Derbyn ymateb i'ch cais gwrthrych am wybodaeth

Due to the Data (Use and Access) Act coming into law on 19 June 2025, this guidance is under review and may be subject to change. The Plans for new and updated guidance page will tell you about which guidance will be updated and when this will happen.

Cynnwys

What should the organisation send back to me?

If the organisation has the information you asked for, they should provide you with copies of it (unless there is a good reason for them not to).

In their response, the organisation should also include:

yr hyn y maent yn defnyddio'ch gwybodaeth ar ei gyfer;
gyda phwy y maent yn rhannu eich gwybodaeth;
how long they will store your information for and why;
details on how you can ask if the information is correct, ask to have it amended or deleted, object to or restrict their use of it;
details on your right to complain to the ICO;
manylion am ble y cawsant eich gwybodaeth;
a ydynt yn defnyddio'ch gwybodaeth ar gyfer proffilio neu wneud penderfyniadau awtomataidd a sut maent yn gwneud hyn; a
what security measures they use if they have or will transfer your information to a country outside the UK or an international organisation.

Can the organisation send me partial or incomplete documents?

Yes. Organisations don't have to give you full copies of the original documents you have requested. You can only get eich personal information that’s contained in the documents. This might mean you get new documents that only contain your information, or original documents with certain information removed or edited out. This is commonly known as ‘redaction’.

Example of when it’s okay for an organisation not to send a full copy of an original document

Rydych yn gwneud cais gwrthrych am wybodaeth i'ch banc am gopïau llawn o'ch cyfrifynnau banc.

Your bank is not required to provide copies of the actual bank statements, but they must provide you with your personal information contained within them. For example, they could provide you with a list of transactions.

By doing so, they have now complied with your SAR without having to give you a full copy of the original bank statements.

Example of when it’s okay for an organisation to redact information

You request information from your work about a disciplinary matter.

They send you copies of all documents they have about the matter. This includes witness statements from other employees. The organisation has edited out the names of the witnesses and any other information that could identify them.

They have complied with your SAR whilst also protecting other people’s personal information.

How should the organisation send the information to me?

If you have said how you would like to receive the information (eg electronically or by post), the organisation should send it in that format where possible.

However, where you have requested large amounts of information, you may want to discuss the best way for the organisation to send you the information.

The organisation should not ask you to take action to receive this information (eg by downloading particular software or collecting it from their premises) unless you have agreed to do so.

The organisation must take steps to help you with your SAR if you have a physical or cognitive impairment or have difficulty accessing or understanding information.

What if the organisation says they no longer have the information I’ve requested?

If the organisation says they no longer have the information you’re requesting, they may have deleted or destroyed it. This is because data protection law says organisations shouldn't keep information for longer than they need it.

If you are concerned, you can check the organisation’s retention schedule. This should tell you how long they keep information for and how they safely delete or destroy it. You can usually find this in their privacy notice or on their website.