FREE CHAPTER from ‘A Practical Guide to Managing GDPR Subject Access Requests’ by Patrick O’Kane


A Data Subject Access Request (which I will refer to as an ‘Access Request’ throughout the book for ease of reference) is a right to access personal data under Article 15 of the EU General Data Protection Regulation (GDPR).1

Individuals have a right to obtain a copy of their personal data as well as other supplementary information. It helps people understand how your company is using their data and whether you are doing so lawfully.

For example, Clare has an argument with her solicitor about the fees she was charged for her conveyance. She believes her solicitor has overcharged her for the work performed. She sends her solicitor an email asking to see copies of all the personal information that the solicitor holds about her. Clare has made an Access Request.

We discuss these concepts in more detail within the book.

Access Requests only entitle individuals to see their personal data. Individuals do not have a right to see non-personal data under the Right of Access.

What is GDPR?

The General Data Protection Regulation (GDPR) is an EU Regulation which regulates the processing of personal data. The GDPR applies to companies processing personal data if those companies are either:

  1. In the EU or

  2. Outside the EU but:

    1. offering goods or services to individuals in the EU or

    2. monitoring the behaviour of those individuals in the EU (for example, by tracking their online behaviour).2

Both Processors and Controllers (see below) are caught by GDPR if they fall into 1. or 2. Above.

GDPR grants individuals in the EU a number of Rights including the Right to Access, Erase and even Rectify their personal data.

What is personal data?

The right to access relates to “personal data”.

Article 4(1) of GDPR states that ‘personal data’ means:

  • any information

  • relating to an identified or identifiable natural person (‘data subject’).

What is an identifiable person?

Personal data is information that relates to an identified or identifiable natural person.3You could identify someone from their name or ID number or you could perhaps identify them from something like their phone number or their computer IP address.

Sometimes, we can identify someone directly from the personal data, for example, from their full name.

On other occasions, we may not be able to identify the person directly from the data on its own. However we may be able to identify the person from the data by linking it to other data or through making further enquiries.

For example, we might have an email in which an employee ID number is mentioned. On its own, the ID number does not reveal anything. However, when enquiries are made it transpires that the employee number belongs to Sharon, a Doctor with London Medical . The ID number is therefore Sharon’s personal data. We could not identify Sharon directly from the ID number on its own, but we could identify her indirectly (i.e. after making further enquiries). Therefore, the ID number is personal data.

What kind of information can be personal data?

Personal data can come in a variety of forms. Remember, personal data is:

  • any information

  • relating to an identified or identifiable natural person (‘data subject’).

For example, David works as a manager at Silver Bank. He has been there for 15 years. Silver hold a lot of David’s personal data including:

  1. His name and address

  2. Location data relating to David

  3. Information about his performance at work

  4. Opinions about David expressed by his colleagues in emails

  5. David’s sickness record

  6. CCTV footage of David entering and leaving the building

  7. Call records of conversations David had with Human Resources

  8. Details of David’s browsing history at work

All of these things at A.- H. are David’s personal data because they:

  • Are data or information and

  • They relate to David.

Wide interpretation of personal data

The GDPR definition of personal data is very wide. Virtually any data that relates to an individual is likely to be their personal data.

What is a data subject?

The human being to whom the personal data relates and the person who has the right to make the Access Request.

What is a Controller?

A Controller is a company that ‘determines the purposes and means of the processing of personal data’.4 In other words, they decide how and why the person’s personal data is processed.5 If your company is a Controller, then they must comply with the Access Requests they receive from their employees, customers and anyone on whom they hold personal data.

What are Joint Controllers?

Joint Controllers are ‘two or more controllers jointly determining the purposes and means of the processing’.6 For example, two law firms working together on behalf of the same client on the same case.

What is a Processor?

Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.7

Many companies use third parties to help them carry out their business operations, for example, IT support businesses, couriers, payroll services, waste disposal etc.

If a company is hired by another company to help it with its operations, then that company may be a Processor. Processors must do what they are told with the personal data they receive from the Controller.

Processors must be careful not to step outside their instructions from the Controller. If they do , they may become a Controller.8

For example, Bling Car Sales use E-Z Payroll to process their employee payroll data. Bling is a Controller for Bling’s ’s employee personal data and E-Z is a Processor in respect of Bling’s employee personal data.

Do all companies caught by GDPR need to comply with Access Requests?

No. Controllers must comply with Access Requests. Controllers are the companies that bear the ultimate legal responsibility for the data processing under GDPR.

Can Processors ignore DSAR requests?

No. Processors may have responsibilities under their contract with the Controller to assist the Controller with Access Requests they receive. For example, the Processor might be storing or holding the individual’s data on the Controller’s behalf. The Controller may need assistance from the Processor in locating that data so the Controller can send it to the individual.9

For example, as we said above, Bling Car Sales use E-Z Payroll to process their employee payroll data. Bling is a Controller for the firm’s employee data and E-Z is a Processor. Bling receive an Access Request from Jim, a trainee Sales Manager at Bling. Jim wants access to all of his personal data. Some of Jim’s data is held by E-Z. Bling reach out to E-Z to ask them for a copy of the payroll data. They add that to the other data they hold on Jim and they send it on to Jim.

What does ‘processing’ personal data mean?

Processing means “any operation or set of operations which is performed on personal data”.10 Doing anything with personal data including deleting it or storing it falls under the definition of processing.

What are the special categories of personal data?

There are certain categories of personal data that require extra protection under GDPR. These categories of personal data are known as the special categories of personal data. They are sometimes referred to as ‘sensitive personal data’.

The special categories are personal data ‘relating to revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation’.11

The more sensitive the data, the more it is incumbent on the Controller to put appropriate security in place around the personal data.12

The potential consequences of failing to comply with GDPR Access Request obligations

There are three potential consequences:

  • A Regulatory Sanction – Breach of the rules on Access Requests can lead to a fine. The maximum fine under GDPR is up to 20 million EUR or 4% of total worldwide annual turnover, whichever is higher, although fines levied by Regulators must be ‘proportionate’.13 Failing to comply with Access Requests may not mean that your company is fined but it may encourage a Regulator to investigate your company or even issue another regulatory sanction such as an Enforcement Notice.14 In 2019/2020, 46% of the complaints received by the Information Commissioner’s Office related to Access Requests.15

  • Legal action – Any person who suffers damage as a result of a breach of any of their GDPR rights can sue the Controller or Processor for compensation.16 In other words, they can sue if their Data Subject Access Request is ignored or not fully complied with.

If a person’s Access Rights are not upheld then the person can:

  • Apply to court for an order forcing the Controller to comply with the Access Request and/or

  • Sue for compensation for breach of the person’s subject access rights.

  • Criminal OffenceIn some cases, failing to comply with the law on Access Requests can be a criminal offence. It is a criminal offence to alter, deface, block, erase, destroy or conceal information with the intention of preventing disclosure of all or part of the information that the person making the Access Request would have been entitled to receive.17

What is the Data Protection Act 2018?

The Data Protection Act 2018 (DPA 2018) is a UK Law which supplements and amplifies GDPR in the UK in a number of areas including in the area of Access Requests. GDPR allows national laws to include some exemptions or exceptions to GDPR. The DPA 2018 implements some of those exemptions including in the area of Access Requests. These exemptions are discussed in more detail in Chapter 11.

We need to talk about Brexit

The UK left the European Union on 31 January 2020. The UK then entered a transition period with the European Union until 31 December 2020. The DPA 201818 supplements GDPR during that period. After the end of the transition period, GDPR will form part of the UK domestic law under the European Union (Withdrawal) Act 2018. The DPA 2018 will continue to facilitate the application of GDPR standards in the UK after that point.


1GDPR – Article 15(1)–(4)

2GDPR – Article 3

3GDPR – Article 4(1)

4GDPR – Article 4(7)

5GDPR – Article 4(7)

6GDPR – Article 26(1)

7GDPR – Article 4(8)

8GDPR – Article 4(8)

9GDPR – Article 28(3)(e)

10GDPR – Article 4(2)

11GDPR – Article 9(1)

12GDPR – Article 32

13GDPR – Article 83(5)

14Data Protection Act 2018 – s149-153

15ICO Annual Report 2019/2020

16GDPR Article 82(1)

17Data Protection Act 2018 – s173.

18Data Protection Act 2018