GDPR process - Subject Access Requests (SARs)

Subject Access Requests – myhrtoolkit Users FAQ

What is a Subject Access Request (SAR)?

Under the GDPR, individuals have the right to obtain confirmation that their data is being processed and access to their personal data. A Subject Access Request (SAR) is the statuary mechanism by which individuals may exercise these rights to access their personal data and verify the lawfulness of the processing.


What is a User?

A User of myhrtoolkit is a person whose employer or organisation currently or previously subscribed to the myhrtoolkit online software system.


Who can raise an SAR?

Any individual who may reasonably believe that we hold their data.


Who should it be sent to?

We are advised by the Information Commissioner’s Office (ICO), that any SAR should be initially sent to the applicable Data Controller. This is most likely to be your employer or organisation. Myhrtoolkit does not act as Data Controller for any customer data.
In cases where it is demonstrated the Data Controller is unable or unwilling to respond, myhrtoolkit may be approached with an SAR. It should be noted that before we are only able to release information with the permission of the relevant Data Controller.


How do you submit an SAR?

You can email us at or alternatively you can write to us at our registered address.
Any SAR needs to be reasonable in scope. We consider it to be unreasonable to approach us, as we are a data processor, before exhausting all other lines of enquiry with your Data Controller. In the event that we receive an SAR from you, we reserve the right to liaise with your Data Controller to fulfil any request.


What happens next?

Before we can respond, we will need to validate that the person making the request is who they say they are. We may require details of your passport or another acceptable identity document. We may also liaise with your Data Controller.
A request is then assessed to ensure it is a valid SAR. If so, we will acknowledge receipt and registration your request. If not, we will respond to you, explaining why we cannot treat your request as an SAR.


What does GDPR say about response times?

An SAR should be responded to within 1 month of receipt.
Where requests are complex or numerous, the above timescale may be extended to three months. However, you should still receive a response to the request within a month, explaining why the extension is necessary.
In certain circumstances, a request may be refused on the grounds that it is ‘manifestly unfounded or excessive’. Refusing a request cannot be done lightly. In these cases, you would normally expect to be advised of this within a month.


What information do we provide?

In cases where myhrtoolkit fulfils the SAR, we will provide the personal information that we hold on you as an individual. We do not provide uploaded documents nor are we currently able to provide transactional or audit based data.


Organisations who no longer use the myhrtoolkit system

Shortly after an organisation stops using myhrtoolkit, all identifiable user data is automatically archived and then subsequently deleted.


Previous employers / organisations

If you leave your current organisation, you may be processed as a ‘leaver’ with some personal information deleted and the remainder archived and / or anonymised. The level of personal information removed in this process is governed by system settings made by your Data Controller.


How can I access my own information?

If your organisation uses the myhrtoolkit system, you can access a lot of your own information via the myhome screen and functions. If you do not have login access, your organisation’s myhrtoolkit Controller can grant this.


free data migration
unlimited free support
3 month MOT