Definition
A formal request made by an individual under Article 15 of the UK GDPR to obtain a copy of the personal data an organisation holds about them. Employers must respond to a SAR within one calendar month.
UK Context
SARs are governed by Article 15 of the UK GDPR and Section 45 of the Data Protection Act 2018. The ICO provides detailed guidance on handling SARs, including worked examples for the employment context. Employers cannot charge a fee for SARs (except in cases of manifestly unfounded or excessive requests). The one-month deadline runs from receipt of the request.
Best Practices
- Have a documented SAR process with assigned responsibilities and templates for responses
- Acknowledge receipt of the SAR promptly and verify the identity of the requester
- Search all relevant systems comprehensively — emails, HR software, shared drives, messaging platforms, and paper files
- Apply exemptions and redactions carefully and document the reasons for any information withheld
- Respond within one calendar month, or extend by two months for complex requests with notification to the individual
Frequently Asked Questions
How long does an employer have to respond to a SAR?
One calendar month from the date the request is received. For complex or voluminous requests, this can be extended by a further two months, but the individual must be informed of the extension and the reasons within the first month.
Can an employer refuse a SAR?
Only in limited circumstances. An employer can refuse if the request is manifestly unfounded or excessive (for example, repetitive requests with no new purpose). The employer can also redact information where disclosure would adversely affect the rights of others or where legal professional privilege applies.
Does a SAR cover emails about the employee?
Yes. Emails that contain the individual's personal data are within scope, including emails between managers that discuss the individual. This is often the most time-consuming element of a SAR response. Employers should search email systems thoroughly and apply redactions where third-party personal data would be disclosed.