller, as this will affect the process and the timeline for notification
  • Assess the potential impact of the DSAR on the third party and consider whether additional information is needed
  • Provide the third party with the necessary notice in a timely manner
  • Keep a log of all notifications sent
  • Once you have notified the third parties, you can check this off your list and move on to the next step of tracking notifications.

Tracking Notifications

  • Create a log of all DSARs received, including the date received, the data subject’s name and contact information, the scope of the request, and the response plan.
  • Track the progress of each request and the action taken by your organization.
  • Keep copies of any documents or evidence you send in response to the DSAR.
  • Record the date the DSAR was completed, and the date the data subject was notified.
  • Monitor the response times for DSARs and identify any areas of improvement.

When you can check this off your list and move on to the next step:

  • Once you have created a log, are tracking the progress of each request and have recorded the date the DSAR was completed and the date the data subject was notified, you can move on to the next step.

Dealing With Challenges That Arise During a DSAR

  • Familiarize yourself with the UK data privacy laws and the rights of data subjects to make DSARs
  • Develop a DSAR procedure that employees can use to ensure that any DSARs received are handled quickly and efficiently
  • Train data controllers and other relevant personnel on how to effectively respond to DSARs
  • Make sure that necessary data is easily accessible to fulfill DSAR requests
  • If a DSAR is complex, identify which data controllers are responsible for handling the request
  • If a DSAR is overly broad or excessive, consider seeking legal advice
  • If a DSAR is unclear or incomplete, contact the data subject for clarification
  • If a DSAR is unfounded or excessive, consider seeking legal advice

You’ll know you can check this off your list and move on to the next step when you have trained relevant personnel on how to effectively respond to DSARs, identified which data controllers are responsible for handling complex requests, and made sure that necessary data is easily accessible to fulfill DSAR requests.

Identifying Complex Requests

  • Consider the amount of time needed to respond to the DSAR request and identify any complex requests that require additional time
  • Assess the complexity of the request and determine the information needed to be collected and reviewed
  • Identify any third parties who need to be consulted and any additional measures that need to be taken
  • Make sure the data subject is aware of the complexity of their request and the additional time it may take to respond
  • Document the steps being taken and the additional time needed to respond
  • When the complexity of the request has been identified and documented, you can move on to the next step of handling unclear requests.

Handling Unclear Requests

  • Review the request to determine if it is unclear.
  • Contact the data subject to clarify the request.
  • Provide the data subject with an estimate of the time needed to respond to the request.
  • Ask the data subject if they are willing to narrow the scope of the request.
  • If the data subject does not provide clarification or narrow the scope of the request, consider consulting a legal advisor for advice.
  • Once the request is clear, you can move on to the next step.

Providing Information Accurately and in an Appropriate Format

  • Ensure that all information you provide is accurate and up-to-date.
  • Provide the data subject with all the information they have requested.
  • Ensure that the information you provide is in an appropriate format.
  • Provide the data subject with a copy of the information they have requested in a readable format.
  • Check that the information you have provided is easily understandable and accessible.
  • Ensure that any automated decision-making information is provided in a readable format.

When this step is completed, you can be sure that you have provided all the information requested in an accurate and appropriate format.

Format of the Response

  • Provide the requested data in a format that is easily accessible and understandable to the data subject, such as a PDF or CSV file.
  • Explain any technical terminology used in the document so that it is easily understood by the data subject.
  • If the data subject has requested a copy of the data, provide it in the same format and language as the original.
  • If the data subject has requested an explanation of the data, provide an explanation that is clear and concise.
  • Ensure the response is easy to read and navigate, such as providing an index or table of contents.

How you’ll know when you can check this off your list and move on to the next step:

  • You will know you can move on to the next step when you have provided the data subject with a response that is in a format that is easily accessible and understandable, and that any technical terminology used is explained.

Ensuring the Data is Accurate

  • Check that the data you are providing is accurate and up-to-date
  • Ensure that any data that is being withheld is properly marked and justified
  • Check that any data that is being provided is accurate and up-to-date
  • Check that the data is being provided in the correct format
  • Ensure that all the requested data is provided in a timely fashion

Once you have checked that the data is accurate and up-to-date, and that any data being withheld is properly marked and justified, you can move on to the next step.

How to Handle Complaints and Appeals

  • Establish the complaint process, including who is responsible for responding and handling appeals
  • Record the details of the complaint or appeal, including all relevant information
  • Assess the complaint or appeal and determine whether data subject access rights have been breached
  • Draft a response to the complaint or appeal, taking into account the applicable data protection laws
  • Review the response to ensure accuracy, consistency and compliance with the applicable data protection laws
  • Communicate the response to the data subject, ensuring that it is clear, concise and easy to understand
  • Monitor the complaint or appeal to ensure that it is adequately resolved

You’ll know you can check this step off your list and move on to the next when you have received a satisfactory response from the data subject.

Responding to Complaints

  • Contact the individual who made the complaint to acknowledge their complaint and discuss their concerns
  • Establish a timeline for responding to the complaint
  • Gather any relevant documents or evidence that could be used to respond to the complaint
  • Investigate the complaint and assess any potential breach of data protection rights
  • Decide if any action needs to be taken to remediate the complaint
  • Respond to the complaint in writing, outlining any action taken and the outcome of the investigation
  • Keep a record of the complaint and the response
  • Check off this step when you have responded to the complaint and all necessary action has been taken.

Making Appeals

  • Determine who should handle appeals: Depending on the size of your organization, it may be useful to assign an individual or team to handle appeals.
  • Understand the appeals process: Familiarize yourself with the appeals process, including the timeline for responding to appeals and the criteria for overturning a decision.
  • Document appeals: Create a system to properly document appeals and their outcomes, to ensure the appeals process is transparent and accountable.
  • Respond to appeals quickly: Respond to appeals within the required timeline, and address each appeal on its own merits.
  • Make an informed decision: Ensure you have all the necessary information to make an informed decision on the appeal before deciding the outcome.
  • Notify the data subject: Once you have reached a decision on the appeal, notify the data subject of your decision.

You’ll know you can check this off your list and move on to the next step when you have responded to all appeals and notified the data subject of the outcome.

Ensuring Compliance With Data Protection Regulations

  • Understand the Data Protection Regulations and how they apply to the data subject access request
  • Make sure all personal data is compliant with the regulations and GDPR
  • Ensure all data processes are documented and fully transparent
  • Monitor any changes to the data protection regulations and update processes accordingly
  • Review the request for access and any additional information needed to comply with the regulations
  • Respond to the request in a timely manner with the required information

Once you have reviewed the request, have ensured all personal data is compliant with the regulations and GDPR, and have responded with the required information, you can check this step off your list and move on to the next step.

Compliance Standards

  • Become familiar with the current UK data protection legislation.
  • Understand the rights of the data subjects under the current legislation.
  • Put in place the necessary policies and procedures to ensure compliance with the regulations.
  • Ensure that all staff members understand and adhere to the policies and procedures.
  • Develop processes to ensure that data subjects are informed of their rights.
  • Monitor, review, and update the policies and procedures regularly.

You’ll know that you can check this off your list and move on to the next step when you have familiarised yourself with the current UK data protection legislation, have put in place the necessary policies and procedures to ensure compliance, have ensured that all staff members understand and adhere to the policies and procedures, have developed processes to ensure that data subjects are informed of their rights, and have monitored, reviewed, and updated the policies and procedures regularly.

Documenting Compliance

  • Document the methods used to verify the identity of the data subject making the request
  • Record the information that you have disclosed in response to the request
  • Put in place procedures to enable the data subject to exercise their right to rectification
  • Document any instances where you have refused a request, and the reasons why
  • Ensure that records are kept up to date and accurate
  • Make sure that any changes to personal data records are logged
  • When the request has been completed, document the process and the outcome
  • When complete, sign off on the request
  • Ensure that records are securely stored and only accessible to those with a legitimate need to view them
  • Update your policies and procedures as needed to better reflect your approach to data subject access requests
  • Monitor and audit your data subject access request process to ensure that it is followed and updated as needed

When you have completed the above steps you can check off documenting compliance and move on to the next step: monitoring compliance.

Monitoring Compliance

  • Monitor and review the data subject access request process to ensure it is compliant with the GDPR.
  • Track and document data subject access requests to ensure that they are responded to in a timely manner and that appropriate access is provided.
  • Check that data subject access requests have been responded to by the appropriate individual and within the required timeframe.
  • Ensure that the data subject can exercise their rights in an effective manner.
  • Monitor the effectiveness of the data subject access request process, and make changes as necessary to ensure compliance with the GDPR.

How you’ll know when you can check this off your list and move on to the next step:

  • When you have reviewed the data subject access request process, tracked and documented data subject access requests, and ensured that the data subject can exercise their rights in an effective manner, you can move on to the next step.

FAQ

Q: How does data subject access request (UK) differ from other jurisdictions?

Asked by Dominique on 19th April 2022.
A: A data subject access request (UK) is a legal right granted to UK citizens that gives them the right to access, view and receive copies of the personal data that an organisation holds about them. It is similar in nature to rights in other jurisdictions, such as the USA’s Freedom of Information Act and the EU’s General Data Protection Regulation, but there are some key differences. For example, the UK’s Data Protection Act 2018 requires organisations to respond to a subject access request within one month, while the GDPR allows organisations up to two months. Additionally, the UK’s Act specifies that organisations must provide copies of personal data free of charge, while GDPR allows organisations to charge a ‘reasonable fee’ for responding to a subject access request.

Q: What is the scope of data subject access requests (UK)?

Asked by Makenzie on 8th August 2022.
A: The scope of data subject access requests (UK) is wide-reaching and covers all types of personal information held by an organisation about an individual. This includes information such as name and address details, employment records, medical history, financial records and any other information that can be used to identify an individual. It is worth noting that this includes both active data (data that is currently held) as well as archived or deleted data. Organisations must provide copies of all personal information they hold upon request, regardless of whether it is active or archived.

Q: What are the legal requirements for responding to a data subject access request (UK)?

Asked by Isaiah on 10th October 2022.
A: UK organisations have binding legal obligations when responding to a Data Subject Access Request. Under the UK Data Protection Act 2018, organisations must provide copies of all personal data they hold upon request within one month of receipt of the request. Furthermore, they must provide this data free of charge and in an easily accessible format. Organisations should also be aware that they may be required to delete any confidential or sensitive information from their records upon request from a data subject.

Q: What responsibilities do organisations have when dealing with data subject access requests (UK)?

Asked by Alicia on 2nd February 2022.
A: Under UK law, organisations have a number of responsibilities when dealing with data subject access requests (UK). Firstly, they must ensure that they have adequate systems in place for responding to requests in a timely manner – as per the Data Protection Act 2018, organisations must respond within one month of receipt of the request. Secondly, organisations must ensure that they are able to provide copies of all personal information held upon request, regardless of whether this is active or archived data – this includes confidential and sensitive information such as medical records or financial details. Finally, organisations must ensure that they provide all requested information in an easily accessible format and free of charge.

Q: How can businesses protect themselves when responding to data subject access requests (UK)?

Asked by Juan on 21st December 2022.
A: When responding to a data subject access request (UK), businesses should take steps to protect themselves from any potential legal action or financial liability by ensuring that they are compliant with relevant laws and regulations. This means having robust systems in place for responding to such requests within one month of receipt – as per the Data Protection Act 2018 – and providing copies of all requested personal data free of charge and in an easily accessible format. Additionally, businesses should consider engaging external legal advice if necessary in order to ensure that their response is both compliant with relevant laws and meets the needs of the individual making the request.

Q: Are there any exceptions which apply when responding to a data subject access request (UK)?

Asked by Dean on 4th June 2022.
A: Yes, there are some exceptions which apply when responding to a Data Subject Access Request (UK). For example, under certain circumstances organisations may be permitted to delay or refuse a response if there are legitimate grounds for doing so – such as if providing requested information would prejudice national security or reveal confidential commercial information – although this will depend on the specific circumstances surrounding each case. Furthermore, organisations may also be permitted to redact certain confidential or sensitive information from their response if required – although again this will depend on the specific circumstances surrounding each case.

Q: How can an organisation determine whether it needs a data subject access request (UK)?

Asked by Emily on 25th November 2022.
A: In order to determine whether an organisation needs a data subject access request (UK), it first needs to assess whether it holds any personal information about individuals within its systems or databases - this includes both active and archived/deleted records - and if so what type(s) of personal information it holds. If it is determined that personal information is held then it is important that steps are taken to ensure compliance with relevant laws and regulations regarding its collection, storage and handling - including responding appropriately to any incoming Data Subject Access Requests within one month as per the requirements set out in the UK Data Protection Act 2018.

Example dispute

Suing Companies for Not Responding to Data Subject Access Requests

  • A plaintiff could raise a lawsuit against a company for not responding to a data subject access request in a timely manner or for not providing the requested information.
  • The plaintiff would need to prove that the company failed to comply with the requirements of the applicable regulations, such as the GDPR, or that the company failed to comply with its own stated data protection policies.
  • The plaintiff could seek a court order requiring the company to provide the requested information or to provide compensation for any damages caused by the company’s failure to comply.
  • Settlement could be reached through an agreed-upon payment or the provision of the requested information.
  • If damages are to be awarded, they can be calculated based on the value of the data requested, the duration of the delay, and the expense of obtaining the data elsewhere.

Templates available (free to use)

Controllers Detailed Response Letter Dpa Data Subject Access Request
Controllers Request For Additional Information In Response To Data Subject Access Request Uk Eu Gdpr
Controllers Response To Data Subject Access Request Uk Eu Gdpr
Data Subject Access Request Letter Dpa 1998
Dpa Controllers Acknowledgement Letter Data Subject Access Request
Dpa Data Subject Access Request 3Rd Party Request On Behalf Of Subject
Dpa Data Subject Access Request Form
Employers Acknowledgement Letter Dpa Data Subject Access Request
Employers Detailed Response Letter Dpa Data Subject Access Request
Employers Detailed Response To Employees Data Subject Access Request Uk Eu Gdpr
Letter Acknowledging Data Subject Access Request Uk Eu Gdpr
