Under GDPR, a data subject has the right to obtain confirmation as to whether or not their personal data is being processed. The right to receive data under a subject access request must not adversely affect the rights and freedoms of others. You cannot comply with a subject access request if it would adversely affect someone else’s rights. If the information is subject to legal privilege or concerns a third party, it may not be able to be released.
What is a subject access request?
Data subjects are entitled to find out what personal data is held about them by an organisation, why the organisation is holding it and who else knows the information. The process of finding this out is known as a subject access request, or SAR.
A subject access request is not the same as a Freedom of Information (FOI) request. An FOI request covers all information held only by public authorities, but not personal information about the person making the request. If you are not a public body or otherwise covered by FOI legislation, an FOI request cannot be made to you.
Continue reading