GDPR Subject Access Request: How to Redact Documents Correctly
Step-by-step guide to legally compliant handling of data access requests under Article 15 GDPR
What Is a GDPR Subject Access Request?
Article 15 GDPR grants every individual the right to access their stored personal data
The right of access under Article 15 of the General Data Protection Regulation (GDPR) is one of the core data subject rights. It enables any natural person to find out from a company or organisation whether and what personal data is being processed about them.
A Subject Access Request (SAR) can be made informally – by email, letter, or even verbally. The data controller must then provide the following information:
- Processing purposes: Why is the data being processed?
- Categories of personal data: What types of data are involved?
- Recipients: To whom has the data been disclosed?
- Retention period: How long will the data be stored?
- Copy of the data: A complete copy of all stored personal data
The response must be provided within one month of receiving the request. For particularly extensive or complex requests, the deadline can be extended by a further two months – however, the data subject must be informed of the extension and the reasons within the first month.
Who is affected? Every company, public authority, and organisation that processes personal data. From law firms to HR departments to healthcare providers – no one is exempt from this obligation.
Why Must Documents Be Redacted?
Article 15(4) GDPR: The rights of third parties must not be adversely affected
When responding to a Subject Access Request, organisations face a dilemma: they must provide the requesting person with a complete copy of their data – whilst simultaneously ensuring that no personal data of third parties is disclosed.
Article 15(4) GDPR makes clear:
“The right to obtain a copy [...] shall not adversely affect the rights and freedoms of others.”
In practice, this means that documents containing information about third parties alongside the requesting person's data must be carefully redacted before disclosure. This includes:
- Third-party data in personnel files: Names of managers and colleagues in appraisals or meeting minutes
- Email correspondence: Contact details and content from other participants in CC or the email body
- Internal notes: Assessments and memos that allow conclusions to be drawn about other individuals
- Trade secrets: Confidential information such as pricing calculations, strategy documents, or internal evaluations
The challenge: If too little is redacted, a data protection violation occurs because third-party data is unlawfully disclosed. If too much is redacted, the requesting person's right of access is impermissibly restricted. Finding the right balance requires diligence and clear processes.
Step by Step: Processing a Subject Access Request
How to handle a GDPR data access request in a structured and timely manner
Verify the Request and Confirm Identity
Before disclosing any data, you must ensure that the request genuinely comes from the data subject. If in doubt, request suitable proof of identity – such as a copy of an ID document (with irrelevant data redacted) or verification via the communication channel you have on file.
Important: The identity check must not be disproportionate. If the person makes the request from their known email address, this is generally sufficient as proof.
Gather Relevant Documents
Systematically search all systems where the requesting person's personal data may be stored:
- Personnel files and HR systems
- Email inboxes and archives
- CRM and ERP systems
- Paper files and scanned documents
- Minutes, memos, and internal notes
- Backups and archiving systems
Identify Third-Party Data
Review each document carefully and mark all sections containing personal data of third parties or protectable trade secrets. Create a checklist:
- Names, contact details, and signatures of third parties
- Evaluations and assessments concerning third parties
- Internal calculations and confidential business figures
- Information that could allow the identification of third parties
Redact – Automatically or Manually
Now the actual redaction takes place. It is critical that the redaction is permanent and irreversible. Two approaches are available:
Manual redaction: Each document is individually reviewed and the relevant sections are manually redacted. For extensive requests involving hundreds of pages, this is a time-intensive process.
Automated redaction: Specialised software such as Docuflair Redaction automatically identifies personal data and permanently redacts it. This drastically reduces processing time and minimises the risk of human error.
Quality Control
Thorough quality control is essential before disclosure:
- Check completeness: Is all of the requesting person's data included?
- Verify redaction: Is all third-party data reliably redacted?
- Test permanence: Can redacted sections be recovered by selecting, copying, or using specialised software?
- Ensure readability: Are the non-redacted contents still comprehensible and coherent?
Respond Within the Deadline
Provide the data subject with the prepared documents in a commonly used electronic format (e.g. PDF). Document the entire process – when the request was received, what steps were taken, and when the response was sent. This documentation serves as evidence for supervisory authorities.
Common Redaction Mistakes
These errors cost organisations fines and trust
Mistake 1: Non-Permanent Redaction
The most common and severe mistake: redactions that can be reversed. Placing a black bar over text in a PDF editor does not remove the data – it remains stored in the document. Through copy-paste, text selection, or simple PDF tools, the “redacted” information can often be effortlessly recovered.
The solution: Only pixel-based redaction, where the original data is irrecoverably replaced with black pixels, is legally compliant. Professional redaction software ensures this automatically.
Mistake 2: Overlooking Third-Party Data
In extensive documents, third-party data is easily overlooked – particularly in footers, headers, metadata, file names, or embedded comments. Even indirect references (“the responsible case worker”, “the supervising colleague”) can enable identification when combined with context.
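The permanence test from the quality-control checklist ("can redacted sections be recovered by selecting, copying, or using specialised software?") and the metadata and embedded-comment residue described under Mistake 2 can both be checked mechanically before a file leaves the organisation. The script below is an added example written for this article; it is not Docuflair's code. It uses only the Python standard library and is deliberately not a full PDF parser: it walks the `N G obj ... endobj` blocks with regular expressions, inflates FlateDecode streams, and reports the residue an overlay-style redaction leaves behind (text-painting operators under the black box, font resources, unapplied `/Redact` annotations, comment annotations, Info-dictionary metadata). The two sample PDFs are constructed inline, and every name, note and metadata value in them is invented.

```python
"""Audit a "redacted" PDF for recoverable residue (added example; not a full parser)."""
import re
import zlib

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", re.S)
# "(string) Tj" and "[ ... ] TJ" are the content-stream operators that paint text
TEXT_OP_RE = re.compile(rb"\((.*?)\)\s*Tj|\[(.*?)\]\s*TJ", re.S)
INFO_KEYS = (b"/Title", b"/Author", b"/Subject", b"/Keywords")


def _objects(pdf: bytes):
    """Yield (object number, dictionary bytes, decoded stream bytes or None)."""
    for m in OBJ_RE.finditer(pdf):
        num, body = int(m.group(1)), m.group(3)
        head, sep, rest = body.partition(b"stream")
        if not sep:
            yield num, head, None
            continue
        data = rest.lstrip(b"\r\n")
        length = re.search(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)", head)  # direct /Length only
        if length:
            data = data[: int(length.group(1))]
        else:  # indirect /Length: fall back to the endstream keyword
            data = data[: data.rfind(b"endstream")].rstrip(b"\r\n")
        if b"/FlateDecode" in head:
            try:
                data = zlib.decompress(data)
            except zlib.error:
                pass  # unreadable stream: scan the raw bytes instead
        yield num, head, data


def audit_redaction(pdf: bytes) -> list:
    """Return (kind, detail) findings; an empty list means no residue was found."""
    findings, heads = [], {}
    for num, head, data in _objects(pdf):
        heads[num] = head
        if re.search(rb"/Type\s*/Font\b", head):
            findings.append(("font", "font resource present, so a text layer survives"))
        if re.search(rb"/Subtype\s*/Redact\b", head):
            findings.append(("redact-annot", "redaction marked but never applied"))
        elif re.search(rb"/Type\s*/Annot\b", head):
            note = re.search(rb"/Contents\s*\((.*?)\)", head, re.S)
            if note:
                findings.append(("comment", note.group(1).decode("latin-1")))
        if data is not None and b"/Image" not in head:  # skip pixel data itself
            for op in TEXT_OP_RE.finditer(data):
                text = op.group(1) if op.group(1) is not None else op.group(2)
                findings.append(("text", text.decode("latin-1")))
    info = re.search(rb"/Info\s+(\d+)\s+\d+\s+R", pdf)  # Info dictionary named in the trailer
    if info and int(info.group(1)) in heads:
        head = heads[int(info.group(1))]
        for key in INFO_KEYS:
            value = re.search(key + rb"\s*\((.*?)\)", head, re.S)
            if value:
                findings.append(("metadata", f"{key.decode()}: {value.group(1).decode('latin-1')}"))
    return findings


def is_permanently_redacted(pdf: bytes) -> bool:
    return not audit_redaction(pdf)


# --- constructed sample PDFs (no xref table; this scanner does not need one) ---
def _stream(dictionary: bytes, data: bytes, compress: bool = False) -> bytes:
    if compress:  # FlateDecode, as real PDF writers usually apply
        data, dictionary = zlib.compress(data), dictionary + b" /Filter /FlateDecode"
    return b"<< %s /Length %d >>\nstream\n%s\nendstream" % (dictionary, len(data), data)


def _pdf(objects: list, trailer: bytes) -> bytes:
    body = b"".join(b"%d 0 obj\n%s\nendobj\n" % (i, o) for i, o in enumerate(objects, 1))
    return b"%PDF-1.4\n" + body + b"trailer\n" + trailer + b"\n%EOF\n"


# Overlay "redaction": the text is still painted, a black rectangle is merely drawn on top,
# a sticky-note comment and the Info dictionary still name a third party (invented values).
OVERLAY_PDF = _pdf([
    b"<< /Type /Catalog /Pages 2 0 R >>",
    b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
    b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 300 100] /Contents 4 0 R"
    b" /Resources << /Font << /F1 5 0 R >> >> /Annots [6 0 R] >>",
    _stream(b"", b"BT /F1 12 Tf 20 50 Td (Appraisal by line manager J. Smith) Tj ET\n"
                 b"0 0 0 rg 20 46 230 16 re f", compress=True),
    b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
    b"<< /Type /Annot /Subtype /Text /Rect [10 10 30 30] /Contents (ask HR: Smith complained) >>",
    b"<< /Author (hr-admin) /Title (Appraisal - case worker Smith) >>",
], b"<< /Root 1 0 R /Info 7 0 R >>")

# Pixel-based redaction: the page is a raster image only; no fonts, comments or Info entry.
RASTER_PDF = _pdf([
    b"<< /Type /Catalog /Pages 2 0 R >>",
    b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
    b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 300 100] /Contents 4 0 R"
    b" /Resources << /XObject << /Im1 5 0 R >> >> >>",
    _stream(b"", b"q 300 0 0 100 0 0 cm /Im1 Do Q"),
    _stream(b"/Type /XObject /Subtype /Image /Width 2 /Height 2"
            b" /ColorSpace /DeviceGray /BitsPerComponent 8", b"\xff\x00\x00\xff"),
], b"<< /Root 1 0 R >>")

if __name__ == "__main__":
    for name, sample in (("overlay", OVERLAY_PDF), ("rasterised", RASTER_PDF)):
        print(name, "->", "clean" if is_permanently_redacted(sample) else "RESIDUE FOUND")
        for kind, detail in audit_redaction(sample):
            print("   ", kind, ":", detail)
```

Run as-is, the overlay sample is flagged four ways (the hidden sentence, the font, the comment and both Info fields), while the rasterised sample produces no findings. The design choice is to treat any surviving text-painting operator or font as a failure rather than trying to decide whether a given string sits under a black box, because the question for a SAR response is not where the text is drawn but whether it can be copied out. A production quality-control step would add what this script leaves out: text extraction with a proper PDF library, XMP metadata streams, file attachments and the file name itself.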
Mistake 3: Missing the Deadline
The one-month deadline begins when the request is received – not when it is acknowledged or processing begins. Organisations without established processes lose valuable days due to unclear responsibilities and manual handling. If the deadline is missed, the data subject can file a complaint with the supervisory authority.
Fines and Consequences
The financial and legal risks of incorrect handling
GDPR violations are consistently pursued by supervisory authorities. Incorrect handling of Subject Access Requests can result in severe sanctions:
- Fines of up to EUR 20 million or 4% of annual worldwide turnover – whichever is higher (Article 83(5) GDPR)
- Reportable data breach: The unintentional disclosure of third-party data through inadequate redaction constitutes a data breach under Article 33 GDPR, which must be reported to the supervisory authority within 72 hours
- Compensation claims: Affected third parties whose data was unlawfully disclosed can claim damages under Article 82 GDPR
- Reputational damage: Data protection incidents are increasingly made public – the trust of customers, employees, and business partners is at stake
In practice, European supervisory authorities have already imposed numerous fines for violations of the right of access. Common reasons include: incomplete disclosures, late responses, and the exposure of third-party data through faulty redaction.
Automated vs. Manual Redaction
Why automated redaction makes the difference
When processing Subject Access Requests, the difference between manual and automated redaction becomes particularly apparent:
Time Comparison
Manual redaction: An average of 5 minutes per page. For a personnel file of 200 pages, that means over 16 hours of pure processing time – excluding quality control.
Automated redaction: An average of 5 seconds per page. The same 200-page file is processed in less than 17 minutes. The error rate drops significantly, as the software consistently redacts all occurrences of a recognised pattern.
Error Rate
Studies show that manual redaction has an error rate of up to 15% – meaning that in every seventh document, third-party data may potentially be overlooked. Automated redaction software reduces this rate to below 1%, as it works systematically and consistently.
Cost Efficiency
When you factor in personnel costs, error correction, and potential fines, automated redaction is not only faster and more secure but also significantly more cost-effective. Particularly for organisations that regularly process Subject Access Requests, the investment in professional redaction software pays for itself within a few months.
Docuflair offers a professional solution with the Docuflair Redaction module that automatically identifies personal data and permanently redacts it – GDPR-compliant and audit-proof.
GDPR-Compliant Redaction in Seconds
See in a personal demo how Docuflair processes Subject Access Requests automatically and in full legal compliance.
Frequently Asked Questions
Answers to the most important questions about GDPR Subject Access Requests and redaction
How long do I have to respond to a GDPR Subject Access Request?
Under Article 12(3) GDPR, you must respond within one month of receiving the request. In particularly complex cases, the deadline can be extended by a further two months, provided you inform the data subject of the extension and the reasons within the first month.
What data must be redacted when responding to a Subject Access Request?
You must redact all personal data of third parties (e.g. names, contact details of other individuals), trade secrets, and information whose disclosure would adversely affect the rights and freedoms of other persons. The data of the requesting person themselves must not be redacted.
Is redaction using a highlighter or PDF overlay legally compliant?
No. Superficial redactions using highlighters, PDF overlays, or simple black bars are not legally compliant. The underlying data can often be recovered by copying, selecting, or using specialised software. Only permanent, pixel-based redaction, where the original data is irrecoverably removed, is GDPR-compliant.
What fines can be imposed for incorrectly handling a Subject Access Request?
Violations of the right of access under Article 15 GDPR can result in fines of up to EUR 20 million or 4% of the annual worldwide turnover. The unintentional disclosure of third-party data through faulty redaction also constitutes a reportable data breach.