Can a SAR be refused?

Refusals are very narrow: 'manifestly unfounded or excessive' (rare and requires documented justification), or when fulfilment would disproportionately affect another person's rights. Bona fide SARs cannot be refused — only delayed by a further 2 months if 'complex or numerous'.

Can you charge for a SAR?

Generally no — the first copy is free under GDPR. Repeat or excessive requests can attract a reasonable administrative fee. In practice, most controllers absorb the cost rather than risk a regulator complaint over fees.

Home › Glossary › Subject Access Request (SAR)

Compliance

Subject Access Request (SAR) — Plain English Definition + Examples

Subject Access Request (SAR) is the legal right of a data subject to obtain confirmation of whether their data is being processed, a copy of that data, and information about the processing purposes, recipients, and retention.

Definition

A Subject Access Request (SAR), under GDPR Article 15, is the legal right of a data subject to obtain confirmation of whether their data is being processed, a copy of that data, and information about the processing purposes, recipients, and retention.

In day-to-day European MICE and procurement work, subject access request (sar) sits inside a broader workflow that includes the brief, the longlist, the shortlist, the contract negotiation, and the post-event reconciliation. Understanding it in isolation is not enough — what matters is how it interacts with the other levers a planner or procurement team can pull. The definition above is the textbook version; the sections below explain how it actually behaves in real sourcing.

Why Subject Access Request (SAR) matters

SARs are time-bound (30-day response) and labour-intensive (collecting data from multiple systems and processors). MICE buyers without a documented SAR process can spend 40-80 hours fulfilling a single request that touches event registration, hotel rooming lists, and post-event surveys.

The practical takeaway: planners and procurement teams who get subject access request (sar) right typically see measurable improvements in either cost, risk exposure, or cycle time — sometimes all three. Teams who default to the supplier's standard language usually leave 5-15% of total event value on the table, often without realizing it. The skill is recognising subject access request (sar) when it appears, knowing the market-standard range, and treating any deviation from that range as a negotiation point — not a take-it-or-leave-it.

Example

An attendee submits a SAR to the event organiser asking for all data held about them. The organiser pulls registration data, attendance logs, post-event NPS responses, and instructs the hotel (processor) to provide rooming-list data. Total response: a single PDF dossier of 24 pages, delivered within 27 days.

This example is representative of mid-to-large European corporate MICE — pharma, finance, tech, professional services. Smaller events (under 50 attendees) and very large events (1,000+) often follow different conventions, but the underlying logic of subject access request (sar) stays the same. The numbers move, the principle doesn't.

Where Subject Access Request (SAR) appears in contracts

The DPA must require the processor (hotel) to assist with SAR fulfilment — typically by providing the data subject's records within 14 days of controller instruction. Specifying this in advance turns a fire-drill into a documented process.

When reviewing a hotel proposal or contract draft, scan for subject access request (sar) early — it's often easier to negotiate before the supplier has anchored on their preferred position. Easy RFP surfaces these terms in every comparison view so planners can spot deviations from market-standard ranges at a glance, rather than reading 14-page proposals line by line.

Related terms

Deeper reading

Related guides on the blog

Put this into practice

Easy RFP builds subject access request (sar) thinking into every hotel RFP — so you negotiate from data, not from memory.

Operationalise SAR response →