Use our GDPR data subject access response letter to set out your reply to a data subject access request that’s been made under the UK GDPR.
Response requirements
The UK GDPR enables individuals to access the personal data that you hold about them by making a data subject access request (DSAR). In response to a DSAR, you must provide confirmation as to whether their personal data are being processed by you, access to copies of their requested personal data and other additional information. If the individual has submitted their DSAR by electronic means, you must provide the information in a commonly used electronic form, e.g. PDF copies supplied by e-mail, unless they request otherwise.
Other additional information
The other additional information that you must provide is:
You should be able to glean most of the information from your GDPR Privacy Notice for Job Applicants or GDPR Privacy Notice for Staff.
Response letter
Our GDPR Data Subject Access Response Letter includes sections for you to insert all the relevant information. It then goes on to provide copies of the documents containing the personal data that you’ve collated in response to the DSAR, together with an index. There are some statutory exemptions to information that must be disclosed in response to a DSAR. These include exemptions in relation to data covered by legal professional privilege, data processed for the purposes of management forecasting or management planning, material relating to negotiations and confidential employment references. In addition, you can redact or restrict disclosure where, for example, the information contains third-party personal data. So, our letter contains two optional paragraphs for use in these circumstances.