How to Make a UK Subject Access Request (SAR)

A subject access request (SAR) is the practical way you exercise the right of access under Article 15 of the UK GDPR and the Data Protection Act 2018. You can ask any organisation that holds your personal data for a copy of it. There is no special form, the request is normally free, and the organisation must usually respond within one calendar month.
For the full UK data protection framework, see the parent guide: United Kingdom data privacy laws.
What a Subject Access Request Actually Gets You
A SAR is the mechanism for the right of access in Article 15 of the UK GDPR. It entitles you to confirmation of whether an organisation is processing your personal data and, if it is, a copy of that data. You are also entitled to supplementary information that largely mirrors a privacy notice. Article 15(1)(a) to (h) lists this: the purposes of the processing, the categories of personal data concerned, the recipients or categories of recipient (including any in third countries), the envisaged retention period or the criteria used to set it, your rights to rectification, erasure and restriction, your right to complain to the ICO, the source of the data where it was not collected from you, and information about any solely automated decision-making affecting you. A SAR is for your own personal data, not for general documents, and not for information that is solely about other people.
Watch out: A SAR is not a route to documents as such. The right is to your personal data within those documents, so an organisation may extract the relevant data or redact unrelated material rather than hand over whole files.
How to Make a SAR: No Form, No Fee, No Magic Words
There is no prescribed format. Under ICO guidance you can make a SAR verbally or in writing, and that includes email, a letter, a post on the organisation's social media, or a request made in person. You do not have to mention "Article 15", use the phrase "subject access request", or send it to a particular department or person. A request to any part of the organisation counts, although sending it to a named data protection contact or a published privacy address will usually be faster.

To help the organisation act quickly, make the request clear and specific. State that you want a copy of your personal data, give enough detail to identify yourself, and, if you only want particular records (for example HR files or CCTV from a specific date and location), say so. Keep a dated copy of what you sent. You can ask a third party, such as a solicitor or a relative, to make a SAR on your behalf, but the organisation can ask for evidence of their authority to act for you.
Under Article 12(6) of the UK GDPR, an organisation that has genuine, reasonable doubts about your identity can ask for information to confirm it, such as proof of identity, before disclosing data. It should not request more than is necessary, and it cannot use an ID request as a delaying tactic.
The One-Month Deadline and When It Can Pause or Extend
The organisation must respond without undue delay and at the latest within one calendar month. ICO guidance treats the clock as starting the day after the request is received and running to the corresponding date the following month. If there is no corresponding date (for example a request received on 31 January), the deadline is the last day of the next month, and if the deadline falls on a weekend or public holiday it moves to the next working day.
The one month can be extended by up to two further months where the request is complex or where you have made a number of requests. To rely on the extension the organisation must tell you within the first month that it is extending the deadline and explain why. Two separate situations also affect timing. First, under Article 12(6), if the organisation reasonably needs to confirm your identity, the time limit does not start until it has the information it needs. Second, the Data (Use and Access) Act 2025 introduced a "stop the clock" rule, in force from 5 February 2026, so that where an organisation reasonably needs more information to find the data or clarify a broad request, the clock pauses until you provide that information.
The Fee Rules: Free, With Narrow Exceptions
In most cases a SAR is free. An organisation can only charge a "reasonable fee" based on its administrative costs in limited situations: where the request is manifestly unfounded or excessive, or where you ask for additional copies of data you have already received. Article 15(3) of the UK GDPR expressly allows a reasonable fee based on administrative costs for further copies. If a fee is charged, the one-month period does not begin until you have paid it, and the organisation must be able to justify the amount if you later complain.

The "manifestly unfounded or excessive" exception is narrow. ICO guidance stresses that the word "manifestly" means it must be clear or obvious that the request is unfounded or excessive; a request is not excessive simply because you have asked for a large amount of data. Examples of manifestly unfounded requests include where someone makes a request with no genuine intention of exercising the right of access, where they explicitly say they want to cause disruption, or where they offer to withdraw the request in return for some benefit. In these cases the organisation can either charge a reasonable fee or refuse to act, but it must explain its reasoning.
Watch out: An organisation that refuses or charges on "manifestly unfounded or excessive" grounds carries the burden of demonstrating that the request meets the test. A frustrated tone or a large data volume on its own is not enough.
What Can Be Withheld: Exemptions and Third-Party Data
The right of access is strong but not absolute. The Data Protection Act 2018 sets out exemptions in section 15 and Schedule 2, and an organisation can withhold the specific material an exemption covers while still disclosing the rest. Common exemptions include legal professional privilege (Schedule 2, paragraph 19), which covers confidential communications with legal advisers for the purpose of obtaining or giving legal advice or in connection with litigation; confidential references given for employment, education or appointments (Schedule 2, paragraph 24); the prevention and detection of crime and the assessment or collection of tax (Schedule 2, Part 1); and management forecasts and negotiations where disclosure would prejudice the business.
Third-party data is handled separately. Where complying with your SAR would disclose information that identifies another living person, the organisation must balance your right of access against that person's privacy and decide whether it is reasonable to disclose without their consent, recording its reasoning. It cannot use a blanket refusal just because someone else appears in the records; it should redact or withhold only what is necessary to protect the third party.
| If the organisation... | What it should do | Your move |
|---|---|---|
| Asks to verify your identity | Request only what is necessary; clock starts once provided | Send proof; note that the deadline pauses |
| Asks you to clarify a broad request | May pause the clock under the 2025 stop-the-clock rule | Narrow the scope to speed things up |
| Applies an exemption | Disclose the rest and explain what is withheld and why | Ask which exemption and challenge if unclear |
| Withholds third-party data | Balance the rights and redact rather than refuse outright | Ask for redacted copies of the rest |
| Refuses as manifestly unfounded or excessive | Explain its reasoning and inform you of your right to complain | Escalate to the ICO if you disagree |
Refusals and How to Escalate to the ICO
If an organisation refuses your SAR, in whole or in part, it must tell you why, inform you of your right to complain to the ICO, and tell you that you can seek to enforce the right through the courts. A partial refusal still requires the organisation to provide the data it can disclose. If you are unhappy with the outcome, the first step is to raise it directly with the organisation, in writing, explaining what is wrong (for example, a missed deadline, gaps in the data, or an exemption you think does not apply).

If that does not resolve matters, you can complain to the Information Commissioner's Office. ICO guidance asks you to give the organisation a chance to put things right first, and to bring your complaint to the ICO normally within three months of your last meaningful contact with the organisation. A complaint can be made online or by phone. The ICO can investigate, give the organisation advice, and take regulatory action, although it does not award compensation. Separately, you have the right to bring a claim in court to enforce your rights or to seek compensation for damage caused by a breach.
Frequently Asked Questions
Do I have to use a special form to make a subject access request?
No. There is no prescribed form and no required wording. ICO guidance confirms you can make a SAR verbally or in writing, including by email, letter, social media message, or in person. You do not need to cite Article 15 or use the phrase 'subject access request', although saying clearly that you want a copy of your personal data helps the organisation respond.
How long does an organisation have to respond to my SAR?
Without undue delay and at the latest within one calendar month. The clock generally starts the day after the request is received. The deadline can be extended by up to two further months for complex or numerous requests, but only if the organisation tells you within the first month and explains why.
Can an organisation charge me a fee for a subject access request?
In most cases, no. A SAR is free. An organisation can only charge a reasonable fee based on administrative costs if the request is manifestly unfounded or excessive, or if you ask for additional copies of data you already received. Article 15(3) of the UK GDPR allows a reasonable fee for further copies.
What does 'manifestly unfounded or excessive' mean?
The word 'manifestly' means it must be clear or obvious. A request can be manifestly unfounded where there is no genuine intention to access data, where the person says they want to cause disruption, or where they offer to withdraw it for a benefit. A request is not excessive just because it covers a large amount of data. The organisation must be able to justify the label.
What information can be left out of the response?
An organisation can apply exemptions in the Data Protection Act 2018, such as legal professional privilege (Schedule 2, paragraph 19) and confidential references (Schedule 2, paragraph 24), and can withhold or redact information that would reveal another person's personal data after balancing the competing rights. It should still disclose the parts not covered by an exemption.
Can I make a SAR on behalf of someone else?
Yes. A third party such as a solicitor or family member can make a SAR for you, but the organisation can ask for evidence that they are authorised to act on your behalf before it discloses your data to them.
What can I do if I get no response or an inadequate one?
First raise it directly with the organisation in writing. If that does not resolve it, you can complain to the ICO, normally within three months of your last meaningful contact with the organisation. The ICO can investigate and take regulatory action. You can also bring a court claim to enforce your rights or seek compensation, but the ICO itself does not award compensation.
Does the response have to be in a particular format?
If you make the request electronically, the information should generally be provided in a commonly used electronic form unless you ask for something else. The data should be provided in a concise, transparent and intelligible form, and the organisation should explain any codes or technical terms needed to understand it.
Sources and References
- UK GDPR, Article 15 (right of access by the data subject) (legislation.gov.uk)
- UK GDPR, Article 12 (transparent information; time limits, fees, identity verification) (legislation.gov.uk)
- Data Protection Act 2018, Schedule 2 (exemptions, incl. legal professional privilege and references) (legislation.gov.uk)
- Data (Use and Access) Act 2025 (SAR stop-the-clock, in force 5 February 2026) (legislation.gov.uk)
- ICO: Your right to get copies of your data (subject access) (ico.org.uk)
- ICO: Time limits for responding to data protection rights requests (ico.org.uk)
- ICO: Why organisations might partially or fully refuse a subject access request (ico.org.uk)
- ICO: Make a complaint about your personal information concerns (ico.org.uk)