Subject access requests · Controllers · Processors
A controller can use a processor to help with a subject access request. It cannot use that processor to escape responsibility. The UK GDPR right of access is exercised against the controller, and the controller must be able to explain the search, the scope, the role of the processor, the safeguards, the response and any refusal or redaction. Outsourcing may improve capacity. It does not dilute accountability.
Publication snapshot
This article explains when and how a data controller may use a processor to assist with subject access requests. It focuses on UK GDPR accountability, processor contracts, transparency to the requester, due diligence, search discipline, conflict management and oversight. The core point is practical: a processor can help retrieve, organise and review personal data, but the controller remains responsible for the final legal response and must keep an audit trail capable of withstanding challenge.
The controller-processor distinction
UK data protection law depends heavily on role clarity. A controller decides why and how personal data is processed. A processor processes personal data on the controller’s behalf and on the controller’s documented instructions. That distinction is not a label chosen for convenience. It is a factual and legal analysis of who controls the purpose and means of the processing.
Subject access requests expose the importance of that distinction. The requester is asking for access to personal information held by, or on behalf of, the controller. If the controller uses a processor to run searches, review material, host data, prepare redactions or assemble a response pack, the controller still has to decide how the request is handled and what the requester is entitled to receive.
A processor may have direct responsibilities under the UK GDPR, particularly if it acts outside or against instructions. But the ordinary outsourcing model does not make the processor the owner of the response. The controller must keep control of the legal judgment.
Controller
Determines purpose and means, receives the SAR, directs the response and remains accountable.
Processor
Acts on documented instructions and assists with search, retrieval, review, security and administration.
Requester
Is entitled to a clear response, not an explanation hidden behind internal outsourcing arrangements.
Why SAR outsourcing happens
Subject access work can be resource-intensive. A single request may require searches across email, HR systems, complaints files, case-management platforms, archived records, messaging tools, call recordings, finance systems, customer databases, cloud services and third-party platforms. The material may include mixed personal data, confidential business information, health data, employment records, special category data, privileged material and information about other people.
Controllers may therefore turn to external support. A law firm may be used for privilege, exemptions, litigation sensitivity or dispute strategy. A specialist SAR provider may assist with review workflows and redaction. An e-disclosure provider may help collect, de-duplicate and search large datasets. A cloud provider may hold systems from which information must be extracted.
There is nothing inherently wrong with that. The risk is the assumption that outsourcing itself proves compliance. It does not. It only creates another layer of governance which must be controlled, documented and explained.
Responsibility remains with the controller
The ICO’s right of access guidance makes the position direct: controllers are responsible for complying with SARs. If a controller uses a processor, the controller must have a contractual agreement that enables it to deal with SARs properly, whether the request is sent to the controller or to the processor. The processor must help the controller meet its SAR obligations.
That duty has practical consequences. The controller should know where the processor holds data, how quickly the processor can retrieve it, which systems are in scope, how identity and authority issues will be handled, how searches will be logged, how redactions will be proposed, and how uncertainty will be escalated.
The controller also remains responsible for deciding whether material is personal data, whether it relates to the requester, whether third-party data needs redaction, whether an exemption applies, whether clarification is reasonably required, and whether the response is complete enough to satisfy the right of access.
Transparency to the requester
Transparency does not require the controller to give the requester a running commentary on every internal review step. It does require the controller’s privacy information and SAR communications to be honest about who processes personal data and for what purpose. If a processor handles data in connection with SAR administration, the arrangement should be consistent with the controller’s privacy notice, processor records and contractual framework.
The requester should not be misled into thinking their data is being handled only internally where an external provider is doing substantive work. Nor should the processor become a shadow decision-maker without a clear route back to the controller. The controller should remain the accountable point of contact unless the arrangement clearly and lawfully provides otherwise.
Transparency also matters where the SAR is made during a dispute. If an external law firm or adviser is involved, the controller should be clear internally whether that adviser is providing legal advice, acting as a processor, reviewing exemptions, handling litigation risk, or doing more than one of those things. Unclear roles can create confusion, conflict and complaint risk.
Processor contract controls
Whenever a controller uses a processor, there must be a written contract or other legal act in place. For SAR outsourcing, that contract must be operational rather than decorative. It should identify the processing subject matter, duration, nature, purpose, types of personal data, categories of data subject, and the controller’s rights and obligations.
The contract should also require processing only on documented instructions, confidence obligations for people handling the data, appropriate security, controls over sub-processors, help with individual rights, assistance with breach and DPIA obligations, deletion or return at the end of the contract, and audit or inspection rights.
Those clauses need to be connected to the SAR workflow. The agreement should set out how requests are escalated, how data is transferred securely, how searches are run, how logs are kept, who may review special category or privileged material, how proposed redactions are recorded, how deadlines are monitored, and how information is returned or deleted after the matter closes.
The contract should make the SAR workable
A controller-processor contract is not just a compliance exhibit. It should allow the controller to obtain the information it needs, on time, securely and with enough evidence to justify the final response.
Due diligence and vetting
A controller should only use processors that can give sufficient guarantees that they will implement appropriate technical and organisational measures, meet UK GDPR requirements and protect the rights of data subjects. In SAR work, that assessment has to be practical. It is not enough to ask whether the provider has a polished policy.
The controller should test whether the processor can identify relevant systems, retrieve personal data, handle archived material, work securely, preserve confidentiality, manage sub-processors, review mixed datasets, support redaction, flag exemptions, document uncertainty and return or delete data when instructed. If the processor is a law firm, e-disclosure platform or SAR provider, the controller should also consider competence, role clarity and independence.
Due diligence should be stronger where the SAR involves employment disputes, whistleblowing, safeguarding, health information, litigation, regulatory complaints, children’s data, protected characteristics, legal professional privilege or allegations of wrongdoing. Those requests require more than mechanical extraction. They require judgment, escalation and supervision.
Capability
Can the provider search, retrieve, review and package relevant personal data securely and within time?
Safeguards
Are access controls, confidentiality duties, sub-processor controls and audit rights clear?
Escalation
Does the processor know when to pause and refer privilege, third-party data or conflict issues back?
Scope, search and deadlines
The right of access gives people the right to obtain a copy of their personal information and supplementary information. The search must therefore be directed at personal information, not simply every document where the person’s name appears. Emails are a common problem: some emails contain the requester’s personal data; others merely copy them in or mention them without the wider content being their personal information.
The ICO’s search guidance now states that controllers must make a reasonable and proportionate search. The controller should make reasonable efforts to find and retrieve requested information, but is not required to conduct searches that would be unreasonable or disproportionate to the importance of providing access. If the controller says a search would be unreasonable or disproportionate, it must be able to show why.
Deadlines must be actively controlled. A SAR must usually be answered without undue delay and at the latest within one month, subject to identity, authority and limited fee rules. The response period can be extended by a further two months if the request is complex or if the person has made a number of requests. The ICO guidance also makes clear that a request is not complex just because the controller has to rely on a processor to provide information needed for the response.
Since the 2025 reforms, clarification can stop the clock where further information is reasonably required to identify the personal information or processing activity the SAR relates to. That is a useful tool, but not a blanket delay mechanism. Controllers should document why clarification was reasonably required, what was asked, when time paused and when it resumed.
Conflicts and objectivity
The draft raises a legitimate concern about impartiality. Outsourcing can improve objectivity, but only if the processor’s role is clear and the provider is not placed in a conflicted position. A processor with a close commercial, legal or strategic relationship with the controller may not appear neutral to the requester, especially where the SAR arises from a dispute.
This does not mean a law firm or adviser can never assist. It means the controller must manage the role carefully. Legal advice, SAR administration and adversarial strategy should not be blurred. If a provider is reviewing material connected to its own conduct, a dispute it advised on, or allegations involving its client, the controller should consider whether additional independent review is needed.
Conflicts should be handled in the same disciplined way as other SAR risks: identify the relationship, record the issue, define the processor’s task, restrict access where necessary, create escalation routes, and keep the controller responsible for final decisions.
Oversight and evidence
Outsourced SAR handling should leave a clear audit trail. The controller should be able to show the date of receipt, identity and authority checks, the search plan, systems searched, processor instructions, search terms, review method, redaction approach, exemption reasoning, clarification requests, deadline calculation, response pack and complaint route.
Where exemptions are relied upon, the ICO guidance requires case-by-case analysis. Exemptions should not be applied routinely or in blanket fashion, and the controller should document the reasons and be able to justify the position. If the controller refuses to comply, it must usually tell the requester why, explain the right to complain to the controller and the ICO, and refer to the ability to enforce rights through the courts.
The practical standard is whether the response can be reconstructed later. If a complaint reaches the ICO or court, the controller should not be dependent on memory, vague assurances from a processor, or an undocumented review process.
For controllers
Keep the processor contract, instructions, search plan, review log, exemption reasoning and final response.
For processors
Keep retrieval logs, reviewer allocation, access records, redaction notes, escalation records and deletion confirmation.
For requesters
Keep the SAR, acknowledgements, clarification exchanges, response pack, redaction concerns and complaint history.
Source anchors
These sources support the legal and regulatory framework used in this article. They do not prove any disputed complaint, breach or organisation-specific failure.
ICO controllers and processors guidance
Role analysis, controller responsibility, processor role and governance issues.ICO right of access guidance
SAR entitlement, supplementary information and controller responsibility where processors assist.ICO contracts guidance
Controller-processor contracts, documented instructions, rights assistance, security and audits.ICO SAR response guidance
Deadlines, complexity, clarification, stop-the-clock handling and identity checks.ICO search guidance
Reasonable and proportionate searches, archived records, email review and big datasets.GOV.UK DUAA factsheet
2025 reforms to subject rights, clarification and reasonable and proportionate searches.The Legal Lens point
Outsourcing SAR handling is not the problem. Uncontrolled outsourcing is the problem. A competent processor can improve capacity, search quality, redaction management and technical retrieval. But if the controller cannot explain the role, contract, search, safeguards and final decision, outsourcing has weakened rather than strengthened compliance.
The practical rule is direct: outsource assistance, not accountability. The controller must remain able to prove what was done, why it was done, who did it, what was withheld, what was disclosed and how the requester’s rights were protected.
SAR outsourcing route map
Get a free written assessment of the route
If a SAR, processor arrangement or data-disclosure dispute needs structure, Legal Lens can help organise the documents, risks and next practical questions before complaint, correspondence or specialist review.
Clarify whether the concern is delay, search scope, processor handling, redaction, exemptions or missing data.
Organise the SAR, response pack, clarification messages, privacy notice, processor role and complaint trail.
Separate controller complaint, ICO complaint, correspondence, litigation sensitivity and data-protection evidence gaps.
Controller role, processor role, search, exemptions, redactions and complaint route.
Requests, responses, logs, reasons, chronology and missing records.
Independent Legal Lens consultancy. Legal Lens is not a regulated solicitors' firm. A preliminary assessment is not a substitute for regulated legal advice where that is needed.

