GDPR Subject Access Request (UK)
[Subject Name]
[Subject Address]
Date of birth: [Subject DOB]
Email: [Subject Email]
Reference: [Account Reference]
[Request Date]
Data Protection Officer / Data Protection Team
[Controller Name]
[Controller Address]
SUBJECT ACCESS REQUEST — ARTICLE 15 UK GDPR
Dear Sir or Madam,
I am writing to exercise my right of access to personal data under Article 15 of the UK General Data Protection Regulation (UK GDPR) and section 45 of the Data Protection Act 2018.
INFORMATION REQUESTED
I request access to: [Data Scope].
[Specific Data]
Please provide the following supplementary information in accordance with Article 15(1) UK GDPR: (a) confirmation of whether you process personal data about me; (b) the purposes of processing; (c) the categories of data concerned; (d) the recipients or categories of recipients to whom data has been or will be disclosed; (e) the retention period or criteria for determining it; (f) information about my rights to rectification, erasure, restriction, and objection; (g) the right to lodge a complaint with the ICO; (h) where the data was not collected from me, the source; and (i) information about any automated decision-making, including profiling.
Preferred format: [Preferred Format]
RESPONSE DEADLINE
Under Article 12(3) of UK GDPR, you are required to respond to this request within one calendar month of receipt. If you require additional time (up to a maximum of three months) due to the complexity or number of requests, you must notify me within the initial one-month period, setting out the reasons for the extension.
If you fail to respond within the applicable period, refuse this request without valid grounds, or provide an incomplete response, I will make a complaint to the Information Commissioner's Office (ICO) under section 165 of the Data Protection Act 2018 and may exercise my right to seek a court order under section 167 of that Act.
Please acknowledge receipt of this request.
Yours faithfully,
[Subject Name]
Data Subject
________________
Signature
What Is a GDPR Subject Access Request (UK)?
A GDPR Subject Access Request in the United Kingdom makes a formal application or declaration to the relevant authority, sets out the particulars it requires to decide or record the matter, and is shaped by the UK General Data Protection Regulation (UK GDPR).
The UK GDPR defines 'personal data' broadly as any information relating to an identified or identifiable natural person. This encompasses names, addresses, email addresses, phone numbers, financial data, health records, employment records, opinions about an individual, CCTV footage, IP addresses linked to an identifiable person, and much more. Any organisation that processes personal data about identifiable individuals — whether a large corporation, an NHS trust, a small business, a school, or a government department — is a 'data controller' and is subject to UK GDPR.
The Information Commissioner's Office (ICO) is the UK's independent regulator for data protection and information rights. The ICO publishes detailed guidance on SARs, including the Code of Practice on the Right of Access, which provides practical guidance for both individuals and organisations.
When you receive a SAR response, you are entitled to: a copy of your personal data; confirmation of the purposes for which it is processed; the categories of data concerned; information about recipients; the retention period; and information about your rights to rectification, erasure, restriction, objection, and portability. The controller must respond within one calendar month (extendable by two further months for complex requests). The response is free of charge in most circumstances.
The legal framework governing the GDPR Subject Access Request (UK) in the United Kingdom draws on several key statutes and regulatory bodies. Under UK law, the UK GDPR and Data Protection Act 2018 apply to personal data processed under this agreement. The Consumer Rights Act 2015, enforced by the Competition and Markets Authority (CMA), protects consumer rights. Section 43 of the Companies Act 2006 governs company names. The Employment Tribunal adjudicates employment disputes under the Employment Rights Act 1996. The High Court of Justice and County Court have jurisdiction for civil matters under the Senior Courts Act 1981. Parties executing a GDPR Subject Access Request (UK) in the United Kingdom should confirm the document reflects current law, including any amendments enacted since the original drafting date. The UK General Data Protection Regulation (UK GDPR) sets the foundational requirements.
When Do You Need a GDPR Subject Access Request (UK)?
A Subject Access Request is appropriate in any situation where you want to know what personal data an organisation holds about you and how it is being used.
Employment disputes are one of the most common reasons for making a SAR. If you are involved in a disciplinary process, a grievance, or an employment tribunal claim, a SAR to your employer will reveal all personal data held about you — emails, performance review notes, disciplinary records, HR correspondence, and references. This data can be crucial evidence in employment proceedings.
Financial matters: a SAR to a bank, credit reference agency (Experian, Equifax, TransUnion), insurance company, or mortgage lender will reveal the personal data they hold about you, including credit files, loan assessments, and any flags on your account.
Healthcare: a SAR to an NHS trust or private medical provider gives you access to your complete medical records, clinical notes, test results, correspondence, and any assessments or diagnoses. This is often needed before a medical negligence claim or when transferring care to a new provider.
Data misuse: if you suspect an organisation is using your personal data improperly — for example, sharing it with third parties without your consent or using it for purposes you never agreed to — a SAR reveals what data they hold and how it is being processed.
Insurance claims: if an insurer has declined a claim or changed your premium, a SAR will reveal the data they used to make that decision, including any information from third-party data sources.
Legal proceedings: in civil litigation, a SAR can be used to obtain documents and data that the other party may not voluntarily disclose.
Immigration and Home Office: a SAR to the Home Office reveals what data they hold about your immigration history, visa applications, and any decisions made about your status.
What to Include in Your GDPR Subject Access Request (UK)
A well-drafted UK GDPR Subject Access Request should contain the following elements.
Identification of the data subject: your full name, current address, date of birth, and any other identifiers that will help the organisation locate your data — for example, customer account number, employee number, NHS number, or the email address associated with your account. Providing sufficient identification is important: the controller is entitled to request verification of your identity before processing the SAR.
Date of the request: important because the one-month response period runs from the date the controller receives the request.
Identification of the data controller: the full name and address (or data protection email) of the organisation being requested. Where the organisation has a Data Protection Officer (DPO), address the request to them directly.
Statutory basis: a reference to Article 15 of the UK GDPR and/or section 45 of the Data Protection Act 2018. This puts the organisation on notice that this is a statutory request and triggers the formal response obligations.
Scope of the request: a clear statement of what data you are requesting — typically 'all personal data held about me' — and any specific categories of data you particularly want, if the organisation holds large amounts of data about you.
Time period (optional): if you want data from a specific period, state it. However, a broad request for all data is also valid and the organisation must comply with it.
Requested format: state that you would like the data in a commonly used electronic format (such as PDF or an accessible digital format) where possible. UK GDPR Article 15(3) requires the data to be provided in a commonly used electronic form if the request was made electronically.
ICO escalation language: a statement that you will complain to the ICO if the request is not responded to within one calendar month or is refused without valid grounds.
Signature and date: signed and dated by the data subject.
Additional compliance elements for a GDPR Subject Access Request (UK) used in the United Kingdom include the following. Under UK law, the UK GDPR and Data Protection Act 2018 apply to personal data processed under this agreement. The Consumer Rights Act 2015, enforced by the Competition and Markets Authority (CMA), protects consumer rights. Section 43 of the Companies Act 2006 governs company names. The Employment Tribunal adjudicates employment disputes under the Employment Rights Act 1996. The High Court of Justice and County Court have jurisdiction for civil matters under the Senior Courts Act 1981. Forms-legal.com provides this template as a starting point for United Kingdom-compliant documentation.
Sources & Citations
Statutory citations link to official government sources.
- GDPR Article 15 (EU – GDPR)
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). GDPR Subject Access Request (UK) (United Kingdom) [Legal document template]. Forms Legal. https://forms-legal.com/uk/government/declarations/gdpr-subject-access-request-uk
Frequently Asked Questions
A Subject Access Request (SAR) is a formal written request under Article 15 of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, by which an individual (the 'data subject') asks an organisation (the 'data controller') to provide a copy of all personal data held about them. The right of subject access is one of the fundamental individual rights under UK data protection law. Upon receiving a valid SAR, the data controller must confirm whether they hold personal data about you, provide you with a copy of that data, and supply supplementary information including: the purposes for which the data is being processed, the categories of data, the recipients or categories of recipients to whom the data has been disclosed, the retention period, and your rights under UK GDPR (rectification, erasure, restriction, objection, and portability). The data controller must respond within one calendar month of receiving the SAR. This can be extended by a further two months where the request is complex or numerous, but the controller must notify you of the extension and reasons within the initial one-month period.
Under Article 12(5) of UK GDPR, data controllers must provide the information requested in a SAR free of charge. An exception applies only where the requests are 'manifestly unfounded or excessive' — in which case the controller can charge a reasonable fee based on administrative costs, or refuse to comply. Where a data subject makes repeated requests (for example, the same information requested multiple times), the controller may charge a reasonable fee for subsequent copies. The fee must reflect the administrative cost of providing the information and cannot be used as a deterrent. If a controller charges a fee that you believe is unreasonable or applies the 'manifestly unfounded or excessive' exception unjustifiably, you can complain to the Information Commissioner's Office (ICO). The ICO's guidance makes clear that controllers should not refuse or charge for SARs unless there are genuinely exceptional circumstances.
If a data controller fails to respond to a SAR within the one-month deadline, fails to provide all relevant personal data, or refuses to comply without a valid legal basis, you can complain to the Information Commissioner's Office (ICO). The ICO investigates data protection complaints and can issue enforcement notices requiring the organisation to comply with UK GDPR. The ICO can also impose fines of up to £17.5 million or 4% of annual global turnover (whichever is higher) for serious infringements of UK GDPR. In addition to complaining to the ICO, you have the right to bring a civil claim in the courts under section 167 of the Data Protection Act 2018 for a court order requiring compliance, or under section 168 for compensation for material or non-material damage caused by the infringement. Non-material damage includes distress. The ICO's 2024 regulatory strategy prioritises enforcement of individual rights, including SAR compliance.
Data controllers are entitled to withhold certain categories of personal data from a SAR response. The most common grounds for withholding are: (1) Third-party personal data — if disclosing information would reveal personal data about another individual who has not consented, the controller may redact that third party's data (unless it is reasonable to disclose it without their consent). (2) Legal professional privilege — legal advice and litigation correspondence protected by privilege can be withheld. (3) Crime prevention and detection — personal data held for law enforcement purposes can be withheld if disclosure would prejudice the prevention or detection of crime. (4) Regulatory activity — information held for regulatory purposes by bodies such as HMRC or the FCA may be exempt. (5) Manifestly unfounded or excessive requests can be refused. If a controller withholds information, it must tell you it is withholding it (even if it cannot say what it is) and give you the legal basis for withholding. You can complain to the ICO if you believe a withholding decision is unjustified.
A GDPR Subject Access Request (UK) does not legally require a lawyer in the United Kingdom, and individuals and businesses may draft and execute the document independently. The UK General Data Protection Regulation (UK GDPR) does not mandate legal representation for the creation or signing of this type of document. However, seeking independent legal advice from a qualified United Kingdom lawyer is recommended for transactions involving substantial financial value, complex regulatory requirements, or cross-border elements where multiple legal jurisdictions may apply. A lawyer can verify that the document complies with all applicable statutory requirements, identify potential risks specific to the transaction, and confirm that the terms adequately protect the interests of all parties involved. The High Court of Justice has jurisdiction over disputes arising from this type of document, and Companies House may impose additional compliance obligations depending on the nature of the underlying transaction. Professional legal review is particularly advisable where the document will be submitted to government agencies or used as evidence in legal proceedings.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.