
Email SARs

by Adam Brogden
in Blog

07-Aug-2019 11:52

So, you have received a Subject Access Request asking for copies of ALL emails sent to/from a customer/ex-employee/other data subject. What do you have to do? This is a really tricky question and really not as simple as you might think. The first thing to remember is that you really must respond in time - don’t ignore the request and make sure you respond courteously.

The GDPR is really not clear here and there is little in the way of case law to give you any better clues, so rather than try to give you a simple [and probably incorrect] answer, here is a set of guidelines that should help you determine how to respond.

  1. You must reply - a SAR is a SAR even if you don't like the request or the person making it, or are too busy!

  2. The data subject does not have an absolute right to request ALL emails ever sent - in fact you can reject requests that you consider excessive, vexatious, malicious, or unfounded. However, rather than reject the request, we would recommend you talk to the data subject and ask them what information they actually need.

  3. You must respond within 30 days - the actual calculation is 30 days after the day you received the request, unless that falls on a weekend, in which case you have to reply on the next working day. These extra days might just save your life if you have left your response too late.

  4. You need to redact the data of anyone else who is included in the information unless you have their consent or unless you can reasonably assume they would not object.

  5. Where the request is particularly complicated or involves a high volume of data, you can claim an extension of up to 2 months after the 30 days. You would need to be sure that this is a reasonable decision and that you are not just being lazy!

  6. Do not under any circumstances delete the emails to avoid this - you would need to be able to prove that they were deleted prior to receiving the request or you could end up in big trouble!

  7. The data you need to supply is anything that relates to them - not just their name, address, email etc. This is a tricky area so think carefully. You would generally need to supply the entire content of the email, not just their email address - remembering to redact the details of anyone else.

Here are a few useful links:

ICO guide to right of access.

Definition of “Relates To”.

GDPR Recitals.

As you can see, this is a very tricky area. Please call to discuss any cases and we will try to help! As ever, we also suggest you call the ICO for complicated cases.

Good luck all.