Data Subject Access Requests

Digital | UK-wide | Last reviewed: 1 April 2025 | 6 min

A Subject Access Request (SAR) is a formal request you can make to any organisation asking them to provide a copy of all personal data they hold about you and information about how it is used. It is one of your most powerful rights under UK GDPR and is entirely free in most cases.

Key points

  • You can submit a SAR verbally or in writing — email is the most practical and creates a record.
  • The organisation has one calendar month to respond, starting from the day after receipt.
  • Organisations cannot charge a fee for a SAR unless requests are manifestly unfounded or excessive.
  • The response must include a copy of your personal data and supplementary information such as processing purposes and retention periods.
  • If a SAR is refused or handled inadequately, you can complain to the ICO.

What Information You Can Request

A SAR entitles you to receive:

  • A copy of all personal data the organisation holds about you (in any format — emails, call recordings, CCTV footage, databases)
  • The purposes for which your data is processed
  • The categories of personal data held
  • The recipients or categories of recipients the data has been or will be shared with
  • The retention period (how long the data will be kept)
  • Your rights regarding rectification, erasure, restriction, and objection
  • The right to lodge a complaint with the ICO
  • If data was not collected directly from you, the source of the data
  • Information about any automated decision-making, including profiling, and its logic and significance

How to Submit a Subject Access Request

To submit an effective SAR:

  1. Identify the right contact. Most organisations publish a DPO or data protection contact on their privacy page. If not, address your request to "The Data Controller" or the company's general correspondence address.
  2. State clearly that you are making a Subject Access Request under Article 15 of UK GDPR. This puts the organisation on notice and starts the clock.
  3. Specify the data you are looking for — the more specific you are, the easier it is for the organisation to respond and the more useful the response. For example: "all emails in which I am named or identified," "all data held in your customer database relating to my account," or "all records of calls I have made to your customer service team."
  4. Provide enough identification to help them locate your data — your full name, any account number, date of birth, address. You do not need to provide more than is necessary for them to identify you.
  5. Send your request by email and keep a copy with a record of the send date.

Response Timeframes and Extensions

The one-month response deadline runs from the day after the organisation receives your SAR. For example, if you send a SAR on 5 March, the response is due by 5 April (or the next working day if that falls on a weekend or bank holiday).

The organisation can extend this by up to two further months where the request is complex or you have made multiple requests — but they must notify you within the first month that they are extending, and explain why. If they do not notify you, the extension is not valid.

If the organisation asks you for clarification (for example, to identify which of their systems to search), the clock is paused until you respond. Make sure your initial SAR is specific enough to avoid unnecessary delays.

What to Do If Your SAR Is Refused or Incomplete

If the organisation refuses your SAR entirely or you believe the response is incomplete:

  1. Ask for an explanation in writing. The organisation should identify which exemption they are relying on.
  2. Complain to the ICO at ico.org.uk/make-a-complaint. The ICO can investigate and issue enforcement action. You generally need to have raised the matter with the organisation first before the ICO will intervene.
  3. Apply to the court under Section 167 of the DPA 2018 for a compliance order. A court can order the organisation to comply with your request.

Keep detailed records of all communications — the dates of your request, any acknowledgements, the response received, and any follow-up correspondence.

Frequently asked questions

Can I make a SAR about my employer and get access to my personnel file?
Yes. You can submit a SAR to your employer requesting all personal data they hold about you, including your personnel file, performance reviews, emails in which you are identified, and HR records. Your employer has one month to respond. Some data may be withheld if it contains third-party information or is subject to legal professional privilege.
Can I make a SAR on behalf of someone else?
Yes, with proper authorisation. You must demonstrate you have authority to act on the data subject's behalf — for example, as a parent for a child under 13, as a holder of power of attorney for an adult who lacks capacity, or with a signed letter of authorisation from the individual. The organisation can ask for evidence of authority before responding.
The organisation says it will take three months to respond. Is this allowed?
An extension of up to two months is permitted for complex or numerous requests, but the total response time cannot exceed three months (one month + two-month extension). The organisation must notify you within the first month that they are extending, with an explanation. If they have not notified you within one month, you can complain to the ICO.
An organisation says my SAR is "manifestly unfounded" and is charging me a fee. Is this lawful?
Organisations can charge a reasonable administrative fee or refuse to respond if a SAR is "manifestly unfounded or excessive" — but this is a high threshold. A first-time SAR is almost never manifestly unfounded. If you believe the charge is unjustified, complain to the ICO.

What to do next

  1. ICO SAR guidance
     The ICO's step-by-step guidance on making a Subject Access Request.

  2. Make a complaint to the ICO
     Report an organisation that has failed to comply with your SAR.

  3. UK GDPR rights overview
     All eight of your data protection rights under UK GDPR.

  4. Right to erasure
     Request deletion of your personal data where grounds apply.

Official bodies and resources

Information Commissioner's Office

Regulator

The UK's independent authority for data protection and information rights, enforcing the UK GDPR and Data Protection Act 2018.

Citizens Advice

Charity

Provides free, confidential, and independent advice on a wide range of issues including benefits, housing, debt, and employment.

Disclaimer

This information is for general guidance only and does not constitute legal advice. You should seek qualified legal help if your situation requires it.