On 7 March 2025, the Data Protection Commission (DPC) published a blog post on handling Subject Access Requests (SARs). The post illustrates the DPC's approach to managing complaints received from individuals following SARs and the considerations involved.
The DPC emphasises the importance of organisations providing information in line with GDPR Article 15(1), such as:
the purpose of processing personal data;
the categories of personal data involved;
the recipients or categories of recipients to whom the personal data have been or will be disclosed; and
the envisaged period for which the personal data will be stored (where possible).
This information is essential for individuals to assess the lawfulness of the processing and to exercise other rights under the GDPR, such as the right to erasure or rectification.
Restrictions on Data Access
The DPC advises that organisations may restrict the release of personal data under SARs if they can rely on specific provisions in the GDPR and/or the Data Protection Act 2018. Organisations must provide a clear rationale for any restrictions.
Any restriction of the right of access must be justified based on the specific context of the case. Where a case involves “mixed records” containing data of both the requesting individual and third parties, an identified risk of harm to the third parties can justify withholding information. In highly sensitive situations, where the release of personal data is likely to result in significant harm, the general presumption is that access can be restricted.
When records contain personal information of both the requesting individual and others, the rights of those other parties must be balanced against the right of the requesting individual to access their data. The right to access does not automatically outweigh the rights of third parties.
Any decision to withhold certain data in SARs should be adequately documented, and organisations are required to provide this evidence in confidence to the DPC when requested.
Handling of Complaints by the DPC
The DPC frequently handles complaints from individuals who believe their SARs have not been appropriately addressed by organisations.
In such cases, the DPC examines the restrictions applied by the organisation to determine their validity. The DPC contacts the organisation and poses investigative questions to assess whether the restrictions have been correctly applied.
DPC Confidentiality and Support to Organisations
The DPC reiterates its commitment to protecting sensitive information received and confirms that such data is kept strictly confidential within the DPC.
The DPC advises organisations that it is available to provide support where SARs relate to particularly sensitive matters, to help determine the best approach to handling such data disclosure while balancing the rights of the individuals involved.
The post serves as a reminder to organisations of the importance of balancing an individual’s access rights with the need to protect the privacy and safety of third parties, especially when sensitive information is involved. Organisations are encouraged to carefully consider the implications of SARs and the crucial role that proper documentation plays when justifying restrictions to access following a complaint to the DPC.