Subject Access Request (SAR) Procedure Free Template

Subject Access Request (SAR) Procedure

1. Purpose and Scope

This procedure establishes the framework for handling Subject Access Requests (SARs) and other data subject rights requests under the General Data Protection Regulation (GDPR) and applicable privacy laws. It covers requests for access, rectification, erasure, portability, and restriction of processing of personal data.

2. Types of Data Subject Requests

2.1 Right of Access (Article 15 GDPR)

  • Request to view personal data we hold

  • Information about how data is processed

  • Details of data sharing with third parties

2.2 Right to Rectification (Article 16 GDPR)

  • Request to correct inaccurate personal data

  • Request to complete incomplete personal data

2.3 Right to Erasure/"Right to be Forgotten" (Article 17 GDPR)

  • Request to delete personal data

  • Subject to legal grounds and exemptions

2.4 Right to Data Portability (Article 20 GDPR)

  • Request to receive personal data in structured, machine-readable format

  • Request to transmit data directly to another controller

2.5 Right to Restriction of Processing (Article 18 GDPR)

  • Request to limit how we process personal data

  • Temporary suspension of processing

2.6 Right to Object (Article 21 GDPR)

  • Objection to processing based on legitimate interests

  • Objection to direct marketing

3. Receipt and Initial Processing

3.1 Request Channels

Requests may be received through:

  • Email to designated privacy contact

  • Written letter to registered office

  • Online privacy portal/form

  • Phone (must be followed up in writing)

  • In-person submission

3.2 Initial Assessment (Within 72 hours)

  1. Log the request in the SAR tracking system

  2. Verify that it is a valid SAR, i.e. it contains sufficient information to identify the individual

  3. Acknowledge receipt via secure communication

  4. Assign case reference number

  5. Determine request type and complexity level

3.3 Acknowledgment Template

Subject: SAR Acknowledgment - Reference [CASE_NUMBER]

Dear [NAME],

We acknowledge receipt of your data subject request dated [DATE]. 
Your request has been assigned reference number [CASE_NUMBER].

We will respond to your request within one month of receipt as required 
by applicable data protection laws. If we require additional time due to 
complexity, we will notify you within the initial month.

If you have any questions, please contact our Data Protection Officer 
at [CONTACT_DETAILS].

Regards,
[PRIVACY TEAM]

4. Authentication and Identity Verification

4.1 Standard Authentication

  • Government-issued photo ID (driver's license, passport, national ID)

  • Proof of address (utility bill, bank statement - within 3 months)

  • Signature verification (if applicable)

4.2 Enhanced Authentication (for sensitive requests)

  • Notarized identity confirmation

  • Video call verification

  • Multi-factor authentication through existing account

4.3 Third-Party Requests

  • Legal guardian: Court documentation required

  • Power of attorney: Valid POA document required

  • Legal representative: Formal authorization letter required

  • Deceased individual: Death certificate + proof of legal authority

4.4 Insufficient Authentication Response

If identity cannot be verified:

  • Request additional documentation

  • Explain what is needed and why

  • Pause processing until verification complete

  • Document all authentication attempts

5. Processing Timelines

5.1 Standard Timeline

  • 1 month from receipt of valid request

  • Clock starts when we have sufficient information to process

  • Calendar days, not business days

5.2 Extension Criteria

May extend by 2 additional months when:

  • Request is complex

  • Multiple requests from same individual

  • Large volume of data involved

5.3 Extension Notification

  • Must notify data subject within 1 month of original request

  • Explain reasons for delay

  • Provide new expected completion date

6. Data Collection and Review

6.1 Data Location Assessment

Identify all systems containing personal data:

  • Primary databases (CRM, HR systems, financial records)

  • Backup systems and archives

  • Email systems and communication platforms

  • Cloud storage and third-party services

  • Physical files and paper records

  • CCTV footage and security systems

6.2 Data Extraction Process

  1. Search all identified systems using individual's identifiers

  2. Extract relevant data in native format

  3. Review for accuracy and completeness

  4. Identify third-party data that may need redaction

  5. Check for privileged information (legal, confidential)

6.3 Data Review Checklist

  • All personal data identified and extracted

  • Third-party personal data redacted

  • Privileged information protected

  • Data accuracy verified

  • Metadata and audit trails included (if requested)

  • Backup and archived data searched

7. Response Preparation

7.1 Access Request Response Package

Cover Letter including:

  • Explanation of data categories provided

  • Sources of data collection

  • Purposes of processing

  • Legal basis for processing

  • Retention periods

  • Rights information

  • Contact details for questions

Data Package containing:

  • Structured data export (CSV, JSON, XML)

  • Document copies (PDF format)

  • Metadata information

  • Processing history (if available)

7.2 Other Request Types

Rectification Response:

  • Confirm changes made

  • Identify systems updated

  • Notify relevant third parties

  • Provide updated data copy

Erasure Response:

  • Confirm deletion completed

  • List systems/locations cleared

  • Explain any data retention requirements

  • Document legal basis for any retained data

Portability Response:

  • Structured, machine-readable format

  • Commonly used format (CSV, JSON, XML)

  • Include metadata and field descriptions

  • Secure transmission method

8. Secure Delivery Methods

8.1 Delivery Options (in order of preference)

  1. Secure portal access with multi-factor authentication

  2. Encrypted email with password protection

  3. Registered mail to verified address

  4. In-person collection with ID verification

  5. Secure file transfer service with access controls

8.2 Delivery Security Requirements

  • Encryption in transit and at rest

  • Access logging and audit trails

  • Automatic expiration of access links

  • Download confirmation and receipt acknowledgment

  • Secure disposal of physical copies

8.3 Large Data Sets

For responses exceeding 25 MB:

  • Use secure file transfer service

  • Split into multiple encrypted archives

  • Provide detailed file inventory

  • Include technical support contact

9. Fees and Charges

9.1 Free Provision

  • First request is free of charge

  • Reasonable requests are processed without fee

  • Standard complexity requests are free

9.2 When Fees May Apply

  • Excessive or repetitive requests (same individual, short timeframe)

  • Clearly unfounded requests (frivolous, harassment)

  • Additional copies of same information

  • Complex technical formats requiring significant resources

9.3 Fee Structure

  • Administrative fee: $25-50 per hour for excessive requests

  • Technical processing: $100-200 for complex data exports

  • Third-party costs: Pass-through charges for external services

  • Physical delivery: Actual postage and handling costs

10. Refusal Grounds and Process

10.1 Valid Refusal Grounds

  • Manifestly unfounded or excessive requests

  • Identity cannot be verified after reasonable attempts

  • Disproportionate effort required

  • Legal privilege or confidentiality restrictions

  • Rights of others would be adversely affected

10.2 Refusal Process

  1. Document reasoning with specific legal basis

  2. Provide written explanation to data subject

  3. Inform of complaint rights to supervisory authority

  4. Offer alternative solutions where possible

  5. Obtain legal review of the refusal decision

10.3 Refusal Response Template

Subject: SAR Response - Reference [CASE_NUMBER]

Dear [NAME],

Following review of your data subject request dated [DATE], we are unable 
to fulfill your request for the following reasons:

[SPECIFIC LEGAL BASIS AND EXPLANATION]

You have the right to lodge a complaint with the supervisory authority 
if you believe this decision is incorrect. You may contact [REGULATOR] 
at [CONTACT_DETAILS].

If you wish to discuss this decision, please contact our Data Protection 
Officer at [CONTACT_DETAILS].

Regards,
[PRIVACY TEAM]

11. Quality Assurance and Review

11.1 Internal Review Process

  • Peer review of all responses before delivery

  • Legal review for complex or refusal cases

  • Technical review of data extraction accuracy

  • Senior management approval for sensitive cases

11.2 Quality Checklist

  • All requested data identified and included

  • Third-party data properly redacted

  • Response within required timeframe

  • Secure delivery method confirmed

  • Documentation complete and accurate

  • Data subject rights information provided

12. Record Keeping and Documentation

12.1 Required Documentation

  • Request details and communication history

  • Authentication evidence and verification steps

  • Data extraction logs and system searches

  • Response content and delivery confirmation

  • Review decisions and approvals

  • Complaints or follow-up communications

12.2 Retention Period

  • SAR documentation: 7 years from completion

  • Refusal records: 10 years from decision

  • Complaint records: Per regulatory requirements

  • Authentication evidence: 3 years after case closure

13. Training and Awareness

13.1 Staff Training Requirements

  • Annual privacy training for all staff

  • Specialized SAR training for privacy team

  • System-specific training for data extraction

  • Legal update training for regulation changes

13.2 Training Topics

  • Data subject rights overview

  • Authentication procedures

  • Data extraction techniques

  • Secure communication methods

  • Escalation procedures

  • Regulatory requirements...

Ready to experience the BlueDocs advantage

See why teams choose BlueDocs for comprehensive knowledge management, training workflows, and policy compliance tracking.
