Subject access request

Also: SAR, right of access, GDPR Article 15

Origin: GDPR Article 15 (Regulation (EU) 2016/679); analogous provisions in revFADP Article 25 and Council of Europe Convention 108+ Article 9.

The right of a data subject to obtain from a controller confirmation that personal data concerning them is being processed, a copy of that data, and information about the processing — its purposes, recipients, retention period, and source. Codified in GDPR Article 15 and equivalent provisions in revFADP and other adequacy-rated regimes.

A subject access request is the right of a data subject — the natural person to whom personal data refers — to obtain from a data controller (a) confirmation that personal data concerning them is being processed, (b) a copy of that data, and (c) the information surrounding the processing: the purposes, the categories of data, the recipients or categories of recipients, the retention period or the criteria used to determine it, the source of the data where it was not collected from the subject, and the existence of any automated decision-making.

The right is codified at GDPR Article 15 in EU law, at revFADP Article 25 in Swiss law, and at analogous provisions in the modernised Council of Europe Convention 108+. The instrument is the principal civil mechanism through which an individual can establish what an operator holds about them — and in jurisdictions with a developed adequacy posture, it is enforceable in court if the controller fails to respond.

Operationally, a subject access request is a different procedural creature from a law-enforcement demand. The requester is the data subject themselves, not the state; the response is owed to that subject directly; the legal review is civil and the supervisory authority (in the EU, the national data-protection authority; in Switzerland, the FDPIC) is the principal escalation path. The timing standard is one month from receipt for most regimes, with an extension possible for complex requests. The format is the data subject’s choice within reason; electronic formats are the default.

For an offshore-hosting operator the right of access is a discipline more than a burden. It compels the operator to know what it actually holds, to retain only what it can justify, and to be able to produce it on demand. The publication’s Privacy policy sets out how subject access requests are processed; counsel review is open on the procedural detail.