Accessibility statement

Subject Access Requests

Q1. What information can I obtain?

Under the GDPR, you can obtain: 

  • confirmation that personal data is being processed; 
  • a copy of your personal data; 
  • supplementary information about the processing i.e. information outlining: 
    • the purpose of the processing;
    • the categories of personal data concerned;
    • the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; 
    • where possible, the envisaged period for which the personal data will be stored or, if not possible, the criteria used to determine that period; 
    • the existence of the right to request from the University rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; 
    • the right to lodge a complaint with a supervisory authority; 
    • where the personal data are not collected from the data subject, any available information as to their source; 
    • the existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for you.
    • the safeguards in place for any data transfers to a third country or international organisation.   

Q2. How do I make a Subject Access Request?

Requests can be made verbally or in writing. They should include reasonable information to enable the University to identify and locate the information sought. They must also be accompanied by sufficient proof of identity. The University accepts the following forms of identification, photocopy:

  • birth certificate
  • drivers' licence
  • passport
  • university ID card

Please note, ID checks are designed to protect your personal data from unauthorised disclosure.

Requests should be sent to: 

Data Protection Officer, Legal Services, Corporate and Information Services, University of York, Heslington, York, YO10 5DD or emailed to


Q3. What will happen if the request is manifestly unfounded or excessive?

Where requests are manifestly unfounded, excessive or repetitive, the University will either: 

  • charge a reasonable administrative fee to provide the information, or; 
  • refuse to respond. 

Where a request is refused, the University will explain why and will inform you or your rights to complain to the supervisory authority and to a juidicial remedy without undue delay and at the latest within one month. 

Q4. Do I have to pay a fee?

Typically, no. The University will not charge a fee for routine subject access requests. However, in line with the GDPR, the University may charge a 'reasonable fee' where requests are manifestly unfounded, excessive or repetitive. An administrative fee may also be charged where requests for further copies of the same information are made. Where a fee is charged, the one-month time limit for compliance will not begin until the fee has been paid.

Q5. When will I receive the information requested?

Information will be provided as soon as possible and within one month of receipt of your Subject Access Request.

The University receives a subject access request on 15 May. The time limit for compliance starts same day. The deadline for compliance will be 15 June.   

Where the following month is shorter and there is no corresponding calendar date, the deadline for compliance will be the last day of the month. 

The University receives a Subject Access request on 31 January. The time limit for compliance starts same day. The deadline for compliance will be 28 February. 

If the corresponding date falls on a weekend of public holiday, the deadline will be the next working day. 

Please note, in certain circumstances, the University may extend the timeframe for compliance by a further two months where requests are complex or numerous. Where this is done, the University will inform you of the intended extension within one month of receipt of the request and explain why the extension is necessary. 

Q6. In what format will information be provided?

Where requests are made electronically, information will be provided in a commonly used electronic format, typically PDF. Requests received by post will be responded to in paper form unless an alternative means of communication is specified by the applicant. 

Q7. Where can I get further information?

In the first instance, have a look at the ICO's Subject Rights Guidance, available here. If things are still unclear, get in touch with the University's Data Protection Officer at or by telephone on extension 3869.