Data Subject Access Requests: How We Help You Respond

Data Subject Access Requests: How We Help You Respond

Under UK GDPR, individuals have the right to request a copy of personal data held about them (a Subject Access Request, or SAR). If you receive a SAR that involves data held in systems we built or manage, here is how we can help you respond.

The 30-Day Requirement

UK GDPR requires you to respond to a SAR within one calendar month (30 days) of receipt. In complex cases, you can extend this by a further two months — but you must notify the data subject within the first month. This timeline is your responsibility as Data Controller.

What We Can Help With

• Data extraction: We can extract all personal data held about a specific individual from systems we built, in a readable format
• Identifying data locations: We can help you understand where personal data is stored across your systems
• Reviewing third-party subprocessors: We can advise on what data is held by third-party services used in your system
• Redaction support: Where a SAR response requires redaction of third-party data, we can assist with technical aspects of redaction

How to Request Our Assistance

1. Raise a support ticket (subject line: "SAR Assistance — [Individual Identifier]")
2. Provide the date you received the SAR and the individual's identifier (name, email, user ID)
3. Specify which systems or data sets are in scope

We aim to provide data extracts within 5 business days of request — allowing you sufficient time to review and respond within the 30-day window.

Your Responsibilities

Progressive Robot provides technical assistance — you remain responsible as Data Controller for: verifying the identity of the requestor, reviewing the extracted data before sharing it, applying any applicable exemptions, and delivering the response to the individual.