GDPR: right of access (aka subject access requests)

Under the GDPR, individuals have the right to obtain:

  • Confirmation that their personal data is being processed.

  • Access to their personal data.

  • Other supplementary information (which largely corresponds to the information that should be included in a privacy notice).


Is a fee payable?

Whereas the DPA allowed a £10 fee, the GDPR specifies that a copy of the information must be provided free of charge.

However, a “reasonable fee” can be charged when a request is manifestly unfounded or excessive, particularly if it’s repetitive.

As the ICO identified in its guidance, the fee must be based on the administrative cost of providing the information.


Length of time to comply

Whereas the DPA allowed 40 days, under the GDPR information must be provided without delay and at the latest within 1 month of receipt of the subject access request.

This period can be extended by a further 2 months where requests are complex or numerous.