Subject Access Request (SAR)


NRU Heed
15 Mar 2012
Falkirk, United Kingdom
Any corporation operating within the EU needs to comply with data protection regulations. Any data collected on an identifiable individual needs to be relevant and appropriate. That means that if they are gathering info on a person it should be appropriate for the purpose and shouldn’t be excessive. For example, a bank obviously needs to retain financial information about a client but doesn’t need to know what shoe size they are as it is irrelevant to that person having a banking account.

A life assurance society however may require additional information about an individual’s health because the insurance premium will be calculated on those and other factors. In that case health information is relevant but if they were asking if you liked BF4 or BFV that would not be.

Companies are required to also ensure that information is accurate and up to date. They have a duty to ensure that is so which is why you will get requests to confirm email addresses and telephone numbers are still correct.

The related data protection legislation also allows individuals access to data through a process called SAR, or subject access requests. On receiving a request, which may require a nominal fee to cover administrative costs, the data holder is required to provide all data to the requestee that is related to the identifiable individual. Depending on the organisation that should include not only central database details but also emails and other sources where the individual is referenced.

So in the case of a ban it should be possible to request all information that is held within an individual's account.

Whilst this may not ultimately help get a ban removed it may actually point to what caused the ban to be triggered. The fact the information is being requested could also trigger a more formal review of what happened. It may be a long shot but could be worth the effort. A ban through one of the independent stat collectors may be different, but if it is a ban through EA, where you have a relationship through purchasing a product, there should be some formal method of appeal and having the information may help with arguing that a ban is unreasonable or unjustified.

Whilst an organisation like PB may not be a commercial entity they will be holding information on an identifiable individual too. They may not know who player xyz is but there is a link through BF and EA to an individual and therefore they should also be subject to SARs.

Ultimately it may not help to get a ban lifted but if you feel that a ban is unjustified or just wrong getting information that they have could help.

Whilst it may seem like a pain to do it may be worth the effort. The laws are there to protect us too. For example those people who were using our logo a while back were dealt with. Took a little time but we won in the end using the appropriate procedures.

I used to be the Data Protection Officer for a UK-based recognised Trade Union. Ensuring that we only had relevant information on members was a significant part of the function in order to maintain compliance with DP laws. That was a little while ago and some of the laws and wording have changed but the basic structure is still there. You may need to read local data protection rules for details but most EU countries should be the same.

Hope this is of help.