Create a bespoke document in minutes, or upload and review your own.
Get your first 2 documents free
Your data doesn't train Genie's AI
You keep IP ownership of your information
Subject Access Request
I need a subject access request document to formally request access to all personal data held by a company about me, including details on how my data is being processed, shared, and stored, with a response deadline of 30 days as per data protection regulations.
What is a Subject Access Request?
A Subject Access Request is your legal right to ask any organization in Nigeria to show you all the personal information they have about you. Under Nigeria's Data Protection Regulation (NDPR), you can request copies of your data, learn how it's being used, and know who has access to it.
Organizations must respond to these requests within 30 days and provide the information in a clear format. You can make this request verbally or in writing to any company, government agency, or organization that handles your personal data - from banks and hospitals to employers and schools.
When should you use a Subject Access Request?
Submit a Subject Access Request when you need to understand exactly what personal information Nigerian organizations hold about you. This is especially useful if you spot errors in your records, suspect unauthorized data sharing, or need documentation for legal proceedings. It's also valuable when applying for jobs, loans, or insurance and want to verify what information potential partners can access.
Many Nigerians use these requests when dealing with banks, telecoms, or healthcare providers, particularly after experiencing service issues or identity concerns. The NDPR guarantees your right to see this data, making it a powerful tool for protecting your privacy and ensuring organizations handle your information correctly.
What are the different types of Subject Access Request?
- General Written Request: The standard format submitted by letter or email, detailing your identity and the specific personal data you want to access.
- Digital Platform Request: Submitted through an organization's website or portal, often using their prescribed online forms.
- Emergency Access Request: Used when immediate access to personal data is needed for urgent medical or legal situations.
- Third-Party Request: Made by authorized representatives like lawyers or guardians, requiring additional proof of authority.
- Sector-Specific Request: Tailored formats for banking, healthcare, or telecommunications, addressing industry-specific data protection requirements under NDPR.
Who should typically use a Subject Access Request?
- Data Subjects: Any Nigerian citizen or resident who wants to know what personal information organizations hold about them.
- Data Controllers: Companies, government agencies, and organizations that collect and process personal data, responsible for responding to requests.
- Data Protection Officers: Professionals who handle Subject Access Requests and ensure compliance with NDPR requirements.
- Legal Representatives: Lawyers who help individuals file requests or challenge responses.
- NITDA Officials: Regulators who enforce data protection rights and handle complaints about unmet requests.
How do you write a Subject Access Request?
- Personal Details: Gather your full name, address, contact information, and any account or reference numbers linked to the organization.
- Identity Proof: Prepare a valid Nigerian ID, such as your National ID card, passport, or driver's license.
- Data Scope: List specific information you're seeking and relevant time periods.
- Organization Details: Note the correct legal name and contact information of the data controller.
- Format Choice: Specify how you want to receive the information (email, paper copy, or digital file).
- Documentation: Keep copies of all correspondence and proof of delivery.
What should be included in a Subject Access Request?
- Personal Identification: Full name, address, and valid ID details that establish your identity under NDPR guidelines.
- Request Scope: Clear description of the specific personal data you're requesting access to.
- Time Period: The relevant date range for the information you're seeking.
- Legal Authority: Reference to NDPR Article 3.1(7) establishing your right to access.
- Response Format: Your preferred method of receiving the information.
- Third-Party Authorization: If applicable, documentation proving your right to request on someone's behalf.
- Declaration: Statement confirming the request's legitimacy and accuracy of provided information.
What's the difference between a Subject Access Request and an Access Control Policy?
A Subject Access Request differs significantly from an Access Control Policy. While both deal with data access, they serve distinct purposes under Nigerian data protection law.
- Purpose and Direction: Subject Access Requests flow from individual to organization, demanding specific personal data. Access Control Policies flow from organization to users, setting rules for data handling.
- Legal Framework: Subject Access Requests are individual rights under NDPR, requiring organizations to respond within 30 days. Access Control Policies are internal governance documents that organizations create voluntarily.
- Scope: Subject Access Requests focus solely on personal data about the requester. Access Control Policies cover all organizational data, systems, and access permissions.
- Enforcement: Subject Access Requests are legally enforceable through NITDA. Access Control Policies are enforced through internal disciplinary measures.
Download our whitepaper on the future of AI in Legal
ұԾ’s Security Promise
Genie is the safest place to draft. Here’s how we prioritise your privacy and security.
Your documents are private:
We do not train on your data; ұԾ’s AI improves independently
All data stored on Genie is private to your organisation
Your documents are protected:
Your documents are protected by ultra-secure 256-bit encryption
Our bank-grade security infrastructure undergoes regular external audits
We are ISO27001 certified, so your data is secure
Organizational security
You retain IP ownership of your documents
You have full control over your data and who gets to see it
Innovation in privacy:
Genie partnered with the Computational Privacy Department at Imperial College London
Together, we ran a £1 million research project on privacy and anonymity in legal contracts
Want to know more?
Visit our for more details and real-time security updates.
Read our Privacy Policy.