Documents for Business
- » Workplace and Environment
- » Employment law
- » Appraisals, promotion and training
- » Changing terms & conditions and TUPE
- » Contractual clauses
- » Data protection
- » Disciplinary, capability and dismissal
- » Flexible working
- » Grievances
- » Pay and pensions
- » Personnel management
- » Policies
- » Probation
- » Recruitment
- » Redundancy
- » Sickness absence
- » Termination
- » Time off and holidays
- » Trade unions
- » Work and parents
- Environment
- Fire safety
- HR
- Health and safety
- Risk assessment
- Safe systems of work
- Safety briefings
- Staff handbooks
- » Employment law
- Tax and Business
Documents for Business
In excess of 1,000 customisable documents covering every conceivable business issue.Introduction to this document
GDPR data subject access request form
The UK GDPR enables individuals to gain access, on request, to personal data that you hold about them. There’s no particular format in which such a request should be made, but you can use our form to assist them with making a request.
Form of request
Under the UK GDPR, individual data subjects have the right, on request, to obtain a copy of their personal data from you by making a data subject access request (DSAR). The UK GDPR doesn’t provide for any particular format in which a DSAR should be made but you can make available our GDPR Data Subject Access Request Form. It asks the applicant to provide their name, contact details and evidence of identity and then other information to enable you to identify both them and the personal data that they’re requesting. You must still respond though to DSARs made through other formats, e.g. by e-mail, so you can’t insist that a form be used. Where you have reasonable doubts concerning the data subject’s identity, you can request them to provide additional information necessary to confirm their identity before complying with the DSAR.
Information to be provided
Once the data subject has made their DSAR, they have a right to obtain: (a) confirmation as to whether or not their personal data are being processed by you, (b) access to copies of their specified personal data, and (c) other additional information. If the data subject makes their DSAR electronically, you must provide the information in a commonly used electronic form, unless they request otherwise. Note. Your obligation is to provide personal data, not to provide full copies of documents. However, it’s unlikely to be worthwhile for you to spend time extracting personal data from a document, unless the document is sensitive or only a small part of it constitutes personal data. The other additional information comprises:
- the purposes of the processing and the categories of personal data concerned
- the recipients, or categories of recipients, to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations, and where the personal data are transferred to a third country or to an international organisation, the appropriate safeguards in place relating to the transfer
- the envisaged period for which the personal data will be stored, or the criteria used to determine that period
- the existence of the data subject’s rights to request rectification or erasure of their personal data or restriction of processing of their personal data or to object to such processing and their right to lodge a complaint with the Information Commissioner’s Office
- where the personal data are not collected from them, any available information as to their source
- the existence of automated decision making, including profiling, and meaningful information about the logic involved, as well as the envisaged consequences of such processing for them.
