A subject access request, or SAR, is a written request to a company or organisation asking for access to the personal information it holds on you.
This is a legal right that everyone in the UK has, and in most circumstances you can exercise it at any point for free.
This right of access means you can ask to review and verify the lawfulness of the processing of your personal data. For example, you might want to make a subject access request if you’re not convinced the company is processing your data lawfully, or to understand what an organisation knows about you.
You might also want to ask about the logic involved in any automated decisions made about you, or to get confirmation that your data is being processed and request access to it.
If you wish to make a subject access request, there is no particular format for doing so - you can simply write to or email the organisation and ask it to provide all of the information about you it is required to disclose under the Data Protection Act.
You can ask the organisation you think is holding, using or sharing your personal data to supply you with copies of your personal data.
If a company tries to charge you a fee, inform them that subject access requests have been free to make since 25 May 2018, when GDPR became law in the UK as the Data Protection Act 2018.
To make a subject access request (SAR), follow these steps:
The Information Commissioner's Office (ICO) is an independent authority set up in the UK to work with organisations to uphold information rights in the public interest and protect data privacy for individuals.
It can investigate and fine organisations found to be in breach of data protection rules but it cannot award compensation to individuals.
It is best to send your request by recorded delivery or by email, and you should keep a copy of the SAR and all other correspondence.
This evidence will be important if you later need to complain to the ICO that the organisation didn’t give you the information you think you are entitled to after you made the subject access request.
The Data Protection Act 2018 (GDPR) requires companies to let you know what information is held about you, whether it is on computers or on paper.
Here are the steps an organisation would need to take when dealing with a subject access request:
Companies are allowed to withhold certain information from you, for example: