{"id":2111,"date":"2022-11-28T07:00:55","date_gmt":"2022-11-28T07:00:55","guid":{"rendered":"https:\/\/ie.amtivo.com\/resources\/%resource%\/https-ceurope-submerge-digital-insights-how-handle-subject-access-request-sar\/"},"modified":"2025-04-24T11:25:41","modified_gmt":"2025-04-24T10:25:41","slug":"how-handle-subject-access-request-sar","status":"publish","type":"resources-filter","link":"https:\/\/amtivo.com\/ie\/resources\/insights\/how-handle-subject-access-request-sar\/","title":{"rendered":"How To Handle a Subject Access Request (SAR)"},"content":{"rendered":"<p><em>Under <\/em><a href=\"https:\/\/www.dataprotection.ie\/en\/individuals\/know-your-rights\/right-access-information\" target=\"_blank\" rel=\"noopener\"><em>GDPR guidance<\/em><\/a><em>, individuals are entitled to access their personal data stored by an organisation. These requests are known as <\/em><strong><em>Subject Access Requests (SAR)<\/em><\/strong><em> or <\/em><strong><em>Data Subject Access Requests (DSAR)<\/em><\/strong><em>. <\/em><\/p>\r\n<p>Many businesses and organisations will have customer information and data stored. Whether contact information, CCTV footage, location data or app profiles \u2212 an individual has the right to access anything you have stored that contains information about them.<\/p>\r\n<p>It can be challenging and time-consuming for companies to respond to SARs, but they must comply with GDPR.<\/p>\r\n<h2>What is a Subject Access Request?<\/h2>\r\n<p>A <strong>Subject Access Request<\/strong> (SAR) is a request made by an individual to access personal information an organisation may hold about them. It also includes information about how the data is used (processed) or stored. 
The individual has a right to know what the information is and how you use it, and you are required to provide them with all information as stated under <a href=\"https:\/\/www.dataprotection.ie\/en\/individuals\/know-your-rights\/right-access-information\" target=\"_blank\" rel=\"noopener\">Article 15 of GDPR<\/a>.<\/p>\r\n<p>The request may include the following:<\/p>\r\n<ul>\r\n\t<li>what data and information your organisation is holding and using<\/li>\r\n\t<li>where the data came from and how it was collected<\/li>\r\n\t<li>who the data will be shared with<\/li>\r\n\t<li>why it&#8217;s being processed<\/li>\r\n\t<li>how long the data will be kept<\/li>\r\n<\/ul>\r\n<p><a href=\"http:\/\/www.citizensinformation.ie\/en\/government_in_ireland\/data_protection\/rights_under_general_data_protection_regulation.html\" target=\"_blank\" rel=\"noopener\">Citizen&#8217;s Information<\/a> has further information on what individuals can access.<\/p>\r\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-8877\" src=\"https:\/\/amtivo.com\/ie\/wp-content\/uploads\/sites\/11\/2024\/07\/how-to-deal-with-a-subject-access-request.jpg\" alt=\"How to deal with a Subject Access Request\" width=\"1280\" height=\"853\" srcset=\"https:\/\/amtivo.com\/ie\/wp-content\/uploads\/sites\/11\/2024\/07\/how-to-deal-with-a-subject-access-request.jpg 1280w, https:\/\/amtivo.com\/ie\/wp-content\/uploads\/sites\/11\/2024\/07\/how-to-deal-with-a-subject-access-request-300x200.jpg 300w, https:\/\/amtivo.com\/ie\/wp-content\/uploads\/sites\/11\/2024\/07\/how-to-deal-with-a-subject-access-request-1024x682.jpg 1024w, https:\/\/amtivo.com\/ie\/wp-content\/uploads\/sites\/11\/2024\/07\/how-to-deal-with-a-subject-access-request-768x512.jpg 768w, https:\/\/amtivo.com\/ie\/wp-content\/uploads\/sites\/11\/2024\/07\/how-to-deal-with-a-subject-access-request-120x80.jpg 120w, 
https:\/\/amtivo.com\/ie\/wp-content\/uploads\/sites\/11\/2024\/07\/how-to-deal-with-a-subject-access-request-600x400.jpg 600w\" sizes=\"auto, (max-width: 1280px) 100vw, 1280px\" \/><\/p>\r\n<h2>Why it&#8217;s important to get a SAR right<\/h2>\r\n<p>Dealing with a SAR can be complicated, time-consuming and costly.<\/p>\r\n<p>Due to legal time limits determining when you need to respond, you&#8217;re also under pressure to quickly and thoroughly search for all examples of an individual&#8217;s personal data and information as per their request.<\/p>\r\n<p>This can include data held over various platforms and record-keeping systems, including within email correspondence and paper-based records such as medical, employee or application forms.<\/p>\r\n<p>This process can be costly in terms of money, time, or any resources needed to ensure your organisation&#8217;s response to the subject access request is in line with GDPR requirements.<\/p>\r\n<p>If the individual is unhappy with the response, they can complain to the <a href=\"https:\/\/www.dataprotection.ie\/\" target=\"_blank\" rel=\"noopener\">Data Protection Commissioner<\/a>.<\/p>\r\n<p>They may complain if your organisation takes too long to respond, if they&#8217;re not satisfied with what you&#8217;ve given them or if you refuse to respond.<\/p>\r\n<p>Failure to comply may result in a fine.<\/p>\r\n<h2>Time limits when dealing with a SAR<\/h2>\r\n<p>An organisation has <a href=\"https:\/\/www.dataprotection.ie\/sites\/default\/files\/uploads\/2019-10\/FAQ%20Guide%20to%20Data%20Subject%20Access%20Requests_Oct19.pdf\" target=\"_blank\" rel=\"noopener\">one month<\/a> from the date of the request to respond.<\/p>\r\n<p>In situations where the request is complex, the organisation can extend the response by another two months but must let the individual know about the extension and why within the first month of receiving their request.<\/p>\r\n<p>It pays to ensure that your data is secure and accessible to the 
business and data management is robust.<\/p>\r\n<p>To ensure that employee and customer data is stored securely in the first place, achieving <a href=\"\/ie\/iso-certification\/iso-27001\/\" rel=\"noopener\">ISO 27001 certification<\/a> can help improve your information security management system (ISMS).<\/p>\r\n<p>An ISMS allows your organisation to manage security risks and comply with relevant legislation, such as GDPR.<\/p>\r\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-8878\" src=\"https:\/\/amtivo.com\/ie\/wp-content\/uploads\/sites\/11\/2024\/07\/subject-access-request-GDPR.jpg\" alt=\"Subject Access Request GDPR\" width=\"1280\" height=\"853\" srcset=\"https:\/\/amtivo.com\/ie\/wp-content\/uploads\/sites\/11\/2024\/07\/subject-access-request-GDPR.jpg 1280w, https:\/\/amtivo.com\/ie\/wp-content\/uploads\/sites\/11\/2024\/07\/subject-access-request-GDPR-300x200.jpg 300w, https:\/\/amtivo.com\/ie\/wp-content\/uploads\/sites\/11\/2024\/07\/subject-access-request-GDPR-1024x682.jpg 1024w, https:\/\/amtivo.com\/ie\/wp-content\/uploads\/sites\/11\/2024\/07\/subject-access-request-GDPR-768x512.jpg 768w, https:\/\/amtivo.com\/ie\/wp-content\/uploads\/sites\/11\/2024\/07\/subject-access-request-GDPR-120x80.jpg 120w, https:\/\/amtivo.com\/ie\/wp-content\/uploads\/sites\/11\/2024\/07\/subject-access-request-GDPR-600x400.jpg 600w\" sizes=\"auto, (max-width: 1280px) 100vw, 1280px\" \/><\/p>\r\n<h2>How to deal with a Subject Access Request<\/h2>\r\n<p>With the correct procedures and systems in place, responding to a SAR can be fairly straightforward.<\/p>\r\n<p>Here&#8217;s how to respond to a SAR.<\/p>\r\n<h3>1. Appoint a data protection lead<\/h3>\r\n<p>Ensure there is an appointed person to act as the data protection lead and who is responsible for organising and collating data and responding to the applicant. 
Having one person deal with the request keeps the process streamlined and makes it easier to track a SAR&#8217;s progress.<\/p>\r\n<h3>2. Recognise and confirm receipt of the request<\/h3>\r\n<p>Under GDPR, there is <a href=\"https:\/\/www.dataprotection.ie\/sites\/default\/files\/uploads\/2019-10\/FAQ%20Guide%20to%20Data%20Subject%20Access%20Requests_Oct19.pdf\" target=\"_blank\" rel=\"noopener\">no set method<\/a> for making a subject access request. A SAR can even be made by simply sending a Tweet to an organisation.<\/p>\r\n<p>It may be verbal or written, but the organisation needs to recognise that the individual is making a request.<\/p>\r\n<p>Once it is identified, confirm to the individual that you have seen their request and will start processing it.<\/p>\r\n<h3>3. Check the applicant&#8217;s identity<\/h3>\r\n<p>Check the identity of the individual sending the SAR, and don&#8217;t leave it to the last minute.<\/p>\r\n<p>Ask for formal ID when necessary, or ask questions only they can answer, such as reference numbers or appointment details.<\/p>\r\n<h3>4. Check the validity of the request<\/h3>\r\n<p>If someone makes a subject access request on behalf of someone else, ensure they have permission from the individual to do so.<\/p>\r\n<p>Children over 12 years old can make their own SAR, but if their parent or guardian makes a request on their behalf, you must get permission from the child first.<\/p>\r\n<h3>5. Check what information they want<\/h3>\r\n<p>Ensure you understand what information and data the individual wants. This can mean asking the individual to provide more information to help you search for the required data.<\/p>\r\n<p>This clarification may help you save time by focusing on the exact data they&#8217;re requesting. 
The individual is not obligated to explain why they are making the SAR, but they can help narrow down and filter out what they need.<\/p>\r\n<p>If they refuse to clarify, you will still need to comply with their original request and fulfil it.<\/p>\r\n<h3>6. Search for the information<\/h3>\r\n<p>Your organisation is expected to conduct adequate searches of digital and hard copies of documents to find the individual&#8217;s data, and this includes archived files and paper-based records.<\/p>\r\n<p>This search may include looking through emails, CCTV footage, external hard drives and audio files.<\/p>\r\n<p>Keep searching until you feel you&#8217;ve exhausted all files and areas that may hold any information.<\/p>\r\n<h3>7. Check the information and redact as needed<\/h3>\r\n<p>Before handing over the individual&#8217;s data, check everything thoroughly to ensure you&#8217;re not giving them someone else\u2019s information.<\/p>\r\n<p>For example, if other people are mentioned in documents, such as within email correspondence, redact or black out names or information that doesn&#8217;t relate to the individual making the request.<\/p>\r\n<p>You can also copy and paste relevant information into a new document to avoid disclosing other people&#8217;s data.<\/p>\r\n<h3>8. Send the response securely<\/h3>\r\n<p>Once you&#8217;re happy with the data you&#8217;ve collected, being sure it doesn&#8217;t disclose more than is requested, send it to the individual as securely as possible.<\/p>\r\n<p>Check with them regarding how they want the information and in what format, especially if the data is sensitive.<\/p>\r\n<h3>9. 
Keep records of everything<\/h3>\r\n<p>Always keep a record of the following:<\/p>\r\n<ul>\r\n\t<li>the initial request<\/li>\r\n\t<li>the documents sent<\/li>\r\n\t<li>the source of information<\/li>\r\n\t<li>any decisions or exemptions made<\/li>\r\n\t<li>proof of response<\/li>\r\n<\/ul>\r\n<p>Keeping a trail of all the correspondence will help show your compliance. It can also be helpful if the individual is unhappy with the response and decides to complain to the <a href=\"https:\/\/www.dataprotection.ie\/\" target=\"_blank\" rel=\"noopener\">Data Protection Commissioner<\/a>.<\/p>\r\n<p>Unsure of what GDPR means for your organisation? Read our guide on <a href=\"\/ie\/resources\/insights\/who-is-responsible-for-demonstrating-compliance-gdpr\/\" rel=\"noopener\">how to demonstrate GDPR compliance<\/a> to help ensure your organisation is compliant.<\/p>","protected":false},"excerpt":{"rendered":"Learn about the procedures and systems you need to handle a Subject Access Request \u2013 and the benefits of ISO 27001.","protected":false},"author":24,"featured_media":2112,"template":"","resource":[35],"resource-tag":[149],"class_list":["post-2111","resources-filter","type-resources-filter","status-publish","has-post-thumbnail","hentry","resource-insights","resource-tag-cyber-essentials"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.3 (Yoast SEO v27.3) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>How To Handle a Subject Access Request (SAR) - Amtivo<\/title>\n<meta name=\"description\" content=\"Need to handle a subject access request? 
Learn about the steps for effective response and the benefits of ISO 27001 for GDPR compliance.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/amtivo.com\/ie\/resources\/insights\/how-handle-subject-access-request-sar\/\" \/>\n<meta property=\"og:locale\" content=\"en_GB\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"How To Handle a Subject Access Request (SAR)\" \/>\n<meta property=\"og:description\" content=\"Need to handle a subject access request? Learn about the steps for effective response and the benefits of ISO 27001 for GDPR compliance.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/amtivo.com\/ie\/resources\/insights\/how-handle-subject-access-request-sar\/\" \/>\n<meta property=\"og:site_name\" content=\"Amtivo Ireland\" \/>\n<meta property=\"article:modified_time\" content=\"2025-04-24T10:25:41+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/amtivo.com\/ie\/wp-content\/uploads\/sites\/11\/2024\/05\/Subject-access-request-guide-main-image.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1280\" \/>\n\t<meta property=\"og:image:height\" content=\"853\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/amtivo.com\/ie\/wp-content\/uploads\/sites\/11\/2025\/04\/testimonialImage-placeholder.jpg\" \/>\n<meta name=\"twitter:label1\" content=\"Estimated reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"6 minutes\" \/>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"How To Handle a Subject Access Request (SAR) - Amtivo","description":"Need to handle a subject access request? 
Learn about the steps for effective response and the benefits of ISO 27001 for GDPR compliance.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/amtivo.com\/ie\/resources\/insights\/how-handle-subject-access-request-sar\/","og_locale":"en_GB","og_type":"article","og_title":"How To Handle a Subject Access Request (SAR)","og_description":"Need to handle a subject access request? Learn about the steps for effective response and the benefits of ISO 27001 for GDPR compliance.","og_url":"https:\/\/amtivo.com\/ie\/resources\/insights\/how-handle-subject-access-request-sar\/","og_site_name":"Amtivo Ireland","article_modified_time":"2025-04-24T10:25:41+00:00","og_image":[{"width":1280,"height":853,"url":"https:\/\/amtivo.com\/ie\/wp-content\/uploads\/sites\/11\/2024\/05\/Subject-access-request-guide-main-image.jpg","type":"image\/jpeg"}],"twitter_card":"summary_large_image","twitter_image":"https:\/\/amtivo.com\/ie\/wp-content\/uploads\/sites\/11\/2025\/04\/testimonialImage-placeholder.jpg","twitter_misc":{"Estimated reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/amtivo.com\/ie\/resources\/insights\/how-handle-subject-access-request-sar\/#article","isPartOf":{"@id":"https:\/\/amtivo.com\/ie\/resources\/insights\/how-handle-subject-access-request-sar\/"},"author":{"name":"Julian Russell","@id":"https:\/\/amtivo.com\/ie\/#\/schema\/person\/2933ac821223894f855a462421886937"},"headline":"How To Handle a Subject Access Request 
(SAR)","datePublished":"2022-11-28T07:00:55+00:00","dateModified":"2025-04-24T10:25:41+00:00","mainEntityOfPage":{"@id":"https:\/\/amtivo.com\/ie\/resources\/insights\/how-handle-subject-access-request-sar\/"},"wordCount":1138,"publisher":{"@id":"https:\/\/amtivo.com\/ie\/#organization"},"image":{"@id":"https:\/\/amtivo.com\/ie\/resources\/insights\/how-handle-subject-access-request-sar\/#primaryimage"},"thumbnailUrl":"https:\/\/amtivo.com\/ie\/wp-content\/uploads\/sites\/11\/2024\/05\/Subject-access-request-guide-main-image.jpg","inLanguage":"en-GB"},{"@type":"WebPage","@id":"https:\/\/amtivo.com\/ie\/resources\/insights\/how-handle-subject-access-request-sar\/","url":"https:\/\/amtivo.com\/ie\/resources\/insights\/how-handle-subject-access-request-sar\/","name":"How To Handle a Subject Access Request (SAR) - Amtivo","isPartOf":{"@id":"https:\/\/amtivo.com\/ie\/#website"},"primaryImageOfPage":{"@id":"https:\/\/amtivo.com\/ie\/resources\/insights\/how-handle-subject-access-request-sar\/#primaryimage"},"image":{"@id":"https:\/\/amtivo.com\/ie\/resources\/insights\/how-handle-subject-access-request-sar\/#primaryimage"},"thumbnailUrl":"https:\/\/amtivo.com\/ie\/wp-content\/uploads\/sites\/11\/2024\/05\/Subject-access-request-guide-main-image.jpg","datePublished":"2022-11-28T07:00:55+00:00","dateModified":"2025-04-24T10:25:41+00:00","description":"Need to handle a subject access request? 
Learn about the steps for effective response and the benefits of ISO 27001 for GDPR compliance.","breadcrumb":{"@id":"https:\/\/amtivo.com\/ie\/resources\/insights\/how-handle-subject-access-request-sar\/#breadcrumb"},"inLanguage":"en-GB","potentialAction":[{"@type":"ReadAction","target":["https:\/\/amtivo.com\/ie\/resources\/insights\/how-handle-subject-access-request-sar\/"]}]},{"@type":"ImageObject","inLanguage":"en-GB","@id":"https:\/\/amtivo.com\/ie\/resources\/insights\/how-handle-subject-access-request-sar\/#primaryimage","url":"https:\/\/amtivo.com\/ie\/wp-content\/uploads\/sites\/11\/2024\/05\/Subject-access-request-guide-main-image.jpg","contentUrl":"https:\/\/amtivo.com\/ie\/wp-content\/uploads\/sites\/11\/2024\/05\/Subject-access-request-guide-main-image.jpg","width":1280,"height":853,"caption":"Subject-access-request-guide"},{"@type":"BreadcrumbList","@id":"https:\/\/amtivo.com\/ie\/resources\/insights\/how-handle-subject-access-request-sar\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/amtivo.com\/ie\/"},{"@type":"ListItem","position":2,"name":"Resources","item":"https:\/\/amtivo.com\/ie\/all-resources\/"},{"@type":"ListItem","position":3,"name":"Insights","item":"https:\/\/amtivo.com\/ie\/resources\/insights\/"},{"@type":"ListItem","position":4,"name":"How To Handle a Subject Access Request 
(SAR)"}]},{"@type":"WebSite","@id":"https:\/\/amtivo.com\/ie\/#website","url":"https:\/\/amtivo.com\/ie\/","name":"Amtivo","description":"","publisher":{"@id":"https:\/\/amtivo.com\/ie\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/amtivo.com\/ie\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-GB"},{"@type":"Organization","@id":"https:\/\/amtivo.com\/ie\/#organization","name":"Amtivo","url":"https:\/\/amtivo.com\/ie\/","logo":{"@type":"ImageObject","inLanguage":"en-GB","@id":"https:\/\/amtivo.com\/ie\/#\/schema\/logo\/image\/","url":"https:\/\/amtivo.com\/ie\/wp-content\/uploads\/sites\/11\/2025\/06\/amtivo-logo-new.png","contentUrl":"https:\/\/amtivo.com\/ie\/wp-content\/uploads\/sites\/11\/2025\/06\/amtivo-logo-new.png","width":400,"height":331,"caption":"Amtivo"},"image":{"@id":"https:\/\/amtivo.com\/ie\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/amtivo.com\/ie\/#\/schema\/person\/2933ac821223894f855a462421886937","name":"Julian Russell","image":{"@type":"ImageObject","inLanguage":"en-GB","@id":"https:\/\/amtivo.com\/us\/wp-content\/uploads\/sites\/18\/2025\/03\/julian-russell_avatar-96x96.jpg","url":"https:\/\/amtivo.com\/us\/wp-content\/uploads\/sites\/18\/2025\/03\/julian-russell_avatar-96x96.jpg","contentUrl":"https:\/\/amtivo.com\/us\/wp-content\/uploads\/sites\/18\/2025\/03\/julian-russell_avatar-96x96.jpg","caption":"Julian 
Russell"},"sameAs":["https:\/\/www.linkedin.com\/in\/juliandrussell\/?miniProfileUrn=urn3Ali3Afs_miniProfile3AACoAAALhzNsB8Wn7AqeQBGa8OxBIrtgXH_ceOB0&skipRedirect=true&miniProfileUrn=urnlifs_miniProfileACoAAALhzNsB8Wn7AqeQBGa8OxBIrtgXH_ceOB0"],"url":"https:\/\/amtivo.com\/ie\/technical-expert\/julian\/"}]}},"_links":{"self":[{"href":"https:\/\/amtivo.com\/ie\/wp-json\/wp\/v2\/resources-filter\/2111","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/amtivo.com\/ie\/wp-json\/wp\/v2\/resources-filter"}],"about":[{"href":"https:\/\/amtivo.com\/ie\/wp-json\/wp\/v2\/types\/resources-filter"}],"author":[{"embeddable":true,"href":"https:\/\/amtivo.com\/ie\/wp-json\/wp\/v2\/users\/24"}],"version-history":[{"count":0,"href":"https:\/\/amtivo.com\/ie\/wp-json\/wp\/v2\/resources-filter\/2111\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/amtivo.com\/ie\/wp-json\/wp\/v2\/media\/2112"}],"wp:attachment":[{"href":"https:\/\/amtivo.com\/ie\/wp-json\/wp\/v2\/media?parent=2111"}],"wp:term":[{"taxonomy":"resource","embeddable":true,"href":"https:\/\/amtivo.com\/ie\/wp-json\/wp\/v2\/resource?post=2111"},{"taxonomy":"resource-tag","embeddable":true,"href":"https:\/\/amtivo.com\/ie\/wp-json\/wp\/v2\/resource-tag?post=2111"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}