Subject Access Request (SAR): How to Make One in the UK

A subject access request (SAR) is your right under Article 15 UK GDPR to ask any UK organisation what personal data it holds about you. It must normally respond within one month, and in most cases the request is free.
This page covers the UK GDPR right of access, which applies uniformly across England, Wales, Scotland and Northern Ireland; data protection is a reserved matter regulated nationally by the ICO, unlike criminal-record disclosure, which runs on three separate per-nation systems.
What is a subject access request?
A subject access request is a request made under Article 15 of the UK GDPR for confirmation that an organisation is processing your personal data, and, where it is, a copy of that data along with supporting information. The supporting information includes the purposes of the processing, the categories of data held, who it has been or will be shared with, how long it will be kept, where it was obtained from if not from you directly, and your other rights, including the right to rectification, erasure and to complain to the ICO. A SAR can be made to any organisation that controls your personal data, including employers, former employers, banks, landlords, schools, healthcare providers and public bodies. It is sometimes called a DSAR (data subject access request); the two terms mean the same thing.
How long does an organisation have to respond?
An organisation must respond to a SAR without undue delay and, in any event, within one calendar month of receiving it (or of receiving anything it reasonably needs first, such as proof of identity). The one-month clock generally starts on the day the request is received. This can be extended by up to two further months where the request is complex or the organisation has received a number of requests from the same person, but the organisation must tell you within the first month that it is extending the deadline and explain why. An organisation cannot simply decide, part-way through, that a straightforward request has become complex; the extension is the exception, not a default buffer.

Is a subject access request free?
A SAR is free in most cases. An organisation can charge a reasonable fee, based on the administrative cost of complying, only where the request is manifestly unfounded or excessive (for example, because it is repetitive), or where you ask for further copies of the same information you have already been given. An organisation cannot charge a general administration fee simply because a request takes time to process, and it cannot refuse to respond while it decides whether to charge; if it intends to rely on the manifestly unfounded or excessive ground, it should be able to demonstrate why.
How the Data (Use and Access) Act 2025 changed the rules (in force 5 February 2026)
The Data (Use and Access) Act 2025 amended the UK GDPR's subject access provisions, with the SAR-specific changes in force from 5 February 2026. Two changes matter most in practice:
- A "reasonable and proportionate search." The Act confirms that an organisation is only required to conduct a search for personal data that is reasonable and proportionate in the circumstances, rather than an exhaustive search of every system and paper file it holds. What is reasonable depends on factors including the request's scope and the difficulty and cost of the search.
- Stopping the clock. Where an organisation reasonably needs you to confirm your identity or to clarify what you are asking for, it can pause the one-month time limit while it waits for your reply, then resume the clock once you respond. This is intended to stop the deadline running out on an organisation that is genuinely waiting on the requester, not to give it an open-ended excuse to delay.
Neither change removes the underlying right of access, and neither lets an organisation ignore a request or take materially longer than one month (plus any lawful extension) once it has what it needs from you.
How to make a SAR
- Decide what you want to know. You do not have to request everything an organisation holds; naming the specific records, department or time period you want (for example, "my HR file since 2023" or "call recordings from my account in the last year") makes the search faster and the response more useful.
- Identify who to send it to. A SAR can be made to any part of the organisation, not only a dedicated data protection team, but sending it to a known data protection officer, HR department or customer service address, or using the organisation's published SAR process if it has one, tends to get a faster start.
- Put it in writing where possible. A verbal SAR (in person or by phone) is legally valid, but a written request, by email or letter, is easier to prove was made and easier to date for the one-month deadline. You can use our SAR letter template or the free UK Subject Access Request Generator to produce a ready-to-send letter citing Article 15.
- State that it is a subject access request, though you do not have to use that phrase or mention GDPR by name; it is enough to make clear you are asking for your personal data.
- Only provide identity documents if reasonably asked for them. An organisation can ask you to confirm your identity before it searches for or releases data, and the clock can now pause while it waits for that confirmation, but it should not demand more identification than is proportionate to the request.
- Keep a copy and note the date sent. This is your evidence of when the one-month period started if the organisation is slow to respond.
- Follow up if the deadline passes. If you hear nothing within one month (or within an extended period you were told about in writing during that first month), raise it directly with the organisation before escalating to the ICO.

What can be withheld: exemptions
The right of access is not absolute. An organisation can withhold some information, in whole or in part, under recognised exemptions, including where disclosure would reveal another identifiable person's personal data without their consent (unless it is reasonable to disclose it anyway), where the information is protected by legal professional privilege, where disclosure would prejudice the prevention or detection of crime or the assessment or collection of tax, and in some other limited categories such as certain management forecasting or negotiations. An organisation relying on an exemption should still confirm what it has withheld and, generally, why, rather than simply providing a shorter response with no explanation.
If the organisation refuses or ignores your SAR
If you do not get a response within the deadline, or you think an organisation has wrongly refused, redacted or delayed your request, first raise the problem with the organisation directly, since many issues are resolved once it is aware of the complaint. If that does not resolve it, you can complain to the ICO, the UK's data protection regulator, which can investigate and take enforcement action against organisations that breach the UK GDPR. As a last resort, you can also apply to a court for an order requiring the organisation to comply. A SAR is separate from a right to be forgotten request; see our guide to the right to erasure if you want data deleted rather than copied to you.

For the wider data protection picture, see the UK GDPR explained, the UK data privacy hub and the United Kingdom country hub. If your SAR is refused or ignored, see how to complain to the ICO; if you want data deleted rather than disclosed, see the right to be forgotten. To draft your request, use the free UK Subject Access Request Generator or the SAR letter template.
This article is general information about the UK GDPR subject access right as it applies across England, Wales, Scotland and Northern Ireland, verified against ICO and legislation.gov.uk guidance current at 19 July 2026. It is not legal advice. Whether a particular organisation has handled your request correctly can depend on the specific facts; consult the ICO or a solicitor for advice on your situation.
Frequently Asked Questions
What is a subject access request (SAR)?
A subject access request is a request, under Article 15 UK GDPR, for confirmation that an organisation holds your personal data, a copy of that data, and information about how and why it is processed, who it is shared with, and how long it is kept.
How long does a company have to respond to a SAR?
An organisation must respond without undue delay and within one calendar month of receiving a valid request. This can be extended by up to two further months for complex or numerous requests, but the organisation must tell you within the first month that it is extending the deadline.
Is a subject access request free?
Yes, in most cases. A reasonable fee can only be charged if the request is manifestly unfounded or excessive, or if you ask for further copies of information you have already been given.
Do I have to make a SAR in writing?
No. You can make a SAR verbally or in writing, to any part of the organisation. A written request is not legally required, but it is easier to prove and date, which is why a letter or email is usually recommended.
What changed with SAR rules in 2026?
From 5 February 2026, the Data (Use and Access) Act 2025 confirmed that an organisation only needs to make a reasonable and proportionate search for your data, and allows it to pause the one-month deadline while it waits for you to confirm your identity or clarify the request.
Can an organisation pause the clock while it checks my identity?
Yes. Since 5 February 2026, an organisation can stop the one-month deadline running while it reasonably waits for you to confirm your identity or clarify what you are asking for, then resume the clock once you reply.
What can I do if an organisation ignores or refuses my SAR?
Raise it with the organisation first. If that does not resolve it, you can complain to the ICO, the UK's data protection regulator, and as a last resort apply to a court for an order requiring compliance.
Can an organisation withhold some information from a SAR?
Yes. Recognised exemptions allow an organisation to withhold information that would reveal another person's data without their consent, that is covered by legal professional privilege, or that would prejudice crime prevention or detection, among other limited categories.
Updates
The Data (Use and Access) Act 2025 changes to subject access requests came into force. An organisation now only has to carry out a reasonable and proportionate search for your data, and it can pause, informally called stop the clock, on the one-month deadline while it waits for you to verify your identity or clarify an unclear request.
Sources and References
- ICO – A guide to subject access requests(ico.org.uk).gov
- ICO – Your right of access(ico.org.uk).gov
- UK GDPR, Article 15 – Right of access by the data subject(legislation.gov.uk).gov
- Data (Use and Access) Act 2025, s.76(legislation.gov.uk).gov
- ICO – Make a complaint(ico.org.uk).gov