Subject access code of practice - Dealing with requests from individuals for personal information (EU)


Key Questions: What do I when faced with a subject access/personal information request? Who does subject access apply to in the EU?

This code of practice explains the rights of individuals to access their personal data. It also clarifies what you must do in this regard to comply with your duties as a data controller.

Any organizations that hold personal data should use the code to help them understand their obligations to provide subject access to that data and to help them follow good practice when dealing with subject access requests. The good practice advice in the code will help all organizations – whether they are in the public, private or third sector. 


  • About this code of practice 
  • Overview of subject access
  • Taking a positive approach to subject access
  • Recognizing a subject access request
  • Responding to a subject access request - general considerations
  • Finding and retrieving relevant information
  • Dealing with subject access request involving other people's information
  • Supplying information to the requester
  • Exemptions
  • Special cases
  • Enforcing the right of subject access
Contact Person/Organization: 

Information Commissioner's Office (ico.)

Type of Tool:

Publication Date: 

Subject Access Requests