Introduction to this document

GDPR data subject access response letter

Use our GDPR data subject access response letter to set out your reply to a data subject access request that's been made under the GDPR.

Response requirements

The EU General Data Protection Regulation (GDPR) enables individuals to access the personal data that you hold about them by making a data subject access request (DSAR). In response to a DSAR, you must provide: confirmation as to whether their personal data are being processed by you; access to copies of their requested personal data; and other additional information. If the individual has submitted their DSAR by electronic means, you must provide the information in a commonly used electronic form, e.g. PDF copies supplied by e-mail, unless they request otherwise.

Other additional information

The other additional information that you must provide is:

  • the purposes of the processing and the categories of personal data concerned
  • the recipients, or categories of recipients, to whom the personal data have been or will be disclosed, in particular recipients in non-EEA countries and, where the personal data are transferred to a non-EEA country, what appropriate safeguards are in place relating to the transfer
  • the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period
  • the existence of the individual's rights to request rectification or erasure of their personal data or restriction of processing of their personal data or to object to such processing, and their right to lodge a complaint with the Information Commissioner's Office
  • where the personal data are not collected from them, any information as to their source
  • the existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the envisaged consequences of such processing for them.

You should be able to glean most of the information from your GDPR Privacy Notice for Job Applicants or GDPR Privacy Notice for Staff.

Response letter

Our GDPR Data Subject Access Response Letter includes sections for you to insert all the relevant information. It then goes on to provide copies of the documents containing the personal data that you've collated in response to the DSAR, together with an index. There are some statutory exemptions to information that must be disclosed in response to a DSAR. These include exemptions in relation to data covered by legal professional privilege, data processed for the purposes of management forecasting or management planning, material relating to negotiations and confidential references that you've given. In addition, you can redact or restrict disclosure where, for example, the information contains third-party personal data. So, our letter contains two optional paragraphs for use in these circumstances.