How to handle a Subject Access Request under EU GDPR
A Subject Access Request (SAR) is a formal request from an individual for a copy of all personal data a controller holds about them. Under Article 15 of EU GDPR, you must usually respond within one calendar month. Failure to respond is one of the most complained-about issues across all EU national data protection authorities, and it attracts consistent enforcement action.
What a SAR is
Under Article 15 of EU GDPR, any individual (data subject) can ask a controller whether it processes their personal data and, if so, receive a copy of that data with supplementary information. A SAR does not need to use any specific language or reference any legislation. A verbal request, an email, a social media message — all are valid. The one-month response clock starts from the date of receipt regardless of format.
What you must provide
Article 15(1) requires confirmation of whether processing occurs, and if so: the purposes; categories of data; recipients or categories of recipients; retention periods; the data subject’s rights to rectification, erasure, restriction, and objection; the right to complain to a supervisory authority; the source of the data where not collected directly; and whether automated decision-making is used including meaningful information about the logic. Article 15(3) requires a copy of the personal data itself, typically in electronic form.
Deadlines and extensions
The response must be provided without undue delay and within one calendar month. The period is calculated from the date of receipt. Where you have reasonable doubt about the requester's identity, the period may be paused while verification information is sought — but only where genuinely necessary and proportionate, never as a pretext for delaying the response. An extension of two further months is available for complex or numerous requests — but the data subject must be notified of the extension, with reasons, within the first month. Applying an extension without that notification is itself a breach.
Fees
Responses must be provided free of charge. A fee may be charged only where a request is manifestly unfounded or excessive. The fee must be reasonable and based on administrative cost. Routinely charging for SARs or using fee requirements as a deterrent is not permitted.
Member state exemptions
EU GDPR Article 23 permits member states to restrict the right of access where necessary to safeguard specific interests — national security, defence, public security, prevention of crime, judicial independence. Member states have implemented these restrictions differently. Organisations operating across member states must be aware of the specific exemptions available in each jurisdiction where they process data.
AML-regulated organisations — tipping off
For organisations regulated under the EU Anti-Money Laundering Directives (AMLD4/5), a SAR from an individual who is the subject of a Suspicious Activity Report (STR) presents a tipping-off risk. Responding fully could disclose the existence of the STR. The approach mirrors the UK position: the crime and taxation exemption available under member state law implementing Article 23 may permit withholding STR-related information. The procedure for checking STR records on receipt of every SAR, escalating to the MLCO, and managing the response must be documented in advance.
Note: application of EU GDPR obligations may vary under member state law. Confirm with a practitioner familiar with the relevant jurisdiction.