A Subject Access Request (SAR) is a formal request made by an individual to an organisation to obtain a copy of the personal data held about them, as well as an explanation of why the data is being processed and who it has been shared with.

A Subject Access Request, commonly referred to as a SAR, is a written request made by an individual to an organisation to find out what personal data that organisation is holding about them. Under data protection laws such as the GDPR, individuals have a legal right to receive a copy of their personal information and to understand how and why their data is being used.
When you receive a Subject Access Request, your company is legally obligated to respond. This involves searching your databases, emails, and physical files to identify any information that relates to the person making the request. You must describe why you are processing the data, who else has seen it, and how long you intend to keep it. This transparency is a cornerstone of modern privacy rights.
For founders, a Subject Access Request is a serious compliance matter that requires a structured response. It is not something you can simply ignore; failing to provide the requested information within the statutory timeframe can lead to complaints to the Data Protection Commission and potentially significant fines. Handling a SAR correctly demonstrates that your company takes its legal obligations and customer privacy seriously.
In the Irish legal system, and across the EU, the standard deadline for responding to a Subject Access Request is one month from the date you receive it. This period can be extended by a further two months if the request is particularly complex or if you have received a large number of requests from the same person simultaneously. If you do need an extension, you must inform the individual within the first month and explain why the delay is necessary.
The "one month" deadline means that the response should be provided by the same day in the following month. For example, a request received on 5 June must be fulfilled by 5 July. If the date doesn't exist in the following month (e.g., 31 August), the deadline is the last day of that month. Because the window is relatively tight, it is vital to have an internal process in place to identify and log a SAR as soon as it arrives.
Generally, you cannot charge a fee for a Subject Access Request. Under the GDPR, individuals are entitled to receive a copy of their personal data free of charge. This ensures that the cost of accessing information does not become a barrier to people exercising their legal rights.
However, there are very limited exceptions. If a request is "manifestly unfounded or excessive"—for example, if a person repeatedly asks for the same information every week—you may be permitted to charge a reasonable administrative fee based on the cost of providing the data. Alternatively, you may be able to refuse the request entirely. Be cautious here: the burden of proof is on your company to demonstrate that the request is actually excessive, and the threshold for this is very high.
A complete response to a Subject Access Request must include more than just a copy of the raw data. You must provide a "privacy notice" style summary that explains the purposes of the processing, the categories of personal data concerned, and the recipients or categories of recipients to whom the data has been or will be disclosed. This gives the individual the full context of their digital footprint within your organisation.
You must also inform the individual of their right to request rectification or erasure of their data, and their right to lodge a complaint with the Data Protection Commission. If you are using automated decision-making or profiling, you must provide meaningful information about the logic involved. Providing a clear and comprehensive response helps prevent follow-up queries and potential escalations to regulators.
While the right of access is broad, it is not absolute. You are generally not required to disclose information that would adversely affect the rights and freedoms of others. For example, if a document contains personal data about two different people, you must redact the information relating to the third party before sending it to the individual making the request.
There are also specific exemptions for legal professional privilege. If the data consists of correspondence between your company and its solicitors for the purpose of getting legal advice, you do not have to disclose it. Other exemptions exist for data processed for the prevention or detection of crime. However, these exemptions must be applied narrowly and justified on a case-by-case basis.
In a typical startup, the responsibility for handling a Subject Access Request usually falls to the operations manager or the legal counsel. If your company is large enough to require a Data Protection Officer (DPO), they will oversee the process. However, every employee should be trained to recognise a SAR, because it does not have to be formal and can even arrive via social media or as a verbal request.
The key is to have a central point of contact who understands the procedural requirements. Because a SAR often involves sensitive internal communications, it is important that the search is thorough but controlled. Many founders choose to use privacy management software to help track requests, manage deadlines, and securely redact documents before they are issued.
Ignoring a Subject Access Request is a serious breach of the GDPR. The Data Protection Commission has the power to issue enforcement notices requiring you to provide the data, and they can also impose administrative fines. For a company, these fines can be significant—up to 4% of annual global turnover or €20 million, whichever is higher, though for startups, the focus is usually on corrective measures first.
Beyond the legal penalties, failing to respond to a SAR can create a public relations disaster and signal to investors during due diligence that your company has poor internal controls. In some cases, individuals can also sue for "non-material damage" if the failure to provide their data caused them distress or inconvenience. Promptly and professionally handling these requests is the best way to mitigate these risks.