To enlarge video please either pause the video and then press the F key on your keyboard or select full screen button option located on the bottom right of the video.

You are currently not logged in. Any progress made will be lost.

Subject Access Requests and Other Rights

New individual rights 

The key new individual rights are:

  • Right to port personal data: this is the right to ask a data controller to transfer their personal data to another data controller.  This is for data which is collected by informed consent or contract.  This is largely about things like switching banks or utility providers but could be used by panellists wishing to move to another panel provider
  • Right ‘to be forgotten’ – the right of erasure: this is the right to ask for personal data to be erased, although it is not an absolute right
  • Right to restrict processing: this is the right to restrict personal data and for individuals to ask for data to only be used for specific purposes


Strengthened individual rights

The strengthened individual rights are:

  • The right to access personal data (see below)
  • Right to be informed – lots of information needs to be relayed to individuals to ensure that they are ‘informed’ and understand the impact of agreeing to provide their personal data.  Examples of the kinds of information includes:

o    Contact details of Data Protection Officers (if applicable)

o    Data retention periods

o    Contact details of data processors, controllers and third parties

o    Purpose for collecting personal data

o    Whether personal data is transferred

o    Categories of personal data collected

One way to communicate this information is via Data Protection Policies, notices and also recruitment documentation.

  • Right to object – this supplements the right to withdraw that participants have always had. The right to object to processing is absolute for direct marketing
  • Right to rectification of inaccurate personal data - individuals have the right to have inaccurate personal data rectified
  • Rights on automated processing and decision making – individuals have the right to understand if automated processing and decision-making is being applied to their personal data, for example via the use of algorithms.  Individuals have a right to understand the logic and impact of the automated processing and decision making

All of these rights need to be promoted and proactively communicated to individuals (via recruitment documentation for example), and how individuals can easily exercise their rights.

Individuals have the right to access their personal data.  This is commonly referred to as subject access. Individuals can make a subject access request verbally or in writing. You have one month to respond to a request. You cannot charge a fee to deal with a request in most circumstances.

The data subject must make a subject access request in writing for it to be valid – this includes letters, email and also social media. If the data subject is physically unable to make the request in writing then an exception can be made to accept a verbal request under the Disability Discrimination Act 1995. Even if the data subject does not explicitly mention the Data Protection Act you must still treat their request as a valid claim if it is clear they are asking for their personal data.

Individuals have the right to confirmation that you are processing their personal data; a copy of their personal data; and other relevant information such as the purposes of the processing, recipients of the data, retention periods, categories of data being collected (e.g. special category data); plus the right to complain to the ICO, have the data rectified (if wrong), erased or restricted.

An individual is only entitled to their own personal data and not to other people's data (unless they are making the request on someone else's behalf).  If an individual makes a request electronically you should provide the information in a commonly used digital format, unless the individual requests another format i.e. paper copies.  

If sending participant data electronically remember the information must be sent securely e.g.  using SFTP.

Transparency requirements

In order to be prepared for meeting any request for these rights you should consider for example:

  • If using consent, ensure processes are well documented with verifiable records of when and how you obtained consent
  • Use clear language in your notices and your recruitment documentation so that individuals who agree to participate in your projects understand from the beginning what they are agreeing to


Subject Access Request Form template