Create a bespoke document in minutes, or upload and review your own.
Get your first 2 documents free
Your data doesn't train Genie's AI
You keep IP ownership of your information
Subject Access Request
I need a subject access request template to request personal data held by a company, ensuring it includes sections for identifying information, specific data requested, preferred format for receiving the data, and a deadline for response in compliance with GDPR regulations.
What is a Subject Access Request?
A Subject Access Request is your legal right to ask any organization about the personal data they hold about you. Under Irish data protection law, you can request copies of this information and learn how it's being used. This right comes from both the GDPR and the Irish Data Protection Act 2018.
Organizations must respond within one month of receiving your request, though they can extend this by two months for complex cases. You can make these requests verbally or in writing, and companies can only charge a fee in rare cases where requests are excessive. The request lets you see everything from basic contact details to any opinions or decisions made about you.
When should you use a Subject Access Request?
Use a Subject Access Request when you need to understand exactly what personal information an Irish organization holds about you. Common situations include checking your medical records before changing healthcare providers, reviewing your employment file before a workplace dispute, or investigating why you've been denied credit or insurance.
It's particularly valuable when dealing with data accuracy concerns, preparing for legal action, or investigating suspected discrimination. Many people submit these requests to banks, employers, or social media companies to gain clarity on automated decisions affecting them. The request gives you concrete evidence of how your data is being processed and shared.
What are the different types of Subject Access Request?
- Subject Access Request Settlement Agreement: Used when requesting personal data as part of a legal settlement process, typically involving employment disputes or compensation claims. This variation includes specific terms about data handling during settlement negotiations.
- General Subject Access Request: A standard format requesting all personal data an organization holds, commonly used for regular data audits or general information gathering.
- Detailed Subject Access Request: Includes specific categories of data and date ranges, often used when investigating particular incidents or decisions.
- Emergency Subject Access Request: Used in urgent situations requiring faster response times, such as medical emergencies or time-sensitive legal proceedings.
Who should typically use a Subject Access Request?
- Data Subjects: Any individual in Ireland can submit a Subject Access Request to see their personal data. This includes employees, customers, patients, and citizens.
- Data Controllers: Organizations that hold personal data must respond to these requests, including companies, government agencies, healthcare providers, and schools.
- Data Protection Officers: Responsible for managing and coordinating responses to Subject Access Requests within their organizations.
- Legal Representatives: Often help draft requests or responses, especially in complex cases involving multiple data sources or legal disputes.
- The Data Protection Commission: Ireland's supervisory authority that enforces compliance and handles complaints about request handling.
How do you write a Subject Access Request?
- Identity Verification: Gather official ID like your passport or driving licence to prove who you are.
- Organization Details: Identify the correct legal entity and their Data Protection Officer's contact information.
- Data Specifics: List exactly what personal information you're seeking and any relevant time periods.
- Previous Contact: Note any reference numbers or previous interactions with the organization.
- Format Preference: Specify how you want to receive the information (email, post, or digital copy).
- Document Generation: Use our platform to create a legally-compliant request that includes all required elements under Irish law.
What should be included in a Subject Access Request?
- Personal Details: Your full name, address, and any account numbers or identifiers used by the organization.
- Request Scope: Clear statement specifying which personal data you're requesting access to.
- Time Period: The specific timeframe for which you want information.
- Identity Confirmation: Declaration confirming you are the data subject, with proof of identity reference.
- Response Format: Your preferred method of receiving the information.
- Legal Basis: Reference to Article 15 GDPR and the Data Protection Act 2018.
- Response Timeline: Mention of the statutory one-month response period.
What's the difference between a Subject Access Request and an Access Agreement?
A Subject Access Request differs significantly from an Access Agreement in both purpose and legal framework. While both deal with access rights, they serve distinct functions under Irish law.
- Legal Basis: Subject Access Requests are a fundamental data protection right under GDPR, while Access Agreements are contractual arrangements governing physical or digital resource access.
- Purpose: Subject Access Requests focus exclusively on obtaining personal data an organization holds about you, whereas Access Agreements establish terms for ongoing access to facilities, systems, or services.
- Time Frame: Subject Access Requests require response within one month and are typically one-time requests. Access Agreements usually establish longer-term, continuous arrangements.
- Negotiation Scope: Subject Access Requests are non-negotiable statutory rights, while Access Agreements can be negotiated between parties to suit specific needs.
Download our whitepaper on the future of AI in Legal
Genie’s Security Promise
Genie is the safest place to draft. Here’s how we prioritise your privacy and security.
Your documents are private:
We do not train on your data; Genie’s AI improves independently
All data stored on Genie is private to your organisation
Your documents are protected:
Your documents are protected by ultra-secure 256-bit encryption
Our bank-grade security infrastructure undergoes regular external audits
We are ISO27001 certified, so your data is secure
Organizational security
You retain IP ownership of your documents
You have full control over your data and who gets to see it
Innovation in privacy:
Genie partnered with the Computational Privacy Department at Imperial College London
Together, we ran a £1 million research project on privacy and anonymity in legal contracts
Want to know more?
Visit our Trust Centre for more details and real-time security updates.
Read our Privacy Policy.