
Free GDPR Subject Access Request (SAR) Template

Exercise your right of access under Article 15 UK GDPR and the Data Protection Act 2018. Ask any organisation to disclose the personal data it holds about you with our free UK template.


What Is a GDPR Subject Access Request?

A Subject Access Request (SAR) is a formal request you can make to any organisation asking them to confirm whether they process your personal data and, if so, to provide you with a copy of that data. This right is enshrined in Article 15 of the UK GDPR, which was retained in domestic law after Brexit, and is further supported by the Data Protection Act 2018.

Under UK data protection law, every individual has the right to know what personal information an organisation holds about them, why it is being processed, who it has been shared with, how long it will be kept, and where it was obtained from. Organisations including employers, banks, councils, NHS trusts, online retailers, and any other data controller must comply with a valid SAR.

A well-drafted SAR compels the organisation to respond within one calendar month. If they fail to do so, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's independent supervisory authority for data protection. The ICO can investigate, issue enforcement notices, and impose significant fines for non-compliance.

What's Covered in This Template

Doxuno's GDPR Subject Access Request template covers every element required for a valid and comprehensive SAR under UK law. Each section can be tailored to your specific circumstances and the type of data you are seeking.

Your Identity Details: Full name, address, and reference numbers to verify your identity
Organisation Addressed: Name and contact details of the data controller receiving your request
Data Categories Requested: Specify the types of personal data you want disclosed
Purpose of Processing Enquiry: Ask why the organisation is processing your personal data
Recipients of Data: Request details of third parties your data has been shared with
Retention Periods: Find out how long the organisation intends to keep your data
Right to Rectification Notice: Remind the organisation of your right to correct inaccurate data
Automated Decision-Making Query: Ask whether automated profiling or decisions affect you
Data Source Enquiry: Find out where the organisation obtained your personal data
International Transfer Details: Ask about any transfers of your data outside the UK
Response Deadline (1 Month): Statutory one-calendar-month deadline for the organisation to respond
ICO Complaint Reference: Notice of your right to escalate to the Information Commissioner's Office

How to Make a GDPR Subject Access Request

Creating a Subject Access Request is straightforward when you follow a clear process. Our template guides you through each required element so your request is complete, lawful, and difficult for the organisation to refuse. Follow these five steps.

1. Identify the Organisation
Determine which organisation holds the personal data you want to access. Look up their Data Protection Officer (DPO) or privacy team contact details, which are typically published in their privacy notice or on their website. If the organisation is a public body, you can also find this information through the ICO's register.
2. Provide Your Identity Details
Enter your full name, current address, and any reference numbers the organisation may use for you, such as an account number, customer ID, employee number, or NHS number. Providing these details helps the organisation locate your records quickly and reduces the risk of delays caused by identity verification queries.
3. Specify the Data You Want
Describe the categories of personal data you are requesting. You can ask for all data held about you, or you can narrow your request to specific types such as employment records, CCTV footage, financial data, emails, or call recordings. Being specific can help the organisation respond more quickly.
4. State Your Legal Basis
Reference Article 15 of the UK GDPR and Section 45 of the Data Protection Act 2018 as the legal authority for your request. The template includes this language automatically. Remind the organisation of the one-calendar-month statutory deadline and their obligation to provide the information free of charge.
5. Send the Request and Keep Records
Send your SAR by email (for a quick, timestamped record) or by Royal Mail Signed For post. Keep a copy of the completed request together with proof of sending. If the organisation fails to respond within one calendar month, you can escalate the matter by filing a complaint with the ICO online or by post.

Legal Considerations for UK Subject Access Requests

Understanding the legal framework behind Subject Access Requests ensures your request is effective and that you know your rights if the organisation does not comply. UK data protection law provides strong protections for individuals seeking access to their personal data.

Important: This template is provided for informational purposes and does not constitute legal advice. For complex situations involving sensitive data or ongoing legal proceedings, consult a qualified solicitor.

Reviewed by legal professionals. The content on this page and the template clauses have been reviewed by licensed solicitors in England and Wales to ensure accuracy and compliance with UK GDPR and the Data Protection Act 2018.

UK GDPR Article 15 — Right of Access

Article 15 of the UK GDPR gives every individual the right to obtain confirmation from a data controller as to whether their personal data is being processed. If it is, the individual has the right to receive a copy of that data together with supplementary information including the purposes of processing, the categories of data concerned, the recipients, and the envisaged retention period. This right applies to all organisations operating in the United Kingdom, regardless of where they are headquartered.

Data Protection Act 2018

The Data Protection Act 2018 (DPA 2018) supplements the UK GDPR and sets out specific exemptions that may apply to a SAR. These include exemptions for crime prevention and detection, legal professional privilege, management forecasting, negotiations, and certain regulatory functions. If an organisation relies on an exemption, it must explain which exemption applies and why. The DPA 2018 also provides the legal framework for the ICO's enforcement powers.

ICO Enforcement and Complaints

If an organisation fails to respond to your SAR within one calendar month, provides an incomplete response, or refuses your request without a valid exemption, you can lodge a complaint with the Information Commissioner's Office. The ICO will investigate and can issue enforcement notices requiring the organisation to comply. In serious cases, the ICO can impose fines of up to 17.5 million pounds or 4% of annual global turnover, whichever is higher. You also have the right to seek a court order compelling the organisation to comply.

One-Month Response Deadline

The statutory deadline for responding to a SAR is one calendar month from the date the organisation receives the request. This can be extended by up to two further months if the request is complex or if the organisation has received numerous requests from the same individual. However, the organisation must contact you within the first month to explain the delay and the reasons for it. The response must be provided in a commonly used electronic format if the request was made electronically.

Frequently Asked Questions

A Subject Access Request is a formal request under Article 15 of the UK GDPR that allows you to ask any organisation to confirm whether it processes your personal data and, if so, to provide a copy of that data. The organisation must also tell you why it is processing your data, who it has been shared with, how long it will be kept, and your rights regarding that data.
Under the UK GDPR, an organisation must respond to a SAR without undue delay and within one calendar month of receiving the request. If the request is particularly complex or the organisation has received a large number of requests, this deadline can be extended by a further two months, but the organisation must inform you of the extension within the first month and explain why.
In most cases, no. Under the UK GDPR, organisations must respond to SARs free of charge. However, if your request is manifestly unfounded or excessive (for example, because it is repetitive), the organisation may charge a reasonable fee based on administrative costs. They may also charge a reasonable fee if you request additional copies of data already provided.
If an organisation fails to respond within the one-month deadline, you can lodge a complaint with the Information Commissioner's Office (ICO). The ICO has the power to investigate the matter, issue enforcement notices requiring the organisation to comply, and impose fines. You can also apply to the courts for an order compelling the organisation to respond to your request.
No. Under the UK GDPR, a Subject Access Request can be made verbally as well as in writing. However, making your request in writing (by letter or email) is strongly recommended because it creates a clear, dated record of exactly what you asked for and when. This evidence is important if you need to escalate the matter to the ICO or the courts.
An organisation can only refuse a SAR if it is manifestly unfounded or manifestly excessive. It must explain its reasons for refusal and inform you of your right to complain to the ICO. Certain exemptions under the Data Protection Act 2018 may also limit what data is disclosed, such as where disclosure would prejudice crime prevention, legal professional privilege, or regulatory functions.
Yes. A SAR can be made by an authorised representative on behalf of another individual. This could be a solicitor, a parent acting on behalf of a child, or any person with written authority from the data subject. The organisation may ask for evidence of the representative's authority before processing the request to ensure data is not disclosed to an unauthorised party.
You are entitled to receive a copy of all personal data the organisation holds about you. In addition, you must be told the purposes of processing, the categories of data held, the recipients or categories of recipients, the retention period or criteria used to determine it, where the data was obtained if not directly from you, and whether any automated decision-making or profiling is being applied.

Exercise Your Data Rights Today

Create a professional GDPR Subject Access Request in minutes. Our template provides everything you need to formally request the personal data any organisation holds about you.
