Request & Update your information

Data Subject Access Request (DSAR)

1. Overview

Under EU and UK law, individuals have the right to know what personal data an organisation processes about them and how it is used. You can exercise this right, and ask us to review and update your data, by submitting a request below.

Update information

The rules for DSARs are set out in the GDPR (General Data Protection Regulation), and they have been carried over into UK data protection law with only a few exemptions, which are detailed in Section 45(4) of the DPA (Data Protection Act) 2018.

DSARs as a concept were not created by the GDPR, but the legislation standardised several processes that make it easier for individuals to submit requests and place a greater burden on organisations to complete them.

2. What are data subject access requests?

DSARs are the result of the GDPR’s right of access – one of eight data subject rights enshrined in the Regulation.

The right to be informed (Article 13 and Article 14)

We need to tell our customers:

  • What personal data we collect from them;
  • How we are using it (or will be using it);
  • How long we are keeping it for; and
  • Various other information.

Most data controllers choose to communicate this information via a privacy notice (but this isn’t the only way to facilitate this right).

The right of access (Article 15)

Data subjects may request a copy of the personal data we are processing about them, as well as the information we must also share under Articles 13 and 14 (the right to be informed).

This includes:

  • The purpose(s) of processing;
  • The categories of personal data;
  • The recipients of the personal data;
  • Whether automated decision-making is taking place, its significance, and envisaged consequences for the data subject; and
  • Whether we’re transferring the data internationally, and if so, what safeguards are in place.

We must also inform data subjects of their other GDPR rights. That includes the right to lodge a complaint with the supervisory authority. In the UK, that’s the ICO (Information Commissioner’s Office).

When a data subject exercises their right of access, we usually refer to this as a DSAR (data subject access request). But they’re not obliged to use that (or any other) specific phrase for their request to be valid.

When someone exercises this right, we must respond within one month.

The right to rectification (Article 16)

One of the key GDPR principles (Article 5(1)(d)) is ‘accuracy’.

Related to that principle is the ‘right to rectification’. If exercised – meaning that a data subject alerts us to incorrect personal data about them – we (the data controller) must correct it.

The right to rectification also means that if a data subject points out that, within the purposes of the processing, the data about them is incomplete, we must complete it.

When someone exercises this right, we have one month to make the corrections (if applicable) and respond to the data subject.

When an individual submits a data subject access request (or SAR, as it was known under the Data Protection Act 1998), AB PLUS must provide them with a copy of the relevant information we hold about them.

The right to erasure (Article 17)

The right to erasure is also known as the ‘right to be forgotten’. It obliges us to erase someone’s data if they ask us to, where any of the following applies:

  • The processing was unlawful to begin with.
  • The data subject has withdrawn their consent (and we have no other lawful basis for the processing).
  • We need to erase the data to comply with a legal obligation.
  • We no longer need the personal data for the purpose(s) for which we collected it.
  • We collected the data to offer information society services directly to a child.
  • The data subject can legitimately object to the processing (see ‘the right to object’ below).

This right isn’t absolute: we don’t need to delete the data if, for example, we still need it to comply with a legal obligation, or for reasons of public interest or archiving purposes.

If we receive a request to be forgotten, we must respond within one month – either having actioned the request, or explaining why we need to keep (some of) the data.

The right to restrict processing (Article 18)

If a data subject exercises this right, we may continue to store their data but must not otherwise use it. (The restriction normally only applies for a limited time.)

Someone may exercise this right because:

  • They’re contesting the accuracy of the personal data;
  • The processing is unlawful, but the subject doesn’t want their data destroyed;
  • They’re challenging whether our legitimate grounds for processing override their interests; or
  • We don’t need the personal data anymore, but the subject needs it to establish, exercise or defend a legal claim.

Again, if exercised, we must respond within one month.

The right to data portability (Article 20)

This right allows people to obtain their data from us in a “structured, commonly used and machine-readable format”, so they can easily reuse their data for other purposes.

Someone will typically exercise this right when they’re changing providers – for their mobile phone contract, for example. That said, this right may be exercised in any circumstances where the data subject wants to have their personal data transferred to a different controller.

Data subjects can only exercise this right where:

  • They provided their data under the lawful basis of consent or contract; and
  • The processing is carried out by “automated means”.

The data subject may also ask us to transmit the data directly to another controller, where this is “technically feasible” (Article 20(2)).

The right to object (Article 21)

Article 21(1) of the GDPR says:

“The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1) [to perform a task in the public interest or for a legitimate interest], including profiling based on those provisions.

The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.”

Article 21(2) also specifies that data subjects can object to their data being used for direct marketing purposes “at any time” – meaning that this is an absolute right.

Where someone objects to a processing activity, and we can’t demonstrate compelling grounds for overriding that objection, we must stop that processing (but we may keep the data if we’re using it for a different, lawful activity).

Whether or not we comply with a data subject exercising their right to object, we must inform them of our decision within one month of receiving the objection.

Rights related to automated decision-making, including profiling (Article 22)

People have the right not to be subject to automated decision-making with legal or similarly significant consequences for them, unless:

  • We need to conduct the processing to enter into or perform a contract with the data subject;
  • We’re required or authorised by law to conduct the processing; or
  • The data subject has explicitly consented to the processing.

Where we may proceed with the processing, we must:

  • Inform the data subject about the processing;
  • Enable them to easily request human intervention or challenge a decision; and
  • Regularly review our systems to make sure they’re working as intended.

3. What is included in a data subject access request?

A request might refer to specific personal details, or to specific processes for which AB PLUS uses that information. In these cases, we only need to provide the relevant information.

However, a customer may ask to see a complete list of the personal data that AB PLUS holds on their customer profile.

This is more involved, because it’s not merely a case of pulling up everything we store about that person.

If we did that, we’d end up with large volumes of information that isn’t the requester’s personal data – such as internal memos about the handling of the data subject’s files – which doesn’t need to be shared.

Our first tasks, therefore, are to determine which information related to the individual is personal data under the GDPR’s definition, and whether it falls within the scope of what they requested.

This information must be provided alongside other supplementary material, such as the relevant details given in our privacy notice.

4. Can information be redacted?

Although the GDPR promotes transparency, AB PLUS can and, where relevant, should redact anything that’s not within the scope of the DSAR.

For example, we might have documents that include the individual’s personal data alongside other people’s personal details.

In these circumstances, we are required to redact all personal data that isn’t about the person making the request, because disclosing it would be a personal data breach.

Likewise, we might have records where the individual’s personal data is stored alongside sensitive company data. We are within our rights to redact that information.

5. Data subject access request flowchart

We follow the steps below when responding to a data subject access request. Our infographic is a handy guide to the DSAR response process:

[Infographic: DSAR_flowchart_EU_May_23]

6. Do customers have to give a reason for a DSAR?

Customers don’t need to state why they are submitting a DSAR. The only questions an organisation may ask when a DSAR is submitted concern verifying the individual’s identity or helping them locate the requested information.

7. Does a request have to be in writing?

You can make a request by submitting the Update information form, by emailing info@ab-money.co.uk, or by calling 0203 355 9660 and speaking with a member of staff.

It’s also worth noting that individuals aren’t required to use the technical term for a request (‘DSAR’ or ‘data subject access request’).

Simply say that you would like to see a copy of the information AB PLUS holds about you.

Requests are most likely to be submitted in writing, as it’s the most convenient method.

It gives both you and us a record of the request, the date it was made and other relevant information, such as the specific personal information you want a copy of and the format in which it should be delivered (for example, by email).

8. Can you submit a DSAR on behalf of someone else?

Yes, you can authorise someone else to make a request on your behalf. This is most likely to happen when:

  • Someone with parental responsibility asks for information about a child;
  • A court-appointed individual is managing someone else’s affairs;
  • A solicitor is acting on their client’s instructions; and
  • The data subject requests help from a relative or friend.

Our compliance team must be satisfied that the person making the request really is doing so on behalf of the data subject.

As such, we are entitled to request supporting evidence, such as written authorisation from the data subject or a more general power of attorney.

9. How long does AB PLUS have to respond to a DSAR?

There is a subject access request time limit. DSARs must be fulfilled “without undue delay”, and at the latest within one month of receipt.

Where requests are complex or numerous, we are permitted to extend the deadline by a further two months (to three months in total). However, we must still respond within the first month to tell you about the extension and explain why it is necessary.

10. Who is responsible for responding to a subject access request?

Our support team will generally be responsible for fulfilling your DSAR.

Our compliance team will oversee the process and ensure that it is completed in line with the GDPR’s requirements.

11. How much can be charged for a subject access request?

Under the GDPR’s predecessor, the DPA (Data Protection Act) 1998, organisations could charge a fee for fulfilling a DSAR, but that’s no longer the case in most instances.

AB PLUS does not charge a fee for fulfilling a DSAR for our customers.

12. What’s the difference between a freedom of information request and a DSAR?

DSARs might sound a lot like freedom of information (FOI) requests, but in practice they are very different.

Whereas DSARs grant individuals access to copies of their own personal data, FOI requests are specific to the UK and relate to recorded information held in the public sector.

This generally means government departments, local councils and regulators, such as the Financial Conduct Authority.

Additionally, personal data is not covered by the FOI Act, and there are no restrictions on who can make an FOI request.

13. The process for handling a DSAR

Like many aspects of the GDPR, access requests have a formal name that AB PLUS must be aware of for compliance purposes, but that doesn’t mean you need to know the terminology.

As the ICO (Information Commissioner’s Office), the UK’s data protection supervisory authority, notes, there’s no specific process for making a request, so someone could simply say “I’d like to see what data you have on me”, and that would be considered a legitimate request.

Therefore, the support team (or anyone else in AB PLUS) who may receive such a request must know what to look out for and who to pass the message on to.

Since time is of the essence when responding to a DSAR, we have established a DSAR process in advance, so that we can deal with such requests quickly.

Verify the identity

One of the first steps is to verify the identity of the requester, so that we can be sure we are disclosing personal data only to the person entitled to it, and determine whether we have all the information we need to fulfil the request.

Clarify what the request is

Following that, we find out a bit more about the request itself. Is it merely a request for access, or is the requester invoking other rights, such as rectification of the personal data being held?

Is the request valid?

We establish whether the request is valid and whether it can be completed within the one-month period. If not, we take further steps to extend the deadline and inform the requester.

Inspect the data

As we collect the data, we check whether it needs to be amended and whether we need to protect the personal information of any other data subjects.

Choose the format

Once we’ve collected all the data, we determine the most appropriate format in which to provide the information.

Add extra information

Lastly, before sending the information, we ensure the data subject knows their rights, including the right to lodge a complaint.

14. How to ensure data subject access request success

There are many steps we take to manage DSARs. Our first task is to follow a flowchart to make sure we respond promptly, thoroughly and in line with the GDPR’s requirements.

There are also ways to make our organisation more resilient to the challenges that come with responding to DSARs. For example, we implement measures addressing:

Staff training

Data subjects can, in theory, submit a DSAR whenever they’re communicating with a member of staff. We must, therefore, make sure that all relevant employees can recognise a request and know how to respond.

DSAR responsibilities

We appoint a person, or a team of people, who are familiar with the GDPR’s compliance requirements to take responsibility for responding to DSARs.

We also make sure multiple employees know how to complete a request, so that they can fill in during holidays or other absences.