Profile information Account settings
Logout
Help Contact us
Sign up Log in
Help Contact us

Making subject access requests

Under section 45 of the Data Protection Act 2018, individuals can make subject access requests (also known as ‘SARs’ or ‘data protection requests’) to businesses and other organisations that hold their personal data. Read this guide to find out more about making SARs.

Make your Data subject access request (DSAR)
Get started
Answer a few questions. We'll take care of the rest

A subject access request is a written request to a business or organisation asking for access to the personal information it holds on you. You can make SARs to find out a variety of things, including:

  • details of the personal data that is being processed (ie a copy of the data)

  • the reasons why this data is being processed

  • how this data was sourced (if available)

  • which other organisations or individuals have access to your data

For more information, read Data protection requests.

While there is no standard form for how SARs should be made (eg post, email, social media or verbally), it is recommended that you make them in writing in order to have a record of the request. Consider making a Subject access request.

Content of a SAR

When making your SAR you should as a minimum include: 

  • your full name (including any previous names, where relevant)

  • your up-to-date contact details (eg address and telephone number)

  • any information used by the organisation to identify or distinguish you from others of the same name (eg account numbers or unique IDs)

  • details of the specific information you require and any relevant dates

  • how you would like to receive the information (eg by email or in print)

While you may request all the information an organisation holds on you, bear in mind that organisations may hold a lot of information and it could take them longer to respond or make it more difficult for you to locate the specific information you need in their response.

A SAR should not include information not relevant to your request (eg a wider customer service complaint).

Sending a SAR

Where possible, send your SAR directly to the individual or team who deal with subject access requests (eg the data protection officer). Details on contacting the relevant individual or team are usually written in a privacy policy.

Where possible, it is recommended that you:

  • keep a copy of any documents or written correspondence for your records

  • keep any proof of postage or delivery (eg postal reference number)

  • take a screenshot of the form before submitting, if using an online submission form

Where it is not possible to copy the relevant documents, you should consider making a written note of your request, recording any key details, such as:

  • the date and time of the request

  • details of the personal information requested

  • details of any further information the organisation asked you to provide

  • any reference number provided by the organisation

  • the details of any contacts interacted with when making the request

Keeping records is helpful if you later wish to follow up on your request, raise any concerns or complain about an organisation’s response.

A SAR can be made on someone’s behalf, provided the person making the request has been authorised to do so. Examples of people who may wish to make a SAR on someone’s behalf include:

  • individuals with parental responsibility (or guardianship) requesting information about a child or young person 

  • court-appointed individuals who manage someone else’s affairs (known as ‘deputies’ in England and Wales and ‘guardians’ in Scotland)

  • individuals with a power of attorney allowing them to make SARs

  • solicitors acting on their client’s instructions

  • friends or relatives that the individual feels comfortable asking for help

Organisations need to be satisfied that someone making a SAR on behalf of someone else is authorised to do so and may ask for formal supporting evidence to show this (eg written authorisation from the person on whose behalf the request is being made).

For more information on making a subject access request on someone’s behalf, Ask a lawyer.

Organisations generally have one month to respond to your request. In some circumstances (eg if you have made several requests or where proof of ID is required), organisations may need extra time to consider your request and can take up to an extra two months to respond. Organisations should inform you within one month if they need more time and explain why. 

While data requests should generally be dealt with and provided free of charge, an organisation may be able to charge a fee in certain, limited circumstances (eg where the organisation finds the request to be ‘manifestly unfounded or excessive’ because it was made to harass or disrupt the organisation).

For more information, read Data protection requests.

When organisations respond to your SAR, they will typically tell you whether or not they process your personal information and, if they do, provide copies of it. The organisations should also state:

  • what they use your information for for

  • who they share your information with

  • how long they’ll store your information for and how this was decided

  • where they obtained your information from

  • if they use your information for profiling or automated decision-making and, if so, how this is done

  • details on your rights to challenge the accuracy of your information, to have it deleted, or to object to its use

  • your right to complain to the Information Commissioner's Office (ICO)

  • what security measures they’ve taken, if they have transferred your information to a third country or an international organisation

You won’t always receive all the information you have requested. Depending on your specific circumstances you may only receive part of the information you requested or the organisation may not provide you with any personal information. 

You may not receive (all) the information you requested if the type of information you requested is not covered by a SAR (eg information about a deceased relative’s medical records) or certain exemptions apply (eg it could threaten freedom of expression in journalism, art and literature). For more information on such exemptions, read Data protection requests.

Organisations can also refuse to comply with your SAR if they believe it to be  ‘manifestly unfounded or excessive’ (instead of charging a fee).

If an organisation doesn’t respond to your SAR or you are dissatisfied with their response, you should contact the organisation. If you do not receive a response or remain dissatisfied with the response, you can complain to the ICO. You can also consider seeking enforcement through the courts. For more information, read Data protection requests.

Make your Data subject access request (DSAR)
Get started
Answer a few questions. We'll take care of the rest

We use cookies to provide the best experience