UK GDPR — Art 15 Subject Access

The Request

One SAR. One month. Eighteen thousand data points.

It is Thursday 5 February 2026. Three days ago, Sam Chen filed a Subject Access Request. You have until 2 March. In the next 25 minutes you will make three decisions that determine whether Cerulith's SAR handling ends up as a quiet case study or as Exhibit A in an ICO investigation eleven months from now.

Learning Objectives

Apply Art 12 and Art 15 to a real SAR on Art 9 health data
Distinguish manifestly unfounded/excessive from inconvenient under ICO guidance
Resolve third-party redaction correctly using Art 15(4), DPA 2018 Schedule 2, and Durant v FSA

Monday 2 February 2026 · 14:12 · Lee Valley Athletics Centre

The Request

Trackside · Sam Chen files her SAR

Monday, 14:12. Sam Chen opened a laptop in the athletes' lounge at Lee Valley and submitted a Subject Access Request via cerulith.com/privacy/sar.

Template-quality. She cited Art 15(1)(a)-(h), set the window (1 February 2023 to today), named the processors she knew about, and asked only for her own data.

From: Sam Chen <s.chen.t54@britishathletics.org.uk>

To: SAR Portal <sar@cerulith.com>

Article 15 Subject Access Request — Sam Chen (user ID CPL-20210617-CHN)

To whom it may concern,

Under Article 15 UK GDPR, please provide a copy of all personal data Cerulith Health Ltd processes about me, plus the Article 15(1)(a) to (h) information. Pulse user ID: CPL-20210617-CHN. Three processors likely hold relevant data: AWS Ireland (infrastructure), Zendesk (support), Mixpanel (analytics). Electronic format is fine.

I am NOT seeking confidential references or third-party personal data. I'm aware of the manifestly unfounded/excessive test and consider this request proportionate.

Time window: 1 February 2023 to date of response. Please confirm receipt and deadline.

Sam Chen

Thursday 5 February 2026 · 09:24 · Aisha's home office

Rachel's Escalation

Three days later. You open your inbox. Rachel Whitmore has forwarded the SAR with a single-line note.

From: Rachel Whitmore <r.whitmore@cerulith.com>

To: Aisha Khan <a.khan@cerulith.com>

Cc: Vikram Rao <v.rao@cerulith.com>

RE: Article 15 Subject Access Request — Sam Chen — URGENT

Aisha,

Please can we treat this as manifestly excessive? Full scope is 18,000+ data points across three years across three processors. Danielle estimates 60+ hours of redaction work. We're covering NHS escalations and Q1 onboarding with four people. She has mentioned litigation to her coach. I think this is a fishing expedition dressed up as an SAR.

Please confirm by EOD so we can send the refusal letter.

Rachel

Thursday 5 February 2026 · 09:26 · Aisha's home office

Your Inbox — 09:26

Six emails arrived in the last hour. Sort each into Urgent / Defer / Delegate / File. You have four minutes before Rachel dials in. Triage does not affect your defensibility score — it shapes your framing.

Thursday 5 February 2026 · 10:00 · Aisha's home office

The First Call

Rachel is on the line. Vikram is lurking on video with his camera off. Danielle has texted you once.

You have three positions you can take. All three are career-surviving. Only one is regulator-defensible.

The Question

How do you respond to Rachel?

Your choice

📋

Process in full. Plan the work.

Confirm the SAR is valid, scope is appropriate, and 18,000 data points does not meet the manifestly excessive threshold. Clock runs to 2 March. Plan the redaction sprint with Rachel and Danielle.

Your choice

⏳

Seek reasonable clarification, pause the clock.

Write to Sam asking her to narrow the scope (e.g., which types of Pulse data). Under the DUAA 2025 stop-the-clock rule, the one-month period restarts when clarification is received. Buy the team breathing room; risk being seen as obstructive.

Your choice

✉️

Refuse. Invoke Art 12(5).

Send the refusal letter Rachel wants. Rely on Art 12(5) manifestly unfounded/excessive. Burden of proof will sit on Cerulith.

Thursday 5 February 2026 · 10:18 · Aisha's home office

+3 Defensible

The Plan

Dr Aisha Khan

Data Protection Officer

Rachel, 18,000 data points across three years and three processors isn't excessive. It's the product of Sam using Pulse every day. That's on us, not her.

Rachel Whitmore

Head of Customer Support

So what am I telling Danielle?

Dr Aisha Khan

Data Protection Officer

That we're doing it properly. I'll take redaction review off her plate. She pulls the Zendesk tickets and the email thread. You handle the scope letter to Mixpanel.

Vikram Rao

Chief Legal Officer

I'll draft the acknowledgement to Sam confirming receipt and the 2 March deadline.

You've framed it correctly. {{ref:ico-manifestly:Manifestly unfounded}} means malicious intent, withdrawal-for-payment, or repeat requests with no material change. Volume alone does not meet that bar under ICO guidance.

You've also protected the Art 38 line: Vikram is helping, not directing.

Why This Was Defensible

{{ref:gdpr-12:Article 12(5)}} puts the burden of proof on the controller. 'This is a lot of work' is not a defence.

{{ref:gdpr-15:Article 15}} is not conditional on the requester's motives. Litigation intent is not the test.

{{ref:ico-manifestly:ICO guidance}} is narrow: malicious intent, quid pro quo withdrawal, true duplicates. None apply.

Thursday 5 February 2026 · 10:22 · Aisha's home office

+1 Mixed

The Clarification Letter

Dr Aisha Khan

Data Protection Officer

I'm going to write to Sam asking her to narrow the scope. Under DUAA the clock pauses until she replies.

Rachel Whitmore

Head of Customer Support

She'll think we're dodging.

Dr Aisha Khan

Data Protection Officer

Probably. It's defensible but it's not friendly.

{{ref:duaa-clock:The DUAA 2025 stop-the-clock provision}} is statutorily available in the UK when the controller reasonably requests information to clarify scope. It is not equivalent under EU GDPR, which expects clarification to be sought without undue delay but without pausing the clock.

Clarification must be reasonable. Sam already specified time window, processors, and scope. An over-broad clarification request can itself become an Art 12 failure.

Why This Is Mixed

Legally available. Strategically costly. Sam reads the ICO guidance and will know what's happening.

If Sam complains, the ICO will test whether the clarification request was 'reasonable' per {{ref:gdpr-12:Art 12(3)/(6)}}. Cerulith's position is weaker than it needs to be.

Thursday 5 February 2026 · 10:31 · Aisha's home office

−2 Indefensible

The Refusal

Rachel Whitmore

Head of Customer Support

Thank you. Really. The team needed this.

Dr Aisha Khan

Data Protection Officer

I need you to know this will be challenged. And when it is, the burden will be on us to justify it.

Vikram Rao

Chief Legal Officer

I'll review the letter. If I'm not comfortable, I'll say so.

You have sent a refusal letter Cerulith cannot defend. {{ref:gdpr-12:Art 12(5)}} requires the controller to prove manifestly unfounded or excessive. 18,000 data points over three years of active platform use is the ordinary consequence of providing the service.

Sam will escalate. Her ICO complaint will be accepted. The refusal will sit at the top of Exhibit A in an enforcement file already being opened for other reasons.

Why This Was Indefensible

{{ref:ico-manifestly:ICO guidance}} on manifestly unfounded/excessive is specific: this situation does not meet any listed example.

{{ref:gdpr-12:Art 12(5)(b)}} allows refusal, but the burden is on the controller, and the ICO reads it narrowly.

Refusal is a Chekhov's gun. It will return in Module 6.

Thursday 5 February 2026 · 14:30 · Aisha's home office

Three Threads

Three threads open on the desk

By lunchtime, three files sit open on your desk.

The Zendesk thread: 214 support tickets. Most are Sam's own words. A handful are internal notes from support agents discussing her case.

The Mixpanel export: 17,841 events. Product telemetry — no third-party data in there.

The internal email chain: seventeen messages between Rachel, Danielle, and two support agents about Sam's November 2025 adverse-event report. Embedded in one of them: Danielle's 260-word draft clinical opinion, written for internal use, containing Danielle's speculation about whether Sam's training pattern indicated a pre-existing cardiac anomaly. Danielle has texted you three times today.

You need a framework. Not every line of every document is Sam's to read. But the default must be disclosure, not redaction.

Thursday 5 February 2026 — Zendesk call recording 11-0842

The Support Call — Segment by Segment

Buried in the Zendesk thread: one recorded support call from November 2025. Sam herself opened the call. The agent, Marco, confirmed the recording was being made. The recording is part of Sam’s SAR bundle — but not every second of it is hers to take.

The test. Default is disclosure. Redact only what contains third-party personal data, privileged content, or material that is not about Sam. Over-redacting destroys the record. Under-redacting exposes third parties.

KeepDisclosable — Sam’s data

Redact — 3rd-party PIINames other people

Redact — privilegedLegal / internal review

Redact — not SamUnrelated to requester

Thursday 5 February 2026 · 15:05 · Aisha's home office

The Email Chain — Line by Line

This is the most contested document. Mark each line as one of the four categories below. Scoring is informational — it sharpens your framing but does not affect the defensibility score.

Source: Internal email chain — "Re: CPL-20210617-CHN — adverse event 12 Nov 2025" — 17 messages, 3,420 words. Below is the contested message (Danielle → Rachel, 13 Nov 2025 09:47).

ASam's personal data — disclose BThird-party personal data — redact COpinion about Sam biographical in a significant sense — disclose with context DConfidential reference (DPA Sch 2 Pt 4 para 24) — redact

0 of 8 lines classified

Teaching Note

Lines l1, l2, l4, l8 are Sam's personal data in the Durant sense — biographical, with Sam as focus — disclose. l3 names Sam's coach; Sam knows her coach is known, but the coach's quoted words are his third-party personal data — redact. l5-l7 are opinions about Sam; they ARE her personal data (Nowak, endorsed in UK post-Durant) and biographical in a significant sense — disclose with appropriate context. l8 is Danielle's own discomfort — not a Sch 2 para 24 confidential reference (not about suitability for employment/training appointments) — disclose. Danielle's preference is not a legal basis for redaction.

Thursday 5 February 2026 · 16:10 · Aisha's home office

What Sam Reads

Vikram pings you. Danielle pings you. Rachel pings you.

Danielle is panicking. Rachel wants to redact the whole email chain as 'internal management.' Vikram reminds you to cite your basis in writing for whatever you choose.

The Question

How do you treat the internal email chain?

Your choice

⚖

Proportionate: redact third-party data, disclose Sam-focused content.

Redact the coach's quoted words (third-party personal data under Art 15(4)). Disclose Danielle's opinion paragraphs about Sam with an explanatory cover note — they are her personal data under Nowak and biographical in a significant sense under Durant. Decline to invoke Sch 2 Pt 4 para 24 — this is not a confidential reference about employment suitability.

Your choice

■

Redact the whole chain. 'Internal management.'

Mark the entire thread internal and redact. Rely on a broad reading of Sch 2 exemptions and Danielle's expressed preference not to disclose.

Your choice

📤

Disclose unredacted to save time.

Include the full chain unredacted. Be thorough, be fast. Sam asked for her data; give her her data.

Thursday 5 February 2026 · 17:02 · Aisha's home office

+3 Defensible

The Cover Note

Dr Aisha Khan

Data Protection Officer

Danielle, your words about Sam's training pattern are Sam's personal data. She gets them. I'll write a cover note: you wrote internally, not clinically, and flagged a data-quality concern.

Danielle Obi

Support Team Lead

Will it say that?

Dr Aisha Khan

Data Protection Officer

It will. And that you raised the fix quickly. Sam will see that.

Danielle Obi

Support Team Lead

OK. Thank you. Really.

You've applied {{ref:gdpr-15-4:Art 15(4)}} correctly: redact third-party personal data, not opinion about the data subject.

You refused to stretch {{ref:dpa18-sch2:Sch 2 Pt 4 para 24}} (confidential references for employment, training, appointments). Exemption-stretching is how {{ref:ico-manifestly:ICO}} enforcement starts.

The cover note is the skilled-DPO move. Context reduces litigation risk more than redaction.

Why This Was Defensible

{{ref:nowak:Nowak (C-434/16)}}: opinions about a data subject are that subject's personal data.

{{ref:durant:Durant v FSA}}: disclose where data is biographical in a significant sense and the subject is in focus. Both tests met.

{{ref:dpa18-sch2:DPA 2018 Sch 2 Pt 4 para 24}} covers genuine confidential references for employment/training/appointment decisions. Not internal support emails.

Thursday 5 February 2026 · 17:14 · Aisha's home office

−2 Indefensible

The Blanket Redaction

Rachel Whitmore

Head of Customer Support

Thank you. The team owes you.

Vikram Rao

Chief Legal Officer

I want your legal basis in the file. 'Internal management' is not a statutory exemption I can find.

Dr Aisha Khan

Data Protection Officer

...

There is no 'internal management' exemption in UK GDPR or DPA 2018. {{ref:dpa18-sch2:Schedule 2}} provides named exemptions — none cover routine internal discussion of a data subject.

This is the {{ref:ba-mpn:Durant-era over-redaction instinct}} the ICO specifically warns against in its right-of-access guidance.

Why This Was Indefensible

Blanket redaction with no statutory basis is an Art 15 breach.

If Sam complains and the ICO reviews the chain, the response demonstrates a systematic over-redaction approach — far worse for Cerulith than the individual refusal.

Thursday 5 February 2026 · 17:19 · Aisha's home office

−2 Indefensible

The Unredacted Send

Danielle Obi

Support Team Lead

She's going to read the ARVC paragraph. I'm going to be named in the complaint.

Dr Aisha Khan

Data Protection Officer

I owe you an apology.

{{ref:gdpr-15-4:Art 15(4)}} is explicit: the right to obtain a copy shall not adversely affect the rights and freedoms of others. The coach's quoted words were third-party personal data that needed redaction.

Speed is not the test. Proportionality is.

Why This Was Indefensible

Third-party personal data must be redacted or a lawful basis for disclosure must exist. Neither was applied.

The coach could file a separate complaint against Cerulith — a second Art 15 breach from the same response.

Thursday 26 February 2026 · 17:44 · Cerulith HQ — Bishopsgate, London

The Package

Three weeks later. The redaction sprint is in the final stretch. Deadline is Monday 2 March.

Danielle has the Zendesk cut. Mixpanel sent the events as a 312MB JSON. The email chain is redacted correctly and cover-noted. An index — 41 pages — sits next to Aisha's keyboard, listing every file, its Art 15(1) element mapping, retention period, and the three processors.

One question remains: how do you send it?

Friday 27 February 2026 · 15:12 · Cerulith HQ — Bishopsgate

The Handover

Sam confirmed in her original SAR that electronic format is acceptable. She added no delivery-method preference.

You have three options. All three are technically possible. Only one treats Art 15(1)(c)-(h) as part of the right, not a footnote.

The Question

How do you deliver the SAR response?

Your choice

🔒

Encrypted archive + indexed package + Art 15(1) cover letter.

Deliver via secure-file-share (controller-held key, time-limited link, out-of-band password). Include the 41-page index mapping every file to Art 15(1)(a)-(h): purposes, categories, recipients (AWS, Zendesk, Mixpanel named), retention periods, source, existence of automated decision-making in Pulse (flag for M3 reuse), transfer safeguards.

Your choice

✉

Unencrypted PDF via email.

ZIP the redacted files to a PDF bundle, email to the address on file. Fast, simple.

Your choice

💾

Raw database export, no index.

Send the redacted files + the Mixpanel JSON with no index and no cover letter. 'Here is the data you asked for.'

Friday 27 February 2026 · 15:40 · Cerulith HQ

+3 Defensible

The Package

Dr Aisha Khan

To Vikram, on the call

Link goes out at 09:00 Monday. Password by SMS at 09:05. 14-day expiry. Audit log goes to the SAR register.

Vikram Rao

Chief Legal Officer

Index?

Dr Aisha Khan

Data Protection Officer

Every file mapped to Art 15(1)(a) through (h). Where she asked for something we don't hold, we say so. Where she asked about automated decisions, we describe Pulse's triage routing — that becomes relevant in another conversation this year.

{{ref:gdpr-15:Art 15}} is not just the data — it is the information in Art 15(1)(a) to (h). A raw export is not compliance; a cover letter with the information alongside the data is.

Encryption with out-of-band key distribution is proportionate to {{ref:gdpr-9:Art 9 special-category}} data. The cost is tiny. The protection is material.

Why This Was Defensible

{{ref:gdpr-15:Art 15(1)(a)-(h)}} requires specific information alongside the data — purposes, categories, recipients, retention, source, automated decision-making, safeguards for transfers, right to complain to the ICO.

{{ref:gdpr-32:Art 32}} applies to the delivery channel itself: special-category data in flight must be protected.

Friday 27 February 2026 · 15:52 · Cerulith HQ

±0 Mixed

The Email

Dr Aisha Khan

Reviewing the sent bundle

It's the data. It's not the Art 15(1) information.

A PDF bundle of redacted files is the data, but Art 15(1)(a) to (h) is also part of the right — purposes, categories, recipients, retention, source, automated decision-making, transfer safeguards, right to complain.

Unencrypted email for {{ref:gdpr-9:Art 9 special-category}} data is a defensible but suboptimal channel choice. If intercepted, it becomes a second incident.

Why This Is Mixed

Compliant-ish. Incomplete. Not the benchmark.

The ICO will not enforce on this. A sophisticated requester may come back asking for the Art 15(1) information explicitly.

Friday 27 February 2026 · 16:02 · Cerulith HQ

−2 Indefensible

The Dump

Dr Aisha Khan

Data Protection Officer

...

A data dump is not a Subject Access Response. {{ref:gdpr-12:Art 12(1)}} requires information in a 'concise, transparent, intelligible and easily accessible form.'

Sam will not know what she has, what's missing, what's been redacted, where it came from, how long it's kept. None of the Art 15(1) information was provided.

Why This Was Indefensible

{{ref:gdpr-12:Art 12(1)}} and {{ref:gdpr-15:Art 15(1)}} combined require form plus information. You have neither.

This mirrors part of the fact pattern in {{ref:tiktok-mpn:the TikTok £12.7M MPN}} — opaque provision of required information.

Routing Verdict

Tallying the three decisions. Translating defensibility into consequence.

Case Study

9 / 9

Defensibility Score

The Case Study

Bound report · Cerulith HQ boardroom

How an experienced DPO handles a template-quality SAR on Art 9 health data. Every thread closed. Every stakeholder clearer.

Affected Individual — Sam Chen

Sam gets the package at 09:05 on Monday 2 March. She replies at 14:22: 'Thanks. Clear and complete.' No escalation. Six months later, she tells a magazine Cerulith's handling was 'the first time a health-tech SAR hasn't felt adversarial.' British Athletics signs Cerulith into three more athlete contracts in 2027.

Company — Cerulith Health

Total SAR cost: £6,800 of internal time. Zero legal spend. Aisha's Art 15(1) cover-letter template becomes company standard. When the ICO investigation arrives in Module 6, this file is exhibited as process maturity — a mitigating factor under {{ref:edpb-04-2022:Art 83(2)(f)}}.

Career — Aisha

Aisha's handling is short-listed at the IAPP 2027 European Summit 'DPO in Practice' track. Danielle sends a handwritten card.

Next Fifty SARs

The Art 15(1) index template runs every subsequent SAR. Median turnaround drops from 24 days to 11. Rachel's team regains three support-person-weeks per quarter.

System

The email-chain redaction framework joins the DP playbook. Danielle writes a short note for the support team: 'Don't write anything you wouldn't want included. It's all their data.'

Quiet Miss

0 / 9

Defensibility Score

The Quiet Miss

You didn't breach. You didn't excel. The outcome feels worse than 'poor' because there is no crisis to close the loop — only a slow erosion of trust.

Affected Individual — Sam Chen

Sam receives the response on 3 March — one day late under a strict reading, or on time if the DUAA clock pause was documented cleanly. She does not complain, but she notices. The next time a piece of Pulse data matters — in October 2026 — she goes through her coach, not through the platform.

Company — Cerulith Health

SAR closed. An internal audit flags 'insufficient Art 15(1) information' and 'over-broad clarification letter' as process weaknesses. Remediation adds £14,000 of consultant work in Q2.

Career — Aisha

No visible impact. Aisha notes privately that the decision made Rachel's quarter easier and Cerulith's defensibility weaker.

Next Fifty SARs

SAR volume over the next two quarters runs higher than expected as requesters escalate to clarification letters that Cerulith cannot easily justify.

System

The process is revised in June, but the June revision is the third one in nine months. The DP team is seen as reactive.

First Exhibit

-6 / 9

Defensibility Score

The First Exhibit

ICO enforcement file · red-tab marker

The refusal letter is Exhibit A. Cerulith's ICO file is open. None of this was inevitable.

Affected Individual — Sam Chen

Sam files an ICO complaint on 14 March, attaching the refusal letter, the original SAR text, and the ICO SAR guidance URL. On 28 April, enforcement opens an Information Notice. Word travels via her coach to British Athletics' DP lead. Two contracts with Cerulith are paused.

Company — Cerulith Health

The refusal letter is Exhibit A in the investigation that opens December 2026 (Module 6). Under {{ref:edpb-04-2022:EDPB 04/2022}}, the Art 15 breach sits in Art 83(5) — the higher tier — pushing the proposed starting-point fine well above what Cerulith's turnover band would otherwise carry.

Career — Aisha

Vikram writes a board memo summarising the decision chain. Aisha's Art 38 reporting line is invoked for the first time.

Next Fifty SARs

Rachel's team handles every later 2026 SAR with extra scrutiny. Support sentiment drops. Two engineers resign citing 'risk-averse culture.'

System

The ICO asks for Cerulith's SAR-handling policy. It doesn't exist in writing. Drafting becomes an emergency 10-day project. The draft cites the refusal as a 'training example' — which does not help the investigation.

Module complete. Continue when you're ready. Continue to Module 2 →

Debrief

What M1 Teaches

The one-month clock under {{ref:gdpr-12:Art 12(3)}} is firm. DUAA's stop-the-clock is available in the UK but carries its own cost. There is no 'too much work' defence.
Manifestly unfounded / excessive per {{ref:ico-manifestly:ICO guidance}} is narrow: malicious intent, withdrawal-for-payment, repeat with no material change. Volume alone is not enough.
Third-party redaction under {{ref:gdpr-15-4:Art 15(4)}} protects others' personal data. Opinions about the data subject are the data subject's data — {{ref:nowak:Nowak}}, endorsed in UK practice.
Sch 2 exemptions are tools, not shields. {{ref:dpa18-sch2:Sch 2 Pt 4 para 24}} is about confidential references for appointments, not internal emails.
Art 15(1)(a)-(h) is part of the right. A cover letter with the information is not optional dressing — it is the right itself.

Next Module Tease

Three months from now, a Friday afternoon at 16:10, Imran Saleh will walk into your office with a laptop. The data that made Sam's SAR possible is about to leave the building.

Knowledge Check

Knowledge Check — 5 Questions

Five short questions to cement the module. Pass mark: 80%.

Module 1 Complete

0 / 9

Defensibility (out of 9)

This file feeds Module 6 exhibits. Your choices travel with you.

Return to Course Continue to Module 2 →