How do I submit a data subject access request?

“My client asked me to submit a data subject access request (DSAR) to a limited company. It was on headed paper and stated I had my client’s authority. The company claims it’s defective and I failed to provide ‘sufficient evidence’ I act on the data subject’s behalf. It’s asked for ID to verify the data subject’s identity. Is the DSAR defective?”

Before responding to a data subject access request (DSAR), data controllers should make sure they are satisfied as to the data subject's identify.

However, it is not necessary in every case to require evidence of identity if, for example, the respondent has had previous dealings with the data subject.

Article 12(6) of the General Data Protection Regulation (GDPR) 2016 provides the data controller may request the provision of information necessary to confirm the identity of the data subject where the controller has reasonable doubts concerning the identity of the person making the request.

The validity of DSARs submitted by solicitors on behalf of clients was considered by the High Court in Gurieva v Community Safety Development (UK) Ltd [2016] EWHC 643.

In his judgment, Mr Justice Warby noted:

"Where the requester is not the data subject it may be reasonable to look for proof of authority. But if the requester is a firm of solicitors which confirms authority in the DSAR itself, no more should ordinarily be required."

Disclaimer

While every effort has been made to ensure the accuracy of the information in this article, it does not constitute legal advice and cannot be relied upon as such. The Law Society does not accept any responsibility for liabilities arising as a result of reliance upon the information given.

Have you got a practice question?

Call the Practice Advice Service on 020 7320 5675 or email practiceadvice@lawsociety.org.uk.

The Practice Advice Service is staffed Monday to Friday from 9am to 5pm.