UK employers have one calendar month from receipt of a subject access request to provide a full written response — no charge, no exceptions for inconvenience, and no extensions unless the request is genuinely complex or the employer receives multiple requests simultaneously. Get it wrong and the Information Commissioner's Office can issue fines up to £17.5 million or 4% of annual global turnover under the UK GDPR.
What the law actually requires
The right of access sits in Article 15 of the UK GDPR, which came into force on 1 January 2021 as retained EU law under the European Union (Withdrawal) Act 2018, supplemented by the Data Protection Act 2018. A valid subject access request (SAR) does not need to mention "GDPR" or "Article 15" — any clear request for personal data the organisation holds about an individual counts, whether it arrives by email, letter, or even a social media message addressed to the HR account.
The response must include: confirmation of whether personal data is being processed; a copy of that data in an intelligible format; the purposes for processing; the categories of data involved; the recipients or categories of recipients to whom the data has been disclosed; the planned retention period; and information about the individual's rights to rectification, erasure, restriction, and complaint to the ICO.
The 30-day clock and when it starts
The clock starts on the day the request is received — not the day it is read, not the day HR decides it is a "formal" SAR. If a request arrives on a Friday afternoon, the month begins that Friday.
The one-month period runs calendar-month to calendar-month: a request received on 5 March is due by 5 April, or the last working day before that date if 5 April is a weekend or public holiday. Employers cannot pause the clock because an employee is on sick leave or because the person who handles data requests is unavailable.
The 90-day extension: narrow, documented, defensible
Article 12(3) of the UK GDPR allows an extension to three months total (an extra two months beyond the initial one) where requests are complex or numerous. The bar is higher than many HR teams assume.
An employer must notify the data subject within the original 30-day window that an extension is being taken, state the reasons, and give a revised completion date. "Complex" means, for example, that the request spans multiple internal systems across years of employment, involves significant third-party redaction work, or requires legal privilege review across a large volume of documents. The complexity must be genuine — ICO guidance is explicit that staff shortages or system limitations do not qualify.
Exemptions: what you can lawfully withhold
Three categories of information can legitimately be withheld, but each requires a documented decision.
Legal professional privilege. Communications between a solicitor and client that are confidential and prepared for the dominant purpose of litigation or legal advice can be withheld. The privilege belongs to the employer organisation, not the individual employee who wrote the email. If a document is part of ongoing litigation directly involving the data subject, take specific legal advice before withholding it.
Third-party personal data. Where responding in full would disclose personal data about another identifiable individual, the employer must weigh the rights of both parties. The Data Protection Act 2018 Schedule 2 paragraph 16 sets out this balancing test. In practice, redact names and identifying details of colleagues mentioned in appraisals, grievance records, and internal notes — but do not use the presence of third-party data as a blanket reason to withhold an entire document.
Manifestly unfounded or excessive requests. Under Article 12(5), an employer can refuse to act or charge a reasonable fee if a request is manifestly unfounded or excessive, particularly where it is repetitive. This exemption is narrowly applied by the ICO — the fact that a request is burdensome, voluminous, or arrives during a tribunal claim does not make it manifestly unfounded. Employers who rely on this exemption must be prepared to demonstrate why.
Five mistakes UK employers make with SAR responses
1. Treating the request as conditional on identity verification. Employers may ask for enough information to confirm who is making the request, but cannot demand formal ID as a prerequisite unless there is genuine doubt about identity. Asking a current employee to produce a passport before responding to a SAR they submitted from their work email address is unnecessary and delays the clock.
2. Sending data in an inaccessible format. The UK GDPR requires information to be provided in a "concise, transparent, intelligible and easily accessible form." A 4,000-page PDF dump of unindexed email threads, with no structure and no explanation, likely fails this standard. Organise the response: cover letter summarising what is included, the data itself in labelled sections, and a clear explanation of any exemptions applied.
3. Withholding entire documents instead of redacting. Legal professional privilege and third-party data protection justify targeted redaction, not blanket document suppression. Redact the protected sections and disclose the rest. Document your reasoning for each redaction in an internal log — if the ICO investigates, you will need to explain every withheld line.
4. Missing the extension notification deadline. Employers who decide to take the 90-day extension but forget to notify the data subject within the initial 30 days cannot retrospectively claim the extension. At that point the response is already late, and the ICO treats the failure to notify as a separate breach.
5. Overlooking informal data stores. SARs cover all personal data the employer holds, not only HR files. That includes Slack or Teams message histories, manager notes saved to personal drives, CCTV footage, vehicle tracking data, and records held by third-party payroll processors acting as data processors on the employer's behalf. Limiting the search to the main HR system and missing an entire category of data exposes the organisation to enforcement action even if the formal HR records were disclosed correctly.
What the response letter must contain
A compliant SAR response letter should open by confirming receipt of the request and the date it was received, state the scope of the search conducted, list any exemptions applied and the legal basis for each, attach or link the disclosed data, and advise the data subject of their right to complain to the ICO at ico.org.uk if they are dissatisfied with the response.
Keep a copy of the full response, the disclosed data, the internal redaction log, and any extension notification. The ICO expects organisations to demonstrate accountability under Article 5(2) — if you cannot show what was disclosed and why, you cannot defend a complaint.
ICO enforcement in practice
The ICO can issue reprimands, enforcement notices, and monetary penalty notices. In employment contexts, fines for SAR failures tend to arise from systemic non-compliance or deliberate obstruction rather than isolated late responses, but the ICO has issued civil monetary penalties against employers in the healthcare, local authority, and financial services sectors for repeated failures.
A data subject who receives no response within the statutory period can complain directly to the ICO without any further steps. The ICO's standard practice is to contact the organisation for an explanation — a well-documented internal process will significantly reduce the risk of escalation.
How a data processing agreement fits in
Employers who use third-party processors — payroll bureaus, occupational health providers, cloud HR platforms — to handle employee data must have a written data processing agreement in place under Article 28 of the UK GDPR. That agreement should specify the processor's obligations when the employer receives a SAR that covers data the processor holds. A compliant UK data processing agreement sets out these obligations in writing, ensuring the processor must assist the controller in responding to subject access requests within the timeframes required by law.
Without that contractual foundation, employers often discover — mid-SAR — that their payroll provider or HR platform has no documented obligation to return data on request within a set timeframe, leaving the employer in breach while the processor takes weeks to respond.
A practical 30-day timeline
- Day 1: Acknowledge receipt in writing; log the request date internally; begin mapping which systems hold the individual's data.
- Days 1–7: Search HR system, email archives, messaging platforms, shared drives, and any third-party processor records.
- Days 7–20: Review documents, apply exemptions with written justification for each, prepare redacted copies.
- Days 20–25: Prepare the response letter; have it reviewed by a data protection officer or legal adviser if any exemptions are contested.
- Day 28 at the latest: Send the response. Building in two days before the deadline gives a buffer if a final review raises issues.
If by day 25 it is clear the full response cannot be completed, send the extension notice immediately — do not wait until day 30.
Forms Legal provides document templates for UK employers and is not a law firm. For complex SARs involving litigation, criminal allegations, or large volumes of privileged material, take advice from a solicitor with data protection experience.