We use cookies to allow us and selected partners to improve your experience and our advertising. By continuing to browse you consent to our use of cookies. You can understand more and change your cookies preferences here.

Coronavirus Read our latest advice

Consumer Rights.

5 March 2021

How do I make a subject access request (SAR)?

You have the right to make a subject access request. This guide explains how that works for you and the organisation you’re requesting the information from.
How do I make a subject access request (SAR)?
W
Which?Editorial team

In this article

What is a subject access request (SAR)?

A subject access request, or SAR, is a written request to a company or organisation asking for access to the personal information it holds on you. 

This is a legal right everyone in the UK has, that you can exercise at any point for free in most circumstances.

1 Your right to make a subject access request

Following EU-wide changes to data protection rules, introduced in the UK as the Data Protection Act 2018 (GDPR), you can make a subject access request for free.

This right of access means you can ask to review and verify the lawfulness of the processing of your personal data. For example, you might want to make a subject access request if you’re not convinced the company is processing your data lawfully, or to understand what an organisation knows about you.

You might also want to ask about any logic involved in any automated decisions made about you or get confirmation that your data is being processed and request access.

GDPR gives you the right not to be subject to a decision based solely on automated processing if it affects you legally or substantively. Read our guide on your right to appeal automated decisions

2 How to make a subject access request

If you wish to make a subject access request,  there is no particular format for doing so - you can simply write to or email the organisation and ask it to provide all of the information about you it is required to disclose under the Data Protection Act.

You can ask the organisation you think is holding, using or sharing your personal data to supply you with copies of your personal data.

If a company tries to charge you a fee, inform them that, as of 25 May 2018, subject access requests can be made for free when GDPR became law in the UK as the Data Protection Act 2018.

To make a subject access request (SAR), follow these steps:

  1. Find out the right department and person to send the request to, if you can
  2. Make sure you know all the information you need, so you can ask for this in the same request
  3. Write to the organisation, including your full name, address and contact telephone number; any information used by the organisation to identify or distinguish you from others of the same name (account numbers, unique IDs, etc); and include details of the specific information you require and any relevant dates
  4. Include a reference to the one month deadline that applies when dealing with requests to provide personal information
  5. Reference that you have the right to make a subject access request for free under the Data Protection Act 2018.

You can use the free template letter on the Information Commissioners Office (ICO) website to make a subject access request.

Key Information

What is ICO?

The Information Commissioner's Office (ICO) is an independent authority set up in the UK to work with organisations to uphold information rights in the public interest and protect data privacy for individuals.

It can investigate and fine organisations found to be in breach of data protection rules but it cannot award compensation to individuals. 

3 Keep copies and proof of receipt

It is best to send your request by recorded delivery or by email, and you should keep a copy of the SAR and all other correspondence.

This evidence will be important if you later need to complain to ICO that the organisation didn’t give you the information you think you are entitled to after you made the subject access request.

4 What companies need to do

The Data Protection Act 2018 (GDPR) requires companies to let you know what information is held about you, whether it is on computers or on paper.

Here are the steps an organisation would need to take when dealing with a subject access request:

  1. It has to reply to you without delay and at the latest within one month, starting from the day they receive the SAR.
  2. It is allowed to extend the period of compliance by a further two months where requests are complex or numerous, but it must inform you within one month of the receipt of the request and explain why an extension is necessary.
  3. It must provide you with a copy of the personal data requested in the SAR free of charge.
  4. It can charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive.
  5. It may charge a reasonable fee for requests of further copies of the same information, but this doesn’t mean it can charge you for all subsequent access requests.
  6. It should give you the information in a commonly used format, but it need not do this if it is not possible, if it takes ‘disproportionate effort’ or if you agree to some other form, such as seeing it on screen.

5 When companies can withhold information

Companies are allowed to withhold certain information from you, for example:

  • If the information could identify someone else, and it would not be reasonable to disclose that information to you.
  • If you are being investigated for a crime, or in connection with taxes, and the investigation would be prejudiced if you had access to the information.

Related articles