YOUR GUIDE TO:
Join the Claim is not a law firm. This information is for general guidance only and does not constitute legal advice. While every effort has been made to ensure the information is accurate, regulations, details, and legal proceedings may change.
Your personal data matters.
Your data has value. Not just to you, but to the organisations that collect, store, and process it.
Companies use personal data to provide services, improve customer experiences, personalise advertising and support business decisions. In many ways, personal data helps power the modern digital economy.
But do you know what information organisations hold about you, how they use it, who they share it with, and how long they keep it?
If you want to find out, you have the right to make a Subject Access Request (SAR).
This guide explains what a SAR is, when it can help, how to make one, and what to do if an organisation does not respond properly.
A subject access request (SAR) is a request you can make to an organisation to find out what personal data it holds about you.
Under UK data protection law, you have the right to ask an organisation whether it is processing your personal data, receive a copy of that information, and understand how it is being used.
A SAR can help you access a wide range of personal information, including:
In addition to a copy of your personal data, organisations must usually provide information about:
A SAR can be especially useful after a data breach, where you want to understand what information may have been exposed and what the organisation has done about it.
Whether you are checking the accuracy of your records, investigating a concern, or simply looking for greater transparency, a SAR gives you the right to access information that might otherwise be difficult to obtain.
Making a SAR can help you make informed decisions about your personal data. For example, you may decide to request corrections, raise a complaint, exercise other data protection rights, or seek professional advice based on what you discover.
People commonly make SARs to:
A SAR is not just for serious disputes. It is a general information right. You do not need to explain why you are making the request.
Here’s a handy step-by-step process to help you make a successful Subject Access Request.
The first step is finding where to send your request.
Most organisations provide information about SARs in their website’s privacy notices or data protection policies. Look for contact details for:
Alternatively, the organisation may provide an online SAR form.
Many organisations explain their preferred process for making a SAR, but they cannot usually insist that you use that method.
You can ask for all personal data an organisation holds about you. However, if the organisation holds a large amount of information, a more focused request may be quicker and more useful.
For example, you might ask for:
You do not need to refer to the law for your request to be valid. However, mentioning that your request is made under Article 15 of the UK GDPR and the Data Protection Act 2018 may help avoid confusion.
To process your request, the organisation needs to identify you and locate the correct records. Providing accurate information from the outset can help avoid delays and reduce the likelihood that the organisation will need to contact you for further details.
Include your:
The organisation can ask for ID if it needs to confirm who you are. The time it has to respond to your SAR does not usually start until it has received any identification it reasonably requires. However, it should request this information promptly and only ask for what is necessary to verify your identity.
Once you have prepared your SAR, you need to send it to the organisation.
A subject access request can be made verbally or in writing. You do not need to use a specific form or wording for your request to be valid, although some organisations provide dedicated channels that can help speed up the process.
You can send your SAR in the following ways:
Keeping a clear record of your SAR can make it much easier to follow up with the organisation, track response deadlines, and demonstrate what happened if you later need to make a complaint.
Keep copies of:
If you make your SAR by phone, make a note of the date and time of the call, who you spoke to, and what was discussed.
Not sure where to start? Try our ready-to-use SAR template to help you draft your request.
Subject: Subject access request
Dear [organisation name / Data Protection Officer],
I am making a Subject Access Request under Article 15 of the UK GDPR and the Data Protection Act 2018.
Please confirm whether you hold personal data about me and provide a copy of that personal data.
I would also like information about:
To help you locate my records, my details are:
Full name: [name]
Email address: [email]
Postal address: [address]
Account/reference number: [if relevant]
Other relevant details: [if relevant]
Please provide the information electronically by email.
If you need any further information to identify me, please let me know as soon as possible.
Yours sincerely,
[name]
In most cases, organisations must respond to a SAR without undue delay and within one calendar month.
The clock usually starts when the organisation receives the request. If it reasonably requires proof of identity, the clock will normally start once that information has been received.
If the request is complex, or you have made multiple requests, the organisation may extend the deadline by up to a further two months. If it does so, it must tell you within the first month and explain why.
If your request is unclear, the organisation may ask for clarification.
Where clarification is genuinely needed to identify the information being requested, the response period may be paused until the clarification is received. However, the organisation should still provide any information it can identify within the normal timeframe.
Usually not. In most cases, organisations cannot charge a fee for responding to a subject access request. The right of access is intended to help people understand how their personal data is being used, and organisations are generally expected to provide this information free of charge.
However, there are some exceptions. An organisation may charge a reasonable administrative fee if:
If an organisation decides to charge a fee, it should explain why and tell you how the fee has been calculated. It cannot use charges simply to discourage people from exercising their data protection rights.
When responding to a SAR, an organisation must provide a copy of your personal data along with information explaining how and why it is being used.
If you make your request electronically, the information will usually be provided in a commonly used electronic format unless you request otherwise. This may include:
In some cases, they may provide secure online access to your information instead.
Organisations should consider your circumstances and provide the information in a format that is accessible and practical for you to use. However, if you would prefer to receive the information in a particular format, it is worth mentioning this when making your request.
Any personal information disclosed in response to a SAR should be provided securely to help protect your privacy and prevent unauthorised access.
While organisations are generally required to respond to valid subject access requests, there are situations in which they may refuse a request or withhold some of the information requested.
Legitimate reasons for refusing a SAR include:
There are a number of legal exemptions that may allow organisations to withhold some or all of the requested information.
Common examples include:
Importantly, an exemption does not automatically mean an organisation can refuse the entire request. In many cases, it will still need to provide any information that is not covered by the exemption.
If an organisation decides it has grounds for denying your SAR, it must contact you to explain its reasons for doing so. You can complain to the Information Commissioner’s Office (ICO) if you think the refusal is unjust.
If your SAR is denied or ignored, or if you are not happy with the organisation’s response, you have several options available to you:
If the organisation has not responded within one month, send a reminder or follow-up email. Reference your original request and ask for a prompt response.
Organisations must give people a clear way to complain, acknowledge complaints within 30 days, investigate without undue delay, keep people informed, and tell them the outcome.
If you still do not get a satisfactory response, you can file a complaint with the ICO. To do this, provide details of your original SAR, any follow-up attempts, and evidence of non-response or refusal.
The ICO generally expects complaints to be made within three months of your last meaningful contact with the organisation.
In serious cases, where a company repeatedly refuses to comply with data protection laws, you may have grounds for legal action. Seeking legal advice can help you understand your options and potential remedies.
A SAR can be a valuable first step if you suspect your data has been mishandled.
In situations where a data breach has occurred, making a SAR can help you:
That may be useful if you are considering your next steps after a data breach.
However, a SAR does not automatically mean you have a data breach claim. Whether a claim exists depends on the circumstances of the incident and any loss or distress suffered.
Concerned about a data breach? Try our ready-to-use data breach SAR template to help you draft your request.
Subject: Subject access request relating to data breach
Dear [organisation name / Data Protection Officer],
I am making a Subject Access Request under Article 15 of the UK GDPR and the Data Protection Act 2018.
I understand that there may have been a data breach involving your organisation. Please confirm whether my personal data was affected.
Please provide copies of any personal data you hold about me relating to the incident, including:
To help you locate my records, my details are:
Full name: [name]
Email address: [email]
Postal address: [address]
Account/reference number: [if relevant]
Other relevant details: [if relevant]
Please provide the information electronically by email.
If you need any further information to identify me, please let me know as soon as possible.
Yours sincerely,
[name]
No. Your request is still valid even if you do not use the phrase “subject access request”, “right of access” or “Article 15”. It simply needs to be clear that you are asking for your own personal information.
No. Organisations can encourage you to use a form, but they cannot usually insist on it.
People can make SARs by any means, although, in practice, using the organisation’s preferred process may make things quicker.
Personally identifiable information (PII) is any data that can be used to identify an individual, either on its own or in conjunction with other information.
This includes things like:
Under UK data protection law, you have the right to know exactly what personal information an organisation holds about you, how it’s being used, and who it’s been shared with.
Organisations can only provide information they still hold. If personal data has been lawfully deleted before your SAR is received, the organisation will not usually be required to recreate or recover it.
No. A subject access request is used to obtain personal information about yourself.
A Freedom of Information request is used to obtain information held by public authorities, whether or not it relates to you personally.
The ICO is the UK’s data privacy watchdog. It is responsible for upholding information rights and enforcing data protection laws.
The ICO provides guidance for individuals and organisations on handling personal data and offers a complaint mechanism if a SAR is ignored or mishandled. If your SAR isn’t adequately addressed, the ICO can investigate and, in some cases, impose penalties on organisations.
Yes. A third party can make a subject access request on behalf of someone else, provided they have the individual’s permission or legal authority to act for them. This might include a solicitor, family member, carer, parent, guardian or someone holding a power of attorney.
In some circumstances, yes. Parents and guardians can often make a subject access request on behalf of a child. However, organisations must consider whether the child is mature enough to understand their own data protection rights.
If a child is considered capable of understanding those rights, the organisation may choose to deal directly with the child rather than the parent. A child can also authorise a parent, guardian or another trusted person to make a request on their behalf.
The organisation’s main consideration should be what is in the child’s best interests. It may ask for evidence that you have the authority to act on the child’s behalf before providing any information.
Yes. An organisation is entitled to take reasonable steps to verify your identity before releasing personal information. This helps ensure that your data is not disclosed to the wrong person.
If the organisation is unsure who you are, or someone is making a request on behalf of another person, it may ask for additional information or identification documents.
Organisations must make reasonable efforts to find and provide the information covered by your request. However, they are not required to carry out searches that would be unreasonable or disproportionate. If you believe information has been missed, you can ask how the searches were carried out or raise a complaint with the ICO.
Join the Claim is not a law firm. We connect individuals with top law firms for group action claims, and our service is free to use. While we may receive a fee from the law firms we introduce you to, this will not affect your costs or compensation. We are not responsible for the advice or services provided by these firms. Please note, nothing on this website is legal advice, and while we check claim eligibility, we cannot guarantee a law firm will accept a case.
Join the Claim is a trading name of Join the Claim Limited, authorised and regulated by the Financial Conduct Authority (FRN: 1053404). Registered in England and Wales, Company No: 16245278. Registered office: 32 Eyre Street, Sheffield, S1 4QZ.