ECSH151500 - Subject access request

A subject access request (SAR) is a request made by or on behalf of an individual to an organisation asking to know what personal information is held about them and what data is being processed.  Article 15 of the General Data Protection Regulation (GDPR) gives individuals the right to ask for this information.  

Everyone needs to be aware that, under the GDPR, SARs can be made verbally, in writing, or in electronic format including social media. A request also does not have to include the phrase 'subject access request' or Article 15 of the GDPR, as long as it is clear that the individual is asking for their own personal data. 

A response to the SAR must be provided without delay and at the latest within one month of receiving the request. HMRC therefore aim to deal with all SARs within 28 days of receipt.

Anyone who deals with customers should be aware that any request for personal data has the potential to be a SAR. Staff also have the right to make a SAR. 

Guidance and links 

Customer Compliance Group (CCG) Guidance on how to identify Subject Access Requests, what to do when you receive one and how to contact the correct SAR team is found here. 

HMRC Legal Group Guidance on how to identify Subject Access Requests, what to do when you receive one and how to contact the correct SAR team is found here. 

Information on SARs can be found at the ICO website.