We use cookies to allow us and selected partners to improve your experience and our advertising. By continuing to browse you consent to our use of cookies. You can understand more and change your cookies preferences here.
A subject access request, or SAR, is a written request to a company or organisation asking for access to the personal information it holds on you.
This is a legal right everyone in the UK has, that you can exercise at any point for free in most circumstances.
Following EU-wide changes to data protection rules, introduced in the UK as the Data Protection Act 2018 (GDPR), you can make a subject access request for free.
This right of access means you can ask to review and verify the lawfulness of the processing of your personal data. For example, you might want to make a subject access request if you’re not convinced the company is processing your data lawfully, or to understand what an organisation knows about you.
You might also want to ask about any logic involved in any automated decisions made about you or get confirmation that your data is being processed and request access.
GDPR gives you the right not to be subject to a decision based solely on automated processing if it affects you legally or substantively. Read our guide on your right to appeal automated decisions.
If you wish to make a subject access request, there is no particular format for doing so - you can simply write to or email the organisation and ask it to provide all of the information about you it is required to disclose under the Data Protection Act.
You can ask the organisation you think is holding, using or sharing your personal data to supply you with copies of your personal data.
If a company tries to charge you a fee, inform them that, as of 25 May 2018, subject access requests can be made for free when GDPR became law in the UK as the Data Protection Act 2018.
To make a subject access request (SAR), follow these steps:
You can use the free template letter on the Information Commissioners Office (ICO) website to make a subject access request.
The Information Commissioner's Office (ICO) is an independent authority set up in the UK to work with organisations to uphold information rights in the public interest and protect data privacy for individuals.
It can investigate and fine organisations found to be in breach of data protection rules but it cannot award compensation to individuals.
It is best to send your request by recorded delivery or by email, and you should keep a copy of the SAR and all other correspondence.
This evidence will be important if you later need to complain to ICO that the organisation didn’t give you the information you think you are entitled to after you made the subject access request.
The Data Protection Act 2018 (GDPR) requires companies to let you know what information is held about you, whether it is on computers or on paper.
Here are the steps an organisation would need to take when dealing with a subject access request:
Companies are allowed to withhold certain information from you, for example: