Data Protection – How to deal with Subject Access Requests?

Rudd v Bridle

Following the arrival of GDPR there has been a notable increase in the number of subject access requests (SARs) whereby individuals have made formal requests to receive details of the personal data held on them by a business. As these requests can be time-consuming and expensive to deal with, it is no surprise that businesses have been seeking to minimise their efforts responding to a SAR.

The recent important decision in Rudd v Bridle has examined the whole area of SARs and a number of important principles have been confirmed:

  • Who is the data controller in relation to personal data? The simple answer is that this is the party who ultimately decides the purposes and manner in which personal data is being processed – in this case, the court decided that the facts pointed clearly to Mr Bridle being the data controller and not his company – his had important implications as the final court order made was against Mr Bridle personally;
  • No right to receive documentation – the person making a SAR has no right to receive documents, but only a right to receive the information comprising his/her personal data -accordingly, businesses can feel emboldened to reject requests for documents;
  • What type of information is covered by the term “personal data”? The court decided that the identity of recipients of information relating to the individual making a SAR can be part of the relevant personal data and subject to disclosure where this information is significant in a biographical sense and where its main focus is the individual making the SAR – consequently, “personal data” can be an elastic concept and is not limited to the personal attributes of an individual;
  • Withholding information relating to third parties – although the relevant legislation allows certain information relating to third parties to be withheld in certain circumstances, the court was at pains to point out that this did not provide a blanket ban on any third party information being disclosed at all and criticised Mr Bridle for his attempts to do so;
  • Exemptions from responding to a SAR – Mr Bridle’s attempts to avoid responding further to the initial SAR were based on the journalistic, regulatory activity and legal privilege exemptions and, in each case, the court held that the exemptions did not apply and that in order to rely upon them, the recipient of a SAR had to have clear evidence that they applied;
  • Was the initial SAR response adequate? This was the only issue where the court found in favour of Mr Bridle: as long as the SAR is reasonably intelligible, there was no additional requirement to provide complete paragraphs or sentences in making a response – short, factual statements/comments would be sufficient.

Businesses on the receiving end of a SAR need to be particularly aware of the fact there is a potential risk to directors who could incur personal liability if found to be the data controller and they also need to realise that “personal data” can have a surprisingly wide scope. At the same time, businesses should be comforted by the fact that there is a clear ruling that the SAR does not entitle the individual to receive actual documents.

For further advice and information on SAR, please contact Commercial Solicitor, John Warchus on 020 8332 8631 or email:

You can also find out more about how our commercial solicitors can help your business.