Ever wondered what information companies, government bodies, or other organisations hold about you? Perhaps you’re curious about what your bank knows, what data your employer keeps, or what your doctor has on file. The good news is that in the UK, you have a legal right to find out—and it’s easier than you might think.
What is a Subject Access Request?
A Subject Access Request (SAR) is your legal right under UK GDPR to ask any organisation if they’re using or storing your personal information. It’s a powerful tool that puts you in control of your data, and the best part? You don’t need a solicitor or legal expertise to make one.
Under UK data protection law, organisations must tell you what information they hold about you, how they’re using it, and who they’re sharing it with. This right is enshrined in Article 15 of UK GDPR.
What Can You Request?
You can ask for:
- All the personal information an organisation holds about you
- Specific information, such as medical records, employment files, or customer service notes
- Details about how your data is being used
- Information about who your data has been shared with
- The logic involved in any automated decision-making, including AI systems
Top Tip: Being specific about what you want often leads to faster, more useful responses. Rather than asking for “everything,” try requesting particular types of information relevant to your situation.
AI and automated decisions: If you’re concerned about how AI or algorithms have been used to make decisions about you, you have the right to request meaningful information about the logic involved. For more on this topic, see our guide: GDPR Subject Access Requests When AI Processes Your Data.
How to Make a Request
Making a Subject Access Request is straightforward. You can submit one through:
- Online: Many organisations have SAR forms on their websites
- Email: Send a clear email with your request
- Post: Write a letter to the organisation
- Phone: Call and make your request verbally
- In person: Visit the organisation directly
The ICO provides a free online tool to help you generate a SAR email: ICO Subject Access Request Tool. The tool takes about 10 minutes and creates a pre-formatted email you can send directly to the organisation.
What to Include in Your Request
Make your request clear by including:
- The words “subject access request” in your subject line or opening
- Your full name and contact details
- Any reference numbers or account numbers that identify you
- A clear description of the information you’re requesting
- Your preferred method for receiving the information (email, post, etc.)
Where to Send It: Check the organisation’s privacy notice or website—they should list a contact address specifically for data requests. Look for terms like “Data Protection Officer,” “Privacy Team,” or “Data Subject Rights.”
Sample SAR Email Template
Here’s a template you can adapt for your own request:
Subject: Subject Access Request under UK GDPR
Dear Data Protection Officer,
I am making a subject access request under Article 15 of the UK General Data Protection Regulation.
Please provide me with:
1. Confirmation of whether you are processing my personal data
2. A copy of all personal data you hold about me
3. Information about the purposes of the processing
4. The categories of personal data concerned
5. The recipients or categories of recipients to whom my data has been disclosed
6. The retention period for my data, or the criteria used to determine that period
7. Information about the source of the data (if not collected from me directly)
8. Information about any automated decision-making, including profiling
My details for identification:
- Full name: [Your full name]
- Address: [Your address]
- Email: [Your email]
- Account/reference number (if applicable): [Reference number]
Please respond within one calendar month as required by law. I would prefer to receive this information by email to [your email address].
Yours faithfully,
[Your name]How Long Should It Take?
Organisations have one calendar month from receiving your request to respond. In complex cases, they may extend this by up to two additional months, but they must tell you why within the first month and when you’ll receive a response.
Important: Most organisations cannot charge you a fee for a basic SAR, though they may charge reasonable costs for additional copies or if your request is clearly excessive or repetitive.
Real-world example: In 2023, the ICO took enforcement action against Bristol City Council for consistently failing to respond to subject access requests within the legal timeframe. The case demonstrates that the ICO takes SAR compliance seriously. Read more: Bristol City Council ICO Enforcement Case: Falling Behind On Subject Access Request Compliance.
Requesting Data on Behalf of Someone Else
You can make a request for another person, such as a child or someone you have power of attorney for, but you’ll need to prove you have permission. The organisation may ask for:
- Written permission (signed letter of consent) from the person
- A power of attorney document
- Proof of parental responsibility (birth or adoption certificate)
- Other proof of your authority to act on their behalf
What If You Don’t Get a Response?
If a month passes and you haven’t heard anything, don’t worry—you have options.
Step 1: Follow Up Directly
Send a polite follow-up email or letter to the organisation. Sometimes requests get lost or delayed, and a gentle reminder can get things moving. Keep copies of everything you send.
Step 2: Make a Formal Complaint
If you still don’t receive a satisfactory response:
- Contact the organisation’s complaints department
- Clearly state that you made a Subject Access Request on [date]
- List any missing information or problems with their response
- Request a full response within one month
Keep Records: Save copies of all your correspondence—emails, letters, and notes from phone calls. This creates a paper trail if you need to escalate.
Step 3: Complain to the ICO
If the organisation still doesn’t respond properly, you can complain to the Information Commissioner’s Office (ICO)—the UK’s independent data protection regulator.
Important Timing: You must complain to the ICO within three months of your last meaningful contact with the organisation.
When you complain to the ICO:
- Provide copies of your original request and any responses
- Include your follow-up correspondence
- Explain what’s missing or unsatisfactory
You can make a complaint online: ICO Complaints Portal.
What the ICO Can Do:
- Give advice and guidance to the organisation
- Investigate your complaint
- Order the organisation to take specific action (enforcement notice)
- In serious cases, issue fines of up to £17.5 million or 4% of annual turnover
What the ICO Cannot Do:
- Act as your personal representative
- Award you compensation
- Take legal action on your behalf
If you’re considering legal action for compensation, you’ll need to seek independent legal advice and potentially take the matter to court yourself.
What If Your Request Is Refused?
Organisations can sometimes refuse all or part of your request, but they must have a valid legal reason. If they refuse, they must explain why and inform you of your right to complain to the ICO.
Common reasons for refusal include:
- The request would reveal information about other people
- The information is legally privileged
- The request is manifestly unfounded or excessive
- Disclosure would prejudice crime prevention or detection
If you believe a refusal is unjustified, you can follow the complaint process outlined above.
Frequently Asked Questions
Can organisations charge for a subject access request?
Generally no. Under UK GDPR, organisations must provide your data free of charge. However, they can charge a “reasonable fee” if your request is manifestly unfounded or excessive (particularly if repetitive), or if you request additional copies beyond the first. Any fee must be based on administrative costs.
Do I need to explain why I want my data?
No. You have an unconditional right to access your personal data. Organisations cannot refuse or delay your request because you haven’t given a reason, and they shouldn’t ask why you want the information.
Can I make a SAR to my employer?
Yes. You can make a subject access request to any organisation that holds your personal data, including your current or former employer. This can include HR records, emails mentioning you, performance reviews, disciplinary records, and any other personal information they hold.
What if an organisation says they can’t find any data about me?
If an organisation genuinely holds no personal data about you, they should confirm this in writing within one month. If you believe they do hold your data, you can ask them to explain how they searched and which systems they checked. If unsatisfied, you can complain to the ICO.
Can I request data held in backup systems?
Yes, in principle. Personal data held in backup systems is still covered by UK GDPR. However, organisations may argue that retrieving data from backups involves “disproportionate effort.” The ICO’s view is that backups should generally be searched, but there may be exceptions for genuinely archived data that’s difficult to access.
What happens if an organisation ignores my request completely?
If an organisation fails to respond within one month and ignores follow-ups, this is a breach of UK GDPR. Document everything and complain to the ICO within three months of your last contact. The ICO can investigate and, if necessary, issue enforcement notices or fines. Persistent failures to respond to SARs—like the Bristol City Council case—can result in formal enforcement action.
Final Tips for Success
- Be specific: The clearer your request, the better the response
- Be patient but persistent: Give organisations the full month, but don’t hesitate to follow up
- Keep everything: Maintain copies of all correspondence
- Know your rights: Organisations must comply with your request—it’s the law
- Don’t be intimidated: Subject Access Requests are a normal part of data protection, and you don’t need legal help to make one
- Use the ICO tools: The ICO’s online SAR tool can generate a request for you in about 10 minutes
Why This Matters
Your personal data says a lot about you—from your health and finances to your habits and preferences. Knowing what organisations hold and how they’re using it helps you:
- Spot and correct mistakes in your records
- Understand how your data influences decisions about you
- Ensure organisations are treating your information responsibly
- Exercise your wider data protection rights
Whether you’re checking your credit file, reviewing medical records, or simply curious about what a company knows, making a Subject Access Request is your right. Don’t be afraid to use it.
Official ICO Resources
- ICO Subject Access Request Tool – Generate a SAR email in about 10 minutes
- ICO Right of Access Guidance – Detailed guidance on Article 15 rights
- ICO SAR Guidance for Small Businesses – Simplified guidance for organisations
- ICO Complaints Portal – Report organisations that don’t respond properly
Related Articles
- GDPR Subject Access Requests When AI Processes Your Data – What to request when algorithms make decisions about you
- Bristol City Council ICO Enforcement Case – What happens when organisations fail to respond to SARs
- GDPR Training Requirements – Who needs to do GDPR training?
Remember: your data, your rights, your control. If you work in an organisation that handles personal data, explore our data protection training courses to better understand your responsibilities when responding to subject access requests.
