GDPR Subject Access Request (UK)
What is a GDPR Subject Access Request (UK)?
A GDPR Subject Access Request (SAR) in the United Kingdom is a written request by which an individual exercises the statutory right of access under Article 15 of the UK GDPR. It is not a contract or an agreement: once the organisation holding the data (the controller) receives it, the organisation is obliged to respond within the statutory time limit, and a failure to do so can be reported to the ICO or enforced through the courts.
The UK GDPR defines 'personal data' broadly as any information relating to an identified or identifiable natural person. This encompasses names, addresses, email addresses, phone numbers, financial data, health records, employment records, opinions about an individual, CCTV footage, IP addresses linked to an identifiable person, and much more. Any organisation that decides why and how personal data about identifiable individuals is processed, whether a large corporation, an NHS trust, a small business, a school, or a government department, is a 'controller' and is subject to UK GDPR. A SAR is addressed to the controller; an organisation that merely processes the data on a controller's behalf (a 'processor', for example an outsourced payroll provider) is not the right recipient and will usually redirect you.
The Information Commissioner's Office (ICO) is the UK's independent regulator for data protection and information rights. The ICO publishes detailed guidance on the right of access, covering both how individuals make a SAR and how controllers must handle one, and it is the body to which you complain if a controller fails to respond properly.
When you receive a SAR response, you are entitled to: a copy of your personal data; confirmation of the purposes for which it is processed; the categories of data concerned; the recipients or categories of recipient to whom it has been or will be disclosed; the retention period, or the criteria used to set it; the source of the data where it was not collected from you; whether it is used for automated decision-making, including profiling, and if so the logic involved and the consequences for you; and information about your rights to rectification, erasure, restriction and objection and your right to complain to the ICO (Article 15(1)). The controller must respond within one calendar month, extendable by two further months where requests are complex or numerous, provided it tells you within the first month that it is extending the deadline and why (Article 12(3)). The first copy is free of charge; a reasonable fee may be charged only for further copies, or where a request is manifestly unfounded or excessive (Articles 15(3) and 12(5)).
The legal framework for a Subject Access Request in the United Kingdom is the UK GDPR, read together with the Data Protection Act 2018. Article 15 of the UK GDPR creates the right of access for general processing, and Article 12 sets the procedural rules: the one-month time limit and its extension, the narrow grounds for charging a fee or refusing a request as manifestly unfounded or excessive, and the controller's ability to verify the requester's identity. The Data Protection Act 2018 supplements this: Part 3 (including section 45) provides the equivalent right where data is processed by a competent authority for law-enforcement purposes, such as a police force; Part 4 (section 94) covers the intelligence services; and Schedules 2 and 3 set out the exemptions a controller may rely on to withhold information. The ICO regulates compliance and can issue enforcement notices and penalties; a data subject may complain to the ICO (section 165) or apply to the court for an order compelling compliance (section 167). Anyone using a GDPR Subject Access Request (UK) template should confirm the document reflects current law, including any amendments enacted since the original drafting date.
When do you need a GDPR Subject Access Request (UK)?
A Subject Access Request is appropriate in any situation where you want to know what personal data an organisation holds about you and how it is being used.
Employment disputes are one of the most common reasons for making a SAR. If you are involved in a disciplinary process, a grievance, or an employment tribunal claim, a SAR to your employer will reveal the personal data held about you: emails, performance review notes, disciplinary records, HR correspondence, and internal notes about you. Be aware of the limits: a confidential reference given for employment purposes is exempt from the right of access (Data Protection Act 2018, Schedule 2, paragraph 24), and the employer may redact material that identifies other people or that is covered by legal professional privilege. Even so, the data disclosed can be crucial evidence in employment proceedings.
Financial matters: a SAR to a bank, credit reference agency (Experian, Equifax, TransUnion), insurance company, or mortgage lender will reveal the personal data they hold about you, including credit files, loan assessments, and any flags on your account.
Healthcare: a SAR to an NHS trust or private medical provider gives you access to your medical records, clinical notes, test results, correspondence, and any assessments or diagnoses. Information may be withheld only where a health professional considers that disclosure would be likely to cause serious harm to your physical or mental health or that of another person (Data Protection Act 2018, Schedule 3); this is the exception, not the rule. A SAR is often needed before a medical negligence claim or when transferring care to a new provider.
Data misuse: if you suspect an organisation is using your personal data improperly — for example, sharing it with third parties without your consent or using it for purposes you never agreed to — a SAR reveals what data they hold and how it is being processed.
Insurance claims: if an insurer has declined a claim or changed your premium, a SAR will reveal the data they used to make that decision, including any information from third-party data sources.
Legal proceedings: in civil litigation, a SAR can be used to obtain personal data that the other party might not volunteer, and a request is valid even where its motive is the litigation itself. Be realistic about what it yields: the entitlement is to your personal data and the related information listed in Article 15, not to documents as such, so a SAR supplements rather than replaces the court's disclosure process.
Immigration and Home Office: a SAR to the Home Office reveals what data they hold about your immigration history, visa applications, and any decisions made about your status.
What should a GDPR Subject Access Request (UK) contain?
A well-drafted UK GDPR Subject Access Request should contain the following elements.
Identification of the data subject: your full name, current address, date of birth, and any other identifiers that will help the organisation locate your data — for example, customer account number, employee number, NHS number, or the email address associated with your account. Providing sufficient identification is important: the controller is entitled to request verification of your identity before processing the SAR.
Date of the request: important because the one-month response period runs from the day the controller receives the request. If the controller reasonably needs to verify your identity, the ICO treats the period as starting when it receives that verification, so supply proof of identity with the request where you can and keep proof of delivery.
Identification of the data controller: the full name and address (or data protection email) of the organisation being requested. Where the organisation has a Data Protection Officer (DPO), address the request to them directly.
Statutory basis: a reference to Article 15 of the UK GDPR. For most organisations this is the only provision you need to cite. Section 45 of the Data Protection Act 2018 is the parallel right for processing by a competent authority for law-enforcement purposes (for example a police force), so cite it only where that applies; citing a provision that does not apply gives the controller an easy reason to query the request. Either way, the reference puts the organisation on notice that this is a statutory request and triggers the formal response obligations.
Scope of the request: a clear statement of what data you are requesting — typically 'all personal data held about me' — and any specific categories of data you particularly want, if the organisation holds large amounts of data about you.
Time period (optional): if you want data from a specific period, state it. A broad request for all data is also valid and the organisation must comply with it, although where it holds a large amount of data about you it may ask you to clarify what you want, and the ICO treats the response period as paused until you reply.
Requested format: state that you would like the data in a commonly used electronic format (such as PDF or an accessible digital format) where possible. UK GDPR Article 15(3) requires the data to be provided in a commonly used electronic form if the request was made electronically.
ICO escalation language: a statement that you will complain to the ICO if the request is not responded to within one calendar month or is refused without valid grounds.
Signature and date: signed and dated by the data subject.
Additional points to check before sending a GDPR Subject Access Request (UK): the controller may ask for proof of identity where it has reasonable doubts about who is asking (Article 12(6)), so be prepared to supply it promptly; it may withhold information that would identify another individual unless that person consents or disclosure is reasonable in the circumstances (Article 15(4) and Data Protection Act 2018, Schedule 2, paragraph 16); it may refuse, or charge a reasonable fee for, a request that is manifestly unfounded or excessive, but must be able to justify that position (Article 12(5)); and it must tell you within the first month if it intends to use the two-month extension and why (Article 12(3)). Keep a dated copy of the request and proof of delivery, since the deadline is counted from receipt and you will need both if you complain to the ICO. Forms-legal.com provides this template as a starting point for United Kingdom-compliant documentation.
Sources & Citations
Statutory citations link to official government sources. Last verified by Forms Legal Editorial Team.
Frequently Asked Questions
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.
Related Documents
You may also find these documents useful:
Right to be Forgotten Request (UK)
Create a Right to Erasure (Right to be Forgotten) Request for England and Wales. Formally request an organisation to delete your personal data under UK GDPR Article 17 and the Data Protection Act 2018. Sets out the legal grounds for erasure and the required response deadline.
Data Collection Consent Form (UK GDPR)
Create a legally compliant Data Collection Consent Form for England and Wales under the UK GDPR and Data Protection Act 2018. Covers lawful basis for processing under Article 6(1)(a), explicit consent for special category data under Article 9(2)(a), purpose limitation, third-party sharing disclosures, retention periods, data subject rights (Articles 15–22), right to withdraw consent under Article 7(3), and PECR-compliant marketing consent. Suitable for websites, apps, businesses, charities, and research organisations. Download as PDF or Word.
Freedom of Information Request (England & Wales)
Create a formal Freedom of Information (FOI) request letter under the Freedom of Information Act 2000. Compliant with s.8 FOIA 2000, covering the 20-working-day response period, exemptions (absolute and qualified), Environmental Information Regulations 2004, and your right to internal review and ICO complaint.
Formal Complaint Letter (UK)
Create a Formal Complaint Letter for England and Wales. Covers consumer goods and services under the Consumer Rights Act 2015, financial services complaints under FCA DISP rules, legal services complaints for the Legal Ombudsman, and escalation paths including the Financial Ombudsman Service, Small Claims Court (up to £10,000), and approved ADR schemes. Download as PDF or Word.