RSM Malta

Don’t Underestimate the Subject Access Request

Show original post

Thanks to the coming into force of the European Union’s General Data Protection Regulation EU 2016/679 (hereinafter “the GDPR” or “the Regulation”), data security and personalisation incidents, like the recent Facebook/Cambridge Analytica scandal, helped raise consumer awareness on the amount of information held by public bodies and private organisations about individuals (hereinafter “data subjects”, “they”, “them”), especially the manner in which such data is or could be processed.

The above-mentioned scandal provides a real working answer to the much-asked GDPR question of “how much will this affect consumer behaviour on the whole?” In other words, while the Regulation gives data protection laws teeth, the Facebook/Cambridge Analytica saga gives the public a reason to bite.

The Right of Access[1] is a prevailing and often less discussed aspect of the GDPR. By exercising this right, data subjects are now able to check whether the personal data held about them is correct and whether it is being handled in accordance with the wider data protection rules.

Definition and Consideration of a subject access request (“SAR”)

An SAR is a request made by or on behalf of an individual to an organisation (hereinafter “the entity”, “the Data Controller”) or to any part of it to obtain:

     i.       a confirmation that their data is being processed;

   ii.       a copy of their personal data; and

  iii.       other supplementary information (as stipulated within Articles 12-14 of the GDPR).

The GDPR does not specify how a valid SAR is to be made. Therefore, it can be made verbally or in writing and can also be addressed to anyone within the organisation, meaning that it does not have to be addressed to a specific person or contact point.

Moreover, an SAR does not have to include the phrase “subject access request” or Article 15 of the GDPR, as long as it is clear that the data subjects are asking for their own personal data. The Data Controller may wish to check with the requestor that they have understood their request, so as to avoid later disputes relating to the interpretation of such request.

Data covered by the Request

The SAR covers personal data relating to the data subject and which is being processed by the Data Controller or someone else on its behalf.

In this respect, an SAR may refer to:

  • any personal data held in hard copy which is very easy to locate (e.g. a personnel file);
  • any data held in hard copy, but is intended to be transferred on a computer; and
  • any data held on a computer (e.g. emails to or from the data subject or between other individuals) including backups.

What is the data subject entitled to?

On making a request, data subjects have a right to know:

  • why their data is being processed;
  • the categories of personal data concerned;
  • to whom the data has been disclosed, especially in the event of a national or international transfer;
  • where possible, for how long the data will be stored or, if the precise period is not known, how the period can be calculated;
  • their right to request erasure or rectification of their personal data or request that the processing be restricted or stopped;
  • their right to lodge a complaint with a supervisory authority (in Malta this would be the Office of Information and Data Protection Commissioner (IDPC));
  • where the data was not supplied by the data subjects themselves, the source of the data; and
  • whether their data is used in any automated decision-making process and if so, the logic involved, significance and envisaged consequences to them of that processing.

The GDPR further provides that the information should be provided in a transparent, concise, intelligible, and easily accessible form, using clear and plain language. Although it may be quite challenging and time-consuming, the obligation to provide access to personal data is merely limited to the information and not the documents containing such information.

Time-limit to respond to a SAR

The statutory response time is of one (1) calendar month starting from the day after the request is made, irrespective of whether it is a working day or not, until the corresponding calendar date of the following month. If there is no corresponding calendar date (because the following month is shorter), the date for response is the last day of the following month. If the corresponding date falls on a weekend or a public holiday, the response may be submitted on the next working day. For practical purposes, if a consistent number of days are required (e.g. for operational or system purposes), it may be helpful to adopt a twenty-eight (28) day period to ensure compliance is always within a calendar month.

Finding and retrieving relevant information

Since the provisions of the Regulation apply to everyone (clients, employees, agents, contractors, and third parties), organisations must ensure that all personal data is quickly and easily accessible.

Moreover, in dealing with an SAR, one must not lose sight of the confidentiality requirement. Thus, in order to ensure compliance and not to fall victim of the common method employed by fraudsters, it is important for the Data Controller to verify the identity of the person making the request using reasonable means and information relating to the data subject must only be disclosed to them or to a third party on their behalf, provided that a prior written authorisation is given by the data subject acknowledging this.[2]

In the event that:

i.             the Data Controller holds a huge amount of information about an individual; or

ii.            the requestor asks for all the information held about them or claims that not all data has been disclosed,

the Data Controller cannot refuse to supply the information but may, before doing so, request the data subject to specify the data or processing activities to which the request relates[3] which would reasonably help to locate the personal data covered by the request. Nevertheless, albeit the Data Controller need not comply with the request until the information is received, it may still be perceived as unacceptable to delay the response.

This does not automatically extend the stipulated 30-day period for a Data Controller to respond to an SAR. However, if the request is complex or multiple requests were received from the particular data subject, the Data Controller shall have the power to extend the time limit by a further two (2) months. In this case, the Data Controller must, within one (1) month of receiving the request and without undue delay, inform the data subject and explain why the extension is necessary.

Third-party information

Responding to an SAR may entail providing information relating to a third-party individual. Hence, as a safeguard, the GDPR stipulates that the right of a data subject to obtain a copy of their personal data undergoing processing “shall not adversely affect the right and freedoms of others.”[4]

On that account, unless the third-party individual has already consented to the disclosure or it is rational in all circumstances to disclose without consent, the Data Controller may decide not to proceed with the request if doing so entails disclosing identifiable information relating to another person.

For this reason, meticulous consideration must be given as to how disclosure takes place and as to whether any third-party personal data should be redacted prior to the disclosure. Wrongly disclosing confidential data would not only constitute a data breach, but would also form the basis of a potential claim in negligence from the person whose data was disclosed.[5]


The Right of Access is not absolute. The Data Controller may be exempt from providing all or some of the information requested, depending on the circumstance. If challenged, the organisation must be prepared to defend to the Supervisory Authority or a Court of Law the decision to apply an exemption.

Some of these exemptions include:

A.  Confidential References;

B.  Publicly available information;

C.  National Security, Crime and Taxation;

D.  Management Information;

E.  Negotiations with the Requestor;

F.   Legal advice and proceedings

G.  Information used for Research, Historical or Statistical purposes;

H.  Trade secrets, Intellectual Property & Copyright Protections for Software.

The Data Controller may also refuse to comply with an SAR if it is manifestly unfounded or excessive, taking into account whether the request is repetitive in nature.

Furthermore, if the Data Controller decides not to proceed with the request, it must without undue delay and within one (1) calendar month of receipt of the request inform the data subjects about:

  • the reasons for not taking action;
  • their right to lodge a complaint with the relevant Supervisory Authority; and/or
  • their ability to seek to enforce this right through a judicial remedy.


Overall, it can be concluded that although SARs must be treated separately and present numerous challenges within tight time constraints, the Right of Access ultimately opens the door for individuals to exercise further rights such as rectification, objection, restriction and erasure of processing.

Moreover, complying with the GDPR improves the entity’s reputation, maximises the quality of the personal information held, helps manage data efficiently and transparently as well as reduces the risk of data breach.

[1] The General Data Protection Regulation (EU) 2016/679, Article 15

[2] Handling GDPR Subject Access Requests <> accessed 26 December 2018

[3] The General Data Protection Regulation (EU) 2016/679, Recital 53

[4] The General Data Protection Regulation (EU) 2016/679, Article 15(4)

[5] (n2)