How to Make a Subject Access Request (SAR) Under GDPR
Under UK data protection law, you have the right to obtain a copy of the personal data that organisations hold about you. This is called a "subject access request" or SAR. It's a powerful tool for finding out what information companies, employers, councils, the NHS, and other bodies have recorded about you.
This guide explains how to make an effective subject access request and what to do if your request is ignored or refused.
What Is a Subject Access Request?
A subject access request is a formal request to an organisation asking them to provide you with:
- Confirmation of whether they hold personal data about you
- A copy of that personal data
- Information about how they're using it, who they've shared it with, and how long they'll keep it
This right exists under Article 15 of the UK GDPR and Section 45 of the Data Protection Act 2018. Almost every organisation that holds data about you must comply.
Why Make a Subject Access Request?
People make SARs for many reasons:
- To obtain evidence for legal proceedings (employment tribunal, family court, etc.)
- To find out what an employer or former employer has recorded about them
- To check medical records or social services files
- To see what a company knows about them and how they're using it
- To check whether information held is accurate
- To gather evidence of poor treatment, discrimination, or misconduct
Tip: SARs can be particularly useful in employment disputes. Employers must disclose emails, notes, and internal communications about you — which can reveal how decisions were really made.
Who Can You Send a SAR To?
You can send a SAR to any organisation that processes your personal data, including:
- Employers (current or former)
- Banks and financial institutions
- The NHS and healthcare providers
- Local councils and government departments
- Schools and universities
- Retailers and online services
- Social media companies
- Insurers
- Landlords and letting agents
- Solicitors (who hold your data)
How to Make a Subject Access Request
Step 1: Identify the Right Organisation
Make sure you're sending your request to the correct legal entity. For large companies, there's usually a data protection team or privacy contact. Check their website for a privacy policy or data protection contact.
Step 2: Put Your Request in Writing
While you can make a SAR verbally, it's much better to put it in writing so you have evidence. Email is fine — you don't need to send a letter.
Step 3: Include the Right Information
Your SAR should include:
- Your full name and any previous names they might hold records under
- Enough information to identify you (date of birth, address, account numbers, employee number, etc.)
- A clear statement that you're making a subject access request under the UK GDPR
- Specific details of what you're looking for, if you want to narrow it down
Step 4: Provide Proof of Identity
Organisations can ask for proof of identity before responding. It's reasonable to provide a copy of your passport or driving licence, but they shouldn't ask for excessive documentation.
What Should Be Included in the Response?
The organisation must provide:
- A copy of your personal data in an accessible format
- The purposes of the processing
- The categories of data they hold
- Who they've shared it with (or categories of recipients)
- How long they'll keep it
- Information about your other rights (rectification, erasure, etc.)
- The source of the data (if not collected from you directly)
Time Limits
Organisations must respond to your SAR within one calendar month. This can be extended by a further two months for complex or numerous requests, but they must tell you within the first month if they're doing this and explain why.
Important: The one-month deadline runs from when they receive your request, not when they verify your identity. However, it's reasonable for them to ask for ID before starting to process the request.
Cost
SARs are usually free. Organisations can only charge a "reasonable fee" if your request is "manifestly unfounded or excessive" — for example, if you're making repetitive requests for the same information. In practice, the vast majority of SARs should cost you nothing.
What If They Don't Respond?
If an organisation fails to respond within the time limit, provides an incomplete response, or refuses your request without valid grounds, you have several options:
1. Chase them. Send a follow-up letter pointing out they've missed the deadline and giving them a final opportunity to comply (perhaps 14 days).
2. Complain to the ICO. The Information Commissioner's Office is the regulator for data protection in the UK. You can submit a complaint online at ico.org.uk. The ICO can investigate and take enforcement action.
3. Take court action. You have the right to apply to court for an order requiring the organisation to comply. You may also be able to claim compensation if you've suffered damage or distress as a result of their failure.
Exemptions
There are some circumstances where organisations can withhold information:
- Legal professional privilege (confidential legal advice)
- Information that would reveal personal data about someone else (unless they consent or it's reasonable to disclose)
- Data processed for the prevention or detection of crime (in some circumstances)
- Certain regulatory functions
- Management forecasting or planning (to some extent)
However, organisations must still tell you if they're relying on an exemption and explain which one applies. They can't simply ignore your request.
Tips for an Effective SAR
Be specific if you can. If you're looking for particular documents or emails from a certain period, say so. This makes it easier for the organisation to find the relevant data and reduces the chance of important information being missed.
Keep copies of everything. Keep a copy of your request and note when you sent it. Keep all correspondence.
Follow up promptly. If the deadline passes without a response, don't wait months before chasing. A prompt follow-up shows you're serious.
Be persistent. Some organisations hope you'll go away. If you have a legitimate need for the data, don't be deterred by delays or partial responses.