How to Write a Subject Access Request (Free SAR Template)

A subject access request lets you ask an organisation for a copy of the personal data it holds about you under Article 15 of the UK GDPR. There is no official form. This guide shows exactly what to include, gives model wording you can adapt, and links a free generator that builds the letter for you.
This guide covers how to write and send a subject access request under the UK GDPR, which applies uniformly across England, Wales, Scotland and Northern Ireland, since data protection is a reserved, UK-wide matter regulated by the ICO. For the fuller legal background on timing, fees and exemptions, see the subject access request guide.
What Is a Subject Access Request?
A subject access request, sometimes shortened to SAR or DSAR, is a request under Article 15 of the UK GDPR for a copy of the personal data an organisation holds about you, along with information about how and why it is used. Any individual can make one, to any organisation that controls their data, whether that is an employer, a bank, a landlord, a local council, or a company they are a customer of. gov.uk's guidance on data protection rights lists the right of access alongside the right to correct or delete your data and the right to complain to the regulator.
There is no prescribed form or wording an organisation is entitled to demand. A request is valid as soon as it clearly asks for your personal data, whether that is written on a form, sent by email, put in a letter, or said out loud to a member of staff. In practice, a clear, written request is far easier to prove was made, easier to date, and easier to escalate if the organisation is slow or unresponsive, which is why this guide focuses on writing one down.
What to Include in Your Request
A subject access request does not need legal language, but a well written one is harder for an organisation to misread, delay, or reject as unclear. Include:

- Your name, and any account, customer, or reference number the organisation uses to identify you, so it can find your record quickly.
- A clear statement that you are making a subject access request under Article 15 of the UK GDPR. You do not have to use those exact words, but naming the request removes any doubt about what you are asking for.
- What data you want. Say whether you want everything the organisation holds about you, or be specific about categories, for example emails, call recordings, CCTV footage, or HR notes, and a date range if one is relevant.
- How you want to receive it, for example by email, by post, or as a secure download, and to which address.
- Your current contact details, so the organisation can respond and, if needed, ask a follow-up question.
- Proof of identity, if you can offer it. This is not compulsory, but offering it upfront, for example a copy of a passport, driving licence, or recent utility bill, can prevent the organisation asking for it separately later and pausing the clock while it waits.
How to Send It
Send your request to the organisation itself, not to the ICO. Many larger organisations publish a data protection or privacy team email address, often inside their privacy policy, and sending it there rather than to a general customer service inbox can help avoid delay. If you cannot find a dedicated address, sending it to any part of the organisation you deal with is still legally valid; the one-month clock starts when the organisation receives a clear request, not when it reaches a particular department.
Keep a copy of what you sent and note the date. If you post a letter, consider a method that gives proof of postage or delivery. If you email, keep the sent message. This matters if you or the ICO later need to work out exactly when the one-month period started.
Model Subject Access Request Letter
The wording below is a model you can adapt to your own situation. Replace anything in brackets, and remove the bracketed instructions once you have filled them in.
[Your name] [Your address] [Date]
[Organisation name] [Organisation address, or data protection team email]
Subject access request under Article 15 of the UK GDPR
Dear [Organisation name],
I am making a subject access request under Article 15 of the UK GDPR. Please send me a copy of the personal data you hold about me, including [state what you want, for example "all personal data you hold about me" or "my customer account records and any call recordings from January 2026 to date"].
My account or reference number, if you need it to locate my record, is [reference number].
Please send this to me at [your email or postal address]. I understand you must respond within one month of receiving this request, and that a request like this is normally free of charge.
If you need to confirm my identity before responding, please let me know what you require. I can provide [for example, a copy of my passport or a recent utility bill] if that would help.
Yours sincerely, [Your name]
Prefer an Automatic Version? Use the Free Generator
If you would rather not write the letter from scratch, the free UK Subject Access Request Generator asks for your name, the organisation's name, an optional reference number, what data you want, and the date, then produces a formatted letter citing Article 15 of the UK GDPR that is ready to copy, print, or send. It runs entirely in your browser and does not collect or store what you type.

How Long a Response Takes and What It Costs
An organisation must respond without undue delay and within one calendar month of receiving a valid request. This can be extended by up to two further months where a request is complex or numerous, but the organisation must tell you within the first month and explain why. A subject access request is free in most cases; an organisation can only charge a reasonable fee, or refuse to act, where a request is manifestly unfounded or excessive, for example because it is repetitive.
Since 5 February 2026, the Data (Use and Access) Act 2025 has changed how this works in practice. First, an organisation is only required to carry out a search that is reasonable and proportionate for the data requested, rather than an exhaustive search of every system regardless of cost or effort. Second, the organisation can pause, informally called stopping the clock, on the one-month period while it waits for you to confirm your identity or clarify what you are asking for, then resume the clock once you reply. This is another reason offering proof of identity upfront, as suggested above, can help your request move faster rather than stall while the organisation waits to hear back from you.
If the Organisation Refuses or Ignores Your Request
If you do not get a response within the deadline, or you are told your request has been refused, first complain directly to the organisation using its own complaints process; most organisations are required to have one. If that does not resolve things, you can complain to the ICO, the UK's data protection regulator, which can investigate and take enforcement action. As a last resort, you can also apply to a court for an order requiring the organisation to comply.

For the wider rules a subject access request sits inside, including the other rights the UK GDPR gives you, see the UK GDPR explained guide.
This article is general information, not legal advice, and does not cover every organisation's internal process for handling a subject access request. If your request involves particularly sensitive data, such as health or criminal record information, or the organisation disputes your right to make the request at all, consider getting independent advice. For the wider picture of UK data protection rights, see the UK Data Privacy hub and the United Kingdom hub.
Frequently Asked Questions
Do I have to use a special form to make a subject access request?
No. A subject access request under Article 15 of the UK GDPR can be made in a letter, an email, or even a clear verbal request, though a written request is easiest to prove if the organisation is slow or unresponsive. It does not need to name the exact law as long as it clearly asks for your personal data.
What exactly should I ask for in a subject access request?
State that you are making a subject access request under Article 15 of the UK GDPR, and be clear about the scope, either all the personal data the organisation holds about you, or specific categories such as emails, call recordings, or account notes, plus a date range if relevant.
How long does an organisation have to respond?
An organisation must respond without undue delay and within one month of receiving a valid request. This can be extended by up to two further months for complex or numerous requests, provided the organisation tells you within the first month and explains why.
Do I have to pay for a subject access request?
No, a subject access request is free in most cases. An organisation can only charge a reasonable fee, or refuse to act, where a request is manifestly unfounded or excessive, for example if it is repetitive.
What changed for subject access requests in 2026?
From 5 February 2026, the Data (Use and Access) Act 2025 confirms that an organisation only has to carry out a reasonable and proportionate search for your data, and allows it to pause the one-month clock while it waits for you to confirm your identity or clarify what you want.
Should I include proof of identity with my request?
You are not required to, but offering proof of identity, such as a copy of a passport or a recent utility bill, can help avoid delay, since an organisation is allowed to ask for it before responding and the clock can now pause while it waits for you to provide it.
What can I do if the organisation ignores or refuses my request?
Complain to the organisation directly first, using its complaints process. If that does not resolve things, you can complain to the Information Commissioner's Office, which can investigate and take enforcement action against the organisation.
Updates
The Data (Use and Access) Act 2025 came into force for subject access requests, confirming organisations need only run a reasonable and proportionate search and allowing them to pause the one-month clock while confirming a requester's identity.
Sources and References
- ICO: A guide to subject access requests(ico.org.uk).gov
- ICO: Your right of access(ico.org.uk).gov
- gov.uk: Data protection(gov.uk).gov
- UK GDPR, Article 15: Right of access by the data subject(legislation.gov.uk).gov
- Data (Use and Access) Act 2025, s.76(legislation.gov.uk).gov