SAR Response Template | The DPO Diary

1

Request Details

SAR Reference Number

Received By

Date Received

Response Deadline (1 month)

Calculate: Receipt date + 1 calendar month

How Was the Request Received?

Email Letter Verbal Online Form Other

Remember

A SAR does not need to mention "subject access request", "GDPR", or "data protection". Any request for personal data from an individual should be treated as a SAR.

2

Requester Details

Requester Name

Email Address

Postal Address

Is the Requester the Data Subject?

Yes — Request is from the data subject themselves No — Request is from a third party on behalf of the data subject

Third Party Details (if applicable)

Third Party Requests

If the request is made by a third party, you must have evidence of authorisation (e.g., signed authority, power of attorney) before disclosing any personal data.

3

Identity Verification

Is the Requester's Identity Confirmed?

Yes — Identity has been verified No — Additional verification required Already Known — Requester is known to the organisation (e.g., employee, existing customer)

Verification Method(s) Used

Already known to organisation Photo ID (passport, driving licence) Proof of address (utility bill, bank statement) Security questions / account verification Other (specify below)

Verification Details

Date Verification Requested

Date Verification Received

Deadline clock stops until ID is provided

Proportionate Verification

Only request verification if you have reasonable doubts about identity. The level of verification should be proportionate to the sensitivity of the data. Don't use ID checks as a barrier to legitimate requests.

4

Scope of Request

What Has Been Requested?

Type of Request

All personal data held Specific data or time period Confirmation of processing purposes Information about recipients Retention periods Source of personal data Information about automated decision-making

Did You Need to Seek Clarification?

No — Request was clear Yes — Clarification was requested

Clarification Details (if applicable)

5

Search and Retrieval

Systems / Locations Searched

HR / Personnel systems CRM / Customer database Email systems File shares / Document management Finance / Payroll systems CCTV / Security systems Paper records / Archives Backup systems Third-party processors

Search Details

Personal Data Found

6

Exemptions and Redactions

Are Any Exemptions Being Applied?

No — All requested data is being disclosed Yes — Some data is being withheld or redacted

Exemptions Applied (if applicable)

Third party data — Disclosure would reveal information about another individual Legal professional privilege — Confidential legal communications Confidential references — References given in confidence Management forecasting — Prejudice to management planning Negotiations — Prejudice to negotiations with requester Crime prevention/detection — Would prejudice crime prevention Regulatory functions — Would prejudice regulatory activities

Exemption Justification

Third Party Data

Before disclosing information that identifies other individuals, consider whether they have consented, whether it's reasonable to disclose without consent, or whether you can redact their details.

7

Response Decision

Response Outcome

✓ Full Disclosure

All requested personal data is being provided

◐ Partial Disclosure

Some data withheld under exemption

○ No Data Held

No personal data found relating to requester

✗ Request Refused

Request is manifestly unfounded or excessive

Response Format

Email Post Secure Portal Collection in Person

Date Response Sent

Within Deadline?

Yes No

Response Must Include

Copy of the personal data (in an accessible format)
Information about purposes of processing
Categories of personal data concerned
Recipients or categories of recipients
Retention period or criteria
Right to rectification, erasure, restriction, and objection
Right to lodge a complaint with the ICO
Source of data (if not collected from data subject)
Information about automated decision-making (if applicable)

8

Sign-off and Record Keeping

Completed By (Name)

Role / Title

Signature

Date

Reviewed By (if required)

Review Date

Record Keeping

Retain this completed form and copies of all correspondence for at least 6 years. Do not retain copies of the personal data disclosed — only retain records showing that a response was provided and when.

Subject Access Request (SAR) Response Template

Key Deadlines