Irish startups, small businesses, employers, and any organisation processing personal data in Ireland, particularly those facing customer or employee requests.
Readers will gain a step-by-step guide to compliant SAR handling, reducing risks of DPC investigations, compensation claims, fines, and reputational harm while building efficient data protection processes.
Key Takeaways
- SARs are the most common data protection complaints to the DPC in Ireland, especially from employees.
- Respond to SARs within one month; extend only for valid complex reasons and notify promptly.
- Verify requester identity proportionately to avoid data breaches.
- Provide all personal data plus Article 15 details; redact exemptions document-by-document.
- Build a repeatable SAR process: designate handler, log requests, map data systems, train team.

Subject Access Requests: How Irish Businesses Must Respond
A subject access request is one of the most common data protection issues Irish businesses face. Under GDPR, any person whose data you hold can ask to see it, and you must respond within one month. The Data Protection Commission has confirmed that SARs make up the largest category of complaints it receives. Getting this wrong means regulatory scrutiny, compensation claims, and reputational damage that no small business needs.
This guide explains what a subject access request is, how to handle one properly, and how to build a repeatable process that keeps your business compliant.
What is a subject access request?
A subject access request (SAR) is a request made under Article 15 of the GDPR by an individual to obtain a copy of the personal data an organisation holds about them. The individual is also entitled to information about why you are processing their data, who you have shared it with, how long you intend to keep it, and what rights they have in relation to it.
Anyone can make a SAR. Employees, customers, website visitors, former clients, job applicants: if you hold their personal data, they have the right to ask for it. There is no required format. A SAR can be made verbally, by email, through a web form, or even via social media. The request does not need to mention "subject access request", "Article 15", or the GDPR. If someone asks for their data, that is a SAR.
SARs are increasing in Ireland. The DPC's annual reports consistently show access requests as the most complained-about area. Employers in particular face a high volume of SARs, often in the context of employment disputes.
What is the one-month response deadline?
You must respond to a SAR without undue delay and at the latest within one calendar month of receiving the request. The clock starts the day after you receive the request, regardless of when you begin working on it.
If the request is complex or you have received a large number of requests from the same individual, you may extend the deadline by up to two further months. However, you must inform the requester within the original one-month period that you need more time, and you must explain why.
What counts as a valid reason for extension:
- The volume of data is exceptionally large and requires significant search effort
- The request involves data held across multiple systems or locations
- You need to consult with third parties before disclosing certain information
- Multiple simultaneous requests from the same individual
What does not count:
- Being busy or under-resourced
- Needing to consult internally about whether to comply
- Waiting for legal advice on a routine request
The DPC has stated that a response may be considered untimely even before the maximum one-month term expires. "Without undue delay" means you should respond as soon as you reasonably can, not wait until the deadline.
Author's tip: Set an internal target of three weeks, not four. This gives you a buffer for unexpected complications and demonstrates good faith if the DPC ever reviews your response time.
How do you verify the requester's identity?
Before disclosing personal data, you must be reasonably confident that the person making the request is who they claim to be. It is important to be aware that disclosing data to the wrong person is itself a data breach.
However, identity verification must be proportionate. Both IAPP and DPC guidance emphasise that you should not demand verification data that is clearly more sensitive than the data being requested. For example, asking for a passport copy as standard practice for every SAR is excessive and should be avoided.
Proportionate verification approaches include:
- Existing customers or employees: If the request comes from a known email address or account, this may be sufficient. You already have a relationship with the person.
- Unknown individuals: Ask for enough information to confirm their identity, such as name, date of birth, account number, or other details you hold that they would know.
- Third-party requests: If a solicitor or agent makes a request on someone's behalf, ask for written authorisation from the data subject. Confirm the agent's identity separately.
- Requests about children: A parent or guardian can make a SAR on behalf of a child, but consider the child's age and maturity. Older children may need to consent to the disclosure themselves.
If you genuinely cannot verify the requester's identity, you may ask for additional information. But the clock pauses only until you receive what you need to confirm identity, not indefinitely. We recommend that you document your verification steps in case of a complaint.
What must you provide in response?
A complete SAR response includes more than just a copy of the data. Under Article 15, you must provide the following:
- Confirmation of processing: Whether or not you are processing their personal data
- A copy of the personal data: All personal data you hold about them, across all systems
- Purposes of processing: Why you are processing each category of data
- Categories of data: What types of personal data you hold (contact details, financial, health, etc.)
- Recipients: Who you have shared the data with, or categories of recipients
- Retention periods: How long you intend to keep the data, or the criteria for determining this
- Rights information: The individual's right to rectification, erasure, restriction, and to lodge a complaint with the DPC
- Source of data: If you did not collect the data directly from the individual, where it came from
- Automated decision-making: Whether you use automated processing, including profiling, and meaningful information about the logic involved
The data must be provided in a commonly used electronic format if the request was made electronically. PDF is acceptable. You must provide the first copy free of charge.
The DPC's guidance confirms that data subjects are entitled to "any and all of their personal data." You may ask the requester to specify what they are looking for, but they are not obliged to narrow their request. If they decline to specify, you must provide everything.
For a broader overview of your data protection obligations, see our GDPR compliance guide for startups.
What exemptions and restrictions apply?
The right of access is not absolute. Article 23 of the GDPR and Section 60 of the Data Protection Act 2018 set out circumstances where you can lawfully restrict disclosure.
Key exemptions for Irish businesses:
- Legal professional privilege: Communications between a client and their solicitor for the purpose of obtaining legal advice are exempt. This is particularly relevant in employment dispute SARs.
- Third-party data: If disclosing the data would reveal personal data about another individual, you must consider whether disclosure is appropriate. You may need to redact third-party information unless that person has consented or it is reasonable to disclose without consent.
- Manifestly unfounded or excessive requests: If a request is clearly made in bad faith or is repetitive to the point of being unreasonable, you may refuse or charge a reasonable fee. The bar for this is high: you must be able to demonstrate why the request is excessive.
- Ongoing legal proceedings: Section 60(3)(a)(iv) of the Data Protection Act 2018 provides a restriction where disclosure would prejudice proceedings.
- Regulatory functions: Restrictions apply where disclosure would prejudice the prevention, detection, or investigation of offences.
If you apply any exemption, you must tell the requester which restriction you are relying on and why. In our experience, a blanket refusal without explanation will not satisfy the DPC.
Important: Exemptions must be applied on a document-by-document, paragraph-by-paragraph basis. You cannot refuse an entire SAR because one document is privileged. We recommend that you redact the exempt material and disclose the rest.
How do you build a SAR response process?
A repeatable, documented process is essential. Without one, you risk missed deadlines, incomplete responses, and inconsistent handling across your team.
Here is a practical framework:
- Designate a SAR handler: Assign responsibility to a specific person or team. Every employee should know where to forward a SAR when they receive one.
- Log every request immediately: Record the date received, the requester's identity, what they asked for, and your response deadline. This log is your accountability record.
- Verify identity: Apply proportionate checks as described above. Document what you asked for and what you received.
- Search all systems: Personal data lives in email, CRM, HR systems, spreadsheets, shared drives, messaging platforms, paper files, and backups. Create a checklist of all systems that hold personal data so nothing is missed.
- Review and redact: Check every document for third-party data, privileged material, and other exempt content. Redact where necessary and document your reasoning.
- Compile and respond: Provide the data in a clear, organised format with the supplementary information required by Article 15. Send within deadline.
- Record the outcome: Log what you provided, any exemptions applied, and the date of response.
Your records of processing activities should already map where personal data is stored; this makes SAR searches significantly easier.
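As an added example (not from the article or Open Forest), a small Python SAR log that applies the timing rules above and the "log every request" step: the clock starts the day after receipt, one calendar month to respond, an extension of at most two further months notified with reasons inside the original month, a pause while requested identity details are outstanding, and the three-week internal target. The month-end fallback (31 January plus one month ending on the last day of February) and counting the identity-check pause in whole days are assumptions for the example, not rules stated on the page.

```python
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


def add_months(d: date, months: int) -> date:
    """Same calendar date `months` later. When that date does not exist
    (31 Jan + 1 month), fall back to the last day of the target month.
    The fallback rule is an assumption made for this example."""
    y, m = divmod(d.month - 1 + months, 12)
    year, month = d.year + y, m + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


@dataclass
class SarRecord:
    """One entry in the SAR log: who asked, when, what, and how the deadline moved."""
    requester: str
    received: date
    summary: str
    identity_pause_days: int = 0      # whole days spent waiting for ID details you asked for
    extension_months: int = 0         # 0, 1 or 2 further months
    extension_reason: str = ""
    extension_notified: Optional[date] = None
    responded: Optional[date] = None

    def clock_start(self) -> date:
        # The clock starts the day after receipt, whenever work actually begins.
        return self.received + timedelta(days=1)

    def base_deadline(self) -> date:
        # One calendar month, pushed out only by the days spent waiting on
        # identity details (assumption: the pause is counted in whole days).
        return add_months(self.clock_start(), 1) + timedelta(days=self.identity_pause_days)

    def internal_target(self) -> date:
        # Author's tip: aim for three weeks rather than the full month.
        return self.clock_start() + timedelta(weeks=3)

    def deadline(self) -> date:
        # Original deadline plus any extension already recorded.
        return add_months(self.base_deadline(), self.extension_months)

    def extend(self, months: int, reason: str, notified_on: date) -> date:
        """Record an extension: at most two further months, with a stated reason,
        and the requester must be told inside the original one-month period."""
        if months not in (1, 2):
            raise ValueError("extension must be one or two months")
        if not reason.strip():
            raise ValueError("an extension needs a stated reason")
        if notified_on > self.base_deadline():
            raise ValueError("extension must be notified within the original month")
        self.extension_months = months
        self.extension_reason = reason
        self.extension_notified = notified_on
        return self.deadline()

    def is_overdue(self, today: date) -> bool:
        # Overdue only if nothing has been sent and the deadline has passed.
        return self.responded is None and today > self.deadline()
```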
What are the consequences of getting it wrong?
Failing to respond to a SAR properly, or at all, carries real consequences for Irish businesses.
- DPC complaints: Individuals can complain to the DPC if you fail to respond within the deadline, provide an incomplete response, or refuse without valid grounds. The DPC will investigate and can compel you to comply.
- Compensation claims: Under Article 82 of the GDPR, individuals can claim compensation for material or non-material damage caused by a failure to comply with their data rights. Irish courts have awarded damages for SAR failures.
- Enforcement action: The DPC can issue enforcement notices requiring you to take specific action, including completing a SAR response. Failure to comply with an enforcement notice is a criminal offence under the Data Protection Act 2018.
- Reputational risk: SAR complaints are a signal to the DPC that your data protection practices may need broader scrutiny. A pattern of poor SAR handling can trigger a wider audit.
The DPC's approach is firm but practical. If you can demonstrate that you have a reasonable process in place, acted in good faith, and responded within the timeline, you are in a strong position even if a requester disagrees with your response.
Your next step
If you do not already have a SAR response process, build one now. Start by mapping every system where personal data is stored. Assign a SAR handler. Create a logging template. Set internal deadlines shorter than the statutory maximum.
The volume of SARs in Ireland is increasing, driven by greater public awareness and the rise of employment-related requests. The cost of handling a SAR properly is a few hours of work. The cost of handling one badly is a DPC investigation, a compensation claim, or both.
For guidance on your broader data protection obligations, see our GDPR compliance guide for startups. If you need help understanding your data processing agreements with vendors who hold personal data on your behalf, we have a detailed guide on that too.
Need help building your data protection processes?
Open Forest helps Irish startups get their legal and compliance foundations right, from company formation to GDPR readiness. We handle the complexity so you can focus on building your product.
By Laura · March 2026 · 6 min read
If someone asks your business for a copy of the personal data you hold on them, you have a legal obligation to respond. A subject access request in Ireland under GDPR is one of the most common data protection rights exercised by individuals, and getting it wrong can lead to a complaint to the Data Protection Commission (DPC). This guide walks you through the process: what a SAR is, how to verify the requester, what you must hand over, and how to build a repeatable response process.
What is a subject access request?
A subject access request (SAR) is a request made by an individual to a data controller for a copy of their personal data. Under Article 15 of the GDPR, anyone whose data you process has the right to ask what information you hold on them, why you hold it, and who you share it with.
There is no required format for a SAR. A person can submit one by email, letter, phone call, or even verbally in person. They do not need to use the phrase "subject access request" or cite the GDPR. If someone asks for their data, that counts.
Employees, customers, website users, job applicants, and former clients can all make SARs. As data protection awareness grows in Ireland, the DPC has reported a steady increase in the number of access requests across all sectors.
Please note: A SAR does not need to be in writing. If a customer asks over the phone for a copy of their data, the clock starts ticking from that moment.
How long do you have to respond?
The GDPR gives data controllers one month from receipt of the request to provide a full response. This is a hard deadline, not a target.
If the request is particularly complex or you have received multiple requests from the same individual, you can extend the deadline by a further two months. You must notify the requester of the extension and the reasons for it within the initial one-month period. You do not need the requester's permission or DPC approval for this extension.
In most cases, you cannot charge a fee. The GDPR allows a reasonable administrative charge only where the request is "manifestly unfounded or excessive," and the threshold for that is high.
That covers the timeline. But before you start gathering data, you need to confirm who you are dealing with.
How do you verify the requester's identity?
Before disclosing personal data, you must take reasonable steps to confirm the requester's identity. The DPC's guidance is clear: verification must be proportionate to the type of data you hold and the context of the request.
If an existing customer emails you from their registered email address requesting their account data, additional verification may not be necessary. If a third party or solicitor submits a request on someone's behalf, you should ask for written authorisation from the data subject.
For requests involving sensitive data, such as health records or financial information, more rigorous verification is appropriate. The key principle is proportionality: do not demand excessive identification, but do not skip the step entirely.
In practice, this means a customer emailing from their known address needs less verification than a stranger phoning your office asking for employee records.
What must you provide in your response?
A complete SAR response includes more than a data dump. Under Article 15, you must provide:
- Confirmation that you are processing the individual's personal data
- A copy of all personal data you hold on them
- The purposes of processing
- The categories of data concerned
- Recipients or categories of recipients the data has been shared with
- The retention period, or the criteria used to determine it
- Information about the individual's rights, including rectification, erasure, restriction, and objection
- The source of the data, if not collected directly from the individual
The data must be provided in a commonly used electronic format if the request was made electronically. Present the information clearly rather than sending raw database exports the requester cannot understand.
If your business uses a data processing agreement with third-party processors, review those arrangements to ensure you can locate all relevant data held on your behalf.
When can you refuse or restrict access?
The right of access is not absolute. The GDPR and the Data Protection Act 2018 provide several exemptions:
- Legal professional privilege: Section 162 of the Data Protection Act 2018 exempts data covered by solicitor-client privilege from disclosure
- Third-party data: Where disclosing data would reveal information about another identifiable individual, you may redact that information unless the third party consents
- Manifestly unfounded or excessive requests: You can refuse or charge a fee, but you must demonstrate why the request meets this threshold
- Ongoing legal proceedings: Data processed for the purpose of legal proceedings may be restricted
- Criminal investigations: Data held by law enforcement for investigation purposes is exempt where disclosure would prejudice the investigation
If you refuse a request in whole or in part, you must inform the requester of the reasons, their right to complain to the DPC, and their right to a judicial remedy.
Need help building your GDPR response processes? Open Forest helps Irish businesses set up compliant data protection workflows, from SAR handling to breach response. Talk to us about getting your processes in order.
How to build a SAR response process
A repeatable SAR process protects your business and ensures consistency. Here is a practical framework:
- Designate a SAR handler: Assign responsibility to a specific person or team. For smaller companies, this might be the office manager or company secretary.
- Create a request log: Record every SAR with the date received, the requester's identity, the deadline, and the outcome. This log is your accountability record.
- Map your data: Know where personal data lives across your systems: CRM, email, HR software, paper files, cloud storage, and any third-party processors. If you have a document retention policy, this mapping should already exist.
- Build a response template: Standardise the cover letter that accompanies your response, listing the information required under Article 15.
- Set internal deadlines: Give yourself a buffer before the one-month deadline. Aim to complete data gathering within three weeks to allow time for review and redaction.
- Train your team: Everyone in your organisation should know what a SAR looks like and who to escalate it to. Remember, SARs can arrive verbally.
If your business is already working toward GDPR compliance, a SAR process fits naturally into your broader data protection framework.
What happens if you get it wrong?
Failing to respond to a subject access request properly is one of the most common reasons individuals complain to the DPC. The consequences can escalate quickly.
The DPC can investigate your handling of a SAR, issue enforcement notices, and impose administrative fines. Under the GDPR, fines for access right violations can reach up to €20 million or 4% of annual global turnover, whichever is higher.
Beyond fines, data subjects can bring compensation claims directly against your business for material or non-material damage caused by a failure to comply. We tend to see that reputational damage is harder to quantify but no less real, particularly for small businesses that depend on client trust.
Recent DPC enforcement activity in Ireland shows that SAR complaints are taken seriously. It is important to be aware that late responses, incomplete disclosures, and unjustified refusals have all resulted in formal findings against controllers.
Where this leaves you
Subject access requests are a routine part of doing business under the GDPR. The process is straightforward once you have a system in place: verify the requester, gather the data, check for exemptions, and respond within one month.
If your business does not have a SAR process yet, now is the time to build one. We recommend that you start by mapping where personal data sits in your organisation and assigning responsibility for handling requests. Open Forest can help you put the right data protection foundations in place so you are ready when the first request arrives.

Laura Ryan is a practising Barrister at the Bar of Ireland. She graduated from the Honourable Society of King’s Inns in 2024, having previously qualified and practised as a Chartered Accountant in a big four accounting firm.