Free GDPR Subject Access Request Template

Dear Sir or Madam,

I write to exercise my right of access under Article 15 of the UK GDPR, read with section 45 of the Data Protection Act 2018. This is a formal Subject Access Request ("SAR"). Please treat this letter with priority and route it to your Data Protection Officer or Privacy Team.

I am: Jane Elizabeth Smith, date of birth 15 June 1985, account/reference AC-987654, email jane.smith@email.co.uk. Pursuant to Article 12(6) of the UK GDPR, where you have reasonable doubts as to my identity you may request additional information strictly necessary to confirm it. I am willing to provide a copy of a UK passport or driving licence to assist verification on request; please do not release any personal data to any other address, email, telephone number or portal without first verifying my identity and the channel. I do not consent to my data being released to any third party on my behalf without my further specific written authority.

Pursuant to Article 15(1) of the UK GDPR I require:
— confirmation of whether or not you are processing personal data concerning me;
— where you are so processing, access to that personal data;
— the purposes of processing and the lawful basis under Article 6 (and, where applicable, Article 9);
— the categories of personal data concerned;
— the recipients or categories of recipient to whom the personal data has been or will be disclosed, in particular recipients in third countries or international organisations;
— the envisaged retention period, or the criteria used to determine it;
— the existence of the rights to rectification, erasure, restriction of processing and to object, and the right to lodge a complaint with the ICO;
— where the personal data was not collected from me, any available information as to its source; and
— the existence of any automated decision-making, including profiling (Article 22(1) and (4)), and meaningful information about the logic, significance and envisaged consequences.

Pursuant to Article 15(3) I require a copy of the personal data undergoing processing. In particular, I request the following categories of my personal data:

— All emails and correspondence (internal and external) mentioning me
— Customer service and HR call recordings
— Payroll, benefits and pension records
— Profiling, performance-management and disciplinary records
— CCTV footage in which I appear

I confirm that I expressly require the copy to include telephone call recordings, chat transcripts, CCTV footage and any other audio/visual recordings in which I can be identified, to the extent you hold such recordings.

I also require, in respect of any automated decision-making or profiling affecting me (Article 22), meaningful information about the inputs, the logic involved, the significance of the processing and the envisaged consequences.

To assist your search, I limit this SAR to personal data processed during the following period: 1 January 2021 to 9 March 2026. This limitation is without prejudice to my right to submit a further SAR in relation to other periods.

For completeness only, my context for making this request is: I am seeking this information in connection with a potential employment dispute.. I am not required to give a reason and the purpose of the SAR is irrelevant to your statutory obligation to comply: see Dawson-Damer v Taylor Wessing LLP [2017] EWCA Civ 74.

Please provide the information and the copy by email to jane.smith@email.co.uk as encrypted attachments. You are required to respond without undue delay and in any event within one calendar month of receipt of this request pursuant to Article 12(3) of the UK GDPR. That period may be extended by a further two months only where the request is complex or numerous, in which case you must inform me of the extension and the reasons for it within one month of receipt. If you propose to request additional information to confirm my identity under Article 12(6), please do so within 7 days of receipt of this letter, as the statutory response period runs from the time my identity is verified.

Pursuant to Article 12(5) of the UK GDPR, this request is made free of charge. You may charge a reasonable fee (or refuse to act) only where the request is manifestly unfounded or excessive, in particular because of its repetitive character — see Rudd v Bridle [2019] EWHC 893 (QB). In that event you bear the burden of demonstrating that the request falls within that narrow exception. I do not consider this request to be either manifestly unfounded or excessive.

If you intend to withhold any data in reliance on an exemption in Schedule 2 of the Data Protection Act 2018 (for example: crime and taxation, legal professional privilege, negotiations, confidential references, management information) or on Article 15(4) of the UK GDPR (rights and freedoms of others), you must: (a) identify the data withheld (in generic terms); (b) specify the exemption relied on; (c) set out, in sufficient particularity, the reasoning as required by Article 12(4); and (d) release all other data which is not properly caught by any such exemption. Redactions must be the minimum necessary to protect the rights relied on — wholesale redaction of documents is not permissible.

This request is made pursuant to Articles 12 and 15 of the UK GDPR, read with the Data Protection Act 2018. If you fail to comply fully, or only in part without lawful justification, I reserve my statutory rights to:
— lodge a complaint with the Information Commissioner's Office (ICO) under section 165 DPA 2018;
— apply for a court order for compliance under section 167 DPA 2018; and
— claim compensation under Article 82 UK GDPR and section 168 DPA 2018 for any material or non-material damage (including distress).

Please acknowledge receipt of this request and confirm your reference within 7 days. All correspondence should be directed to Jane Elizabeth Smith at the details shown on this letter.

YOURS FAITHFULLY,