Your browser does not support JavaScript

Subject Access Request (SAR) policy

£ 9
Get much more with our
Security and information policy bundle:

Our Subject Access Request (SAR) Policy Template outlines procedures for handling data requests, ensuring compliance with data protection regulations and safeguarding individuals' privacy rights.

Reading time
How long to understand and implement this policy?
5 mins
Word count
How many words in this policy?
We also have budget-friendly bundles featuring this template:

What is a Subject Access Request (SAR) policy?

The purpose of this Subject Access Request (SAR) policy is to provide you with a flexible and customisable document to serve as a robust and effective starting point for you.

By using our Subject Access Request (SAR) policy, you can streamline your process, maintain consistency and accuracy, and save time, and it can be easily adapted to fit your specific scenario.

Best practice timescale for this to be issued
When should this policy be issued?
During onboarding / after changes / planned refresher
Issued by who, to whom
Who should issue this policy, and to whom?
Internally issued to appropriate recipients in your Company
Applicable legal jurisdiction
In which jurisdiction can this policy be used?
Great Britain & NI (United Kingdom)

Subject Access Request (SAR) Policy


This Subject Access Request (SAR) Policy outlines the procedures and guidelines for handling SARs received by [Your Organization's Name]. The policy is designed to ensure compliance with data protection laws, including the General Data Protection Regulation (GDPR), and to safeguard the rights of individuals regarding their personal data.


This policy applies to all employees, contractors, and agents of [Your Organization's Name] who may handle SARs on behalf of the organization. It covers the process for receiving, assessing, and responding to SARs in a timely and efficient manner.

General Principles


  • Subject Access Request (SAR): A request made by an individual to obtain access to the personal data held about them by [Your Organization's Name].
  • Data Controller: The organization that determines the purposes and means of processing personal data.
  • Data Processor: An entity that processes personal data on behalf of the data controller.


  • Data Protection Officer (DPO): The DPO is responsible for overseeing compliance with data protection laws, including the handling of SARs, and ensuring that appropriate procedures are in place.
  • HR Manager/Officer: The HR Manager/Officer is responsible for receiving, assessing, and responding to SARs received by the organisation.
  • Employees: All employees are responsible for promptly forwarding any SARs they receive to the HR Manager/Officer and cooperating with the SAR process as required.

SAR Procedure

  • Receipt of SAR: SARs may be submitted in writing or verbally. Employees who receive a SAR must promptly forward it to the HR Manager/Officer.
  • Verification of Identity: The HR Manager/Officer must verify the identity of the individual making the SAR to ensure that personal data is disclosed to the correct person.
  • Assessment and Response: The HR Manager/Officer will assess each SAR to determine whether it is valid and whether any exemptions or limitations apply. A response will be provided to the individual within one month of receipt, unless an extension is necessary.
  • Record-Keeping: Records of SARs received and actions taken in response must be maintained in accordance with data protection laws.

Training and Awareness

All employees involved in handling SARs will receive training on their responsibilities under this policy and data protection laws. Regular updates and refresher training will be provided as necessary to ensure ongoing compliance.

Review and Monitoring

This policy will be reviewed and updated regularly to reflect changes in data protection laws and organisational practices. Compliance with the policy will be monitored through regular audits and assessments.


This SAR Policy demonstrates [Your Organisation's Name]'s commitment to protecting the privacy rights of individuals and ensuring compliance with data protection laws. By following the procedures outlined in this policy, we aim to handle SARs effectively and transparently while respecting individuals' rights regarding their personal data.

This policy [does not] form[s] part of your terms and conditions of employment.

Version: [1.0]

Issue date: [date]

Author: [name, job title]

This is a preview. Access to the remainder requires a purchase.

£ 9

Get much more with our
Security and information policy bundle:
Subject Access Request (SAR) policy
subject access request (sar) policy