UK GDPR

This page explains, in plain English, how UK GDPR relates to Subject Access Requests and how GetMySAR helps users make those requests.

It should be read alongside our Privacy Policy, Data Protection page and Your Rights.

UK GDPR is the UK's main data protection framework for the handling of personal data. It works alongside the Data Protection Act 2018.

It gives people certain rights over their personal data and places obligations on organisations that collect and use that data.

One of those rights is the right to ask an organisation for a copy of the personal data it holds about you. This is commonly called a Subject Access Request, or SAR.

A Subject Access Request is a request made by an individual, or by someone authorised to act for them, asking an organisation for access to personal data it holds about them.

A SAR can be used to ask for copies of personal data, information about how that data is being used, and related details required by data protection law.

The organisation receiving the SAR is usually responsible for deciding how to respond and for complying with UK GDPR.

GetMySAR helps users prepare and submit Subject Access Requests to organisations in the UK.

Our role includes:

• helping users complete the SAR form;
• sending the request to the target organisation;
• sending supporting documents where provided; and
• following up with organisations about the request.

The organisation's substantive SAR response goes directly to the user or data subject. GetMySAR does not receive or store the organisation's actual SAR response.

Under UK GDPR, organisations usually have one calendar month to respond to a valid Subject Access Request.

In general, the time limit begins when the organisation has received the request and, where reasonably required, enough information to confirm the requester's identity or clarify the request.

The exact timing can depend on the circumstances, but the one-month period is the general rule most people will hear about.

An organisation may ask for information or documents to confirm the identity of the person making the request, especially where sensitive personal data is involved or where someone is acting on another person's behalf.

This may include proof of identity or proof of authority to act for someone else.

Requests for ID should be reasonable and proportionate to the circumstances.

In some cases, an organisation may be allowed extra time to respond. For example, a request may be complex or involve a large amount of information.

An organisation may also refuse a request, or refuse part of it, in certain limited circumstances permitted by law.

For example, a request may be considered manifestly unfounded or excessive, or some information may be exempt from disclosure.

If an organisation refuses a request, it should usually explain why and tell the requester about their right to complain.

If an organisation does not respond within the expected timeframe, the first step is usually to follow up with that organisation and ask for an update.

GetMySAR may help with follow-up reminders as part of the service.

If the issue is not resolved, the requester may wish to consider making a complaint to the Information Commissioner's Office (ICO).

ICO guidance and complaints information can be found here: https://ico.org.uk/make-a-complaint/

• UK GDPR rights apply in different ways depending on the organisation and the circumstances.
• The target organisation is responsible for its own compliance with UK GDPR and the Data Protection Act 2018.
• GetMySAR helps users make and follow up Subject Access Requests, but does not decide how the target organisation responds.
• The organisation receiving the request may ask for more information if it reasonably needs it to identify the person or locate the data.

For more information about how GetMySAR handles personal data, please see our Privacy Policy and Data Protection page.

You can also read more about your data protection rights on our Your Rights page.