A Data Protection Subject Access Request (SAR) is a request for information made by or on behalf of an individual under Article 15 of the UK GDPR.
Data Protection Subject Access Request: Are There any Formal Specifications?
No. The UK GDPR does not set out any formal requirements for a legitimate request. As a result, a SAR can be made verbally or in writing, including through social media. Individuals do not have to direct it to a specific person or contact point, and they can send it to any part of your organization.
The terms “subject access request,” “right of access,” and “Article 15 of the UK GDPR” are not required in a request. It only needs to be stated that the individual is requesting their own personal information.
Even if a request relates to other legislation, such as the Freedom of Information Act 2000 (FOIA) or the Freedom of Information (Scotland) Act 2002 (FOISA), the individual is still eligible to request access.
Should Organizations Provide Formal Forms to Submit Requests?
Standard forms can help you recognize a SAR and encourage people to provide all of the information you’ll need to locate their information.
Organizations should “offer means for requests to be made electronically, especially if personal data is processed by electronic means,” according to Recital 59 of the UK GDPR. As a result, you should consider creating an electronic subject access form that people may fill out and submit to you.
You should keep in mind, however, that a SAR is acceptable whether it is submitted by letter, email, or verbally. You should make it clear that filling out the form is optional, and simply invite people to use it.
Is Requesting Access Via Social Media Allowed?
Yes. Individuals can file a SAR on any social media site where your company is active. Although it may not be the most efficient method of delivering the request, nothing prevents an individual from doing so.
As a result, you should be aware of the possibility of people making SARs through your social media channels, and take reasonable and proportionate steps to respond to these requests effectively.
For information security reasons, it is not appropriate to use social media to provide information in response to a SAR. Instead, ask for a different address to which the response can be sent. See ‘How can we provide the information securely?’ for further information.
Is Submitting a Request on Behalf of Another Allowed?
Yes. A person may want a third party to file a SAR on their behalf. For instance, it could be their relative, friend, or solicitor. The UK GDPR does not prohibit this. However, you must be satisfied that the third party has the authority to act on the individual’s behalf. It is the responsibility of the third party to supply you with proof of this, for instance by submitting a formal authority signed by the individual authorizing the third party to file a SAR on their behalf.