Subject Access Request (UK)
[Requester Name]
[Requester Address]
Email: [Requester Email]
Tel: [Requester Phone]
Date: [Request Date]
[Organisation Department]
[Organisation Name]
[Organisation Address]
SUBJECT ACCESS REQUEST — DATA PROTECTION ACT 2018 / UK GDPR ARTICLE 15
Dear Sir or Madam,
I am writing to make a formal Subject Access Request pursuant to Article 15 of the UK General Data Protection Regulation (UK GDPR) as retained in domestic law by the European Union (Withdrawal) Act 2018, and Section 45 of the Data Protection Act 2018.
My name is [Requester Name] and I can be contacted at the address and email address stated above. To assist you in locating my personal data, my reference or account details are: [Identity Reference].
1. PERSONAL DATA REQUESTED
1.1 I request access to [Data Scope].
1.2 [Data Scope Detail]
2. SUPPLEMENTARY INFORMATION REQUESTED
2.1 In addition to a copy of my personal data, I request the following supplementary information as provided for under Article 15(1) UK GDPR:
- The purposes for which my personal data is being or has been processed, and the legal basis for each processing activity.
- The categories of personal data concerned.
- Any recipients or categories of recipients to whom my personal data has been or will be disclosed, in particular recipients in third countries or international organisations.
- Where possible, the envisaged period for which my personal data will be stored, or the criteria used to determine that period.
- Information about the right to request rectification, erasure, or restriction of processing, and to object to processing.
- The right to lodge a complaint with the Information Commissioner’s Office (ICO).
- Any available information as to the source of my personal data, where it was not collected directly from me.
- Whether any automated decision-making, including profiling, has taken place in relation to my personal data, and if so the logic involved and the significance of that processing for me.
3. PREFERRED FORMAT
3.1 I request that the information be provided in [Response Format] pursuant to Article 15(3) of the UK GDPR.
4. RESPONSE DEADLINE AND YOUR OBLIGATIONS
4.1 Under Article 12(3) of the UK GDPR and Section 45(4) of the Data Protection Act 2018, you are required to respond to this request without undue delay, and in any event within one calendar month of receipt of this request. This deadline may be extended by a further two months where requests are complex or numerous, provided you notify me within one month of receipt of the request and give reasons for the extension.
4.2 If you intend to refuse to comply with this request, you must inform me of the reasons for refusal and of my right to make a complaint to the Information Commissioner’s Office and to a judicial remedy, within one month of receipt of this request.
4.3 Please note that I am not required to pay any fee for this request. Under the UK GDPR, a Subject Access Request must be provided free of charge unless the request is manifestly unfounded, excessive, or repetitive.
4.4 If you require proof of my identity before responding, please contact me and I will provide reasonable identification. However, you should not require disproportionate or unnecessary proof of identity as a condition of responding to this request.
4.5 Please be aware that if you fail to comply with this request within the statutory time limit, I am entitled to lodge a complaint with the Information Commissioner’s Office (ICO) at Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, and to apply to the court for an order requiring you to comply, pursuant to Section 167 of the Data Protection Act 2018.
I look forward to receiving your response within the statutory time limit.
Yours faithfully,
[Requester Name]
[Requester Address]
Email: [Requester Email]
Data Subject
________________
Signature
Date: ________________
What Is a Subject Access Request (UK)?
A Subject Access Request in the United Kingdom is a formal application or declaration made to the relevant authority, setting out the particulars it requires to decide or record the matter. It takes its legal force from the UK GDPR and the Data Protection Act 2018.
The right to access personal data is one of the most fundamental rights conferred by UK data protection law. It enables individuals to verify whether their personal data is being lawfully processed, to identify inaccuracies, to understand who it has been shared with, to check how long it will be retained, and to assess whether they have grounds to exercise other rights such as the right to rectification (Article 16), the right to erasure (Article 17), or the right to object to processing (Article 21).
A Subject Access Request can be submitted to any organisation acting as a data controller — that is, any entity that determines the purposes and means of processing personal data. This includes private sector companies, public authorities, employers, NHS trusts, financial institutions, insurers, retailers, social media platforms, and any other body holding personal data. The SAR can be submitted in writing by letter or email, and there is no prescribed format — though a well-drafted formal letter that cites the specific statutory provisions is more likely to receive a prompt and substantive response.
Organisations must respond within one calendar month of receiving the request, at no charge, unless the request is manifestly unfounded or excessive. The Information Commissioner's Office (ICO) — the UK's independent data protection regulator — enforces compliance and can receive complaints from individuals whose rights are not respected.
The legal framework governing the Subject Access Request (UK) in the United Kingdom draws on several key statutes and regulatory bodies. Under UK law, the UK GDPR and the Data Protection Act 2018 govern the personal data covered by this document. The Consumer Rights Act 2015 protects individuals in consumer transactions. Section 62 of the Consumer Rights Act 2015 addresses unfair terms. The County Court and High Court of Justice have jurisdiction over personal disputes under the Senior Courts Act 1981 and the County Courts Act 1984. The Information Commissioner's Office (ICO) enforces data protection. Parties executing a Subject Access Request (UK) in the United Kingdom should confirm the document reflects current law, including any amendments enacted since the original drafting date. The Consumer Rights Act 2015 sets the foundational requirements.
When Do You Need a Subject Access Request (UK)?
A Subject Access Request is appropriate in a wide range of circumstances involving personal data held by organisations in the United Kingdom. The most common situations in which individuals submit SARs include employment disputes, consumer rights matters, healthcare queries, financial services, and general privacy concerns.
In the employment context, SARs are frequently submitted by employees or former employees who wish to review data held about them by a current or former employer — including performance records, disciplinary files, sickness records, emails, correspondence, and notes from meetings. An employee who has been dismissed, placed under a performance improvement plan, or subject to a disciplinary investigation may use a SAR to obtain documentary evidence of the decisions made and the personal data held about them, which can be relevant in employment tribunal proceedings. The subject access right applies equally to job applicants who wish to understand what data was recorded during a recruitment process.
In consumer matters, SARs are commonly used to obtain data from banks, credit reference agencies, insurers, and retailers. A borrower who has been refused a mortgage may wish to review the data held about them by a lender. A customer involved in a dispute with a company may wish to obtain copies of call recordings, emails, or notes of conversations. Under the Consumer Rights Act 2015 and the Financial Services and Markets Act 2000 (as amended), consumers in the UK have various rights that can be informed and supported by the data obtained through a SAR.
SARs are also valuable in healthcare contexts. Patients are entitled to access their NHS and private medical records under the UK GDPR. A SAR to an NHS trust, GP surgery, hospital, or private healthcare provider will typically yield copies of clinical notes, test results, correspondence between healthcare professionals, and other records held on the patient's file. This can be important for medical negligence claims, second opinions, or understanding a diagnosis.
In legal proceedings, SARs can be a cost-effective pre-litigation tool for gathering evidence. The data obtained through a SAR may reveal information that supports or informs a claim, and may also assist in identifying potential witnesses or understanding the timeline of events. Solicitors in England and Wales regularly advise clients to submit SARs as part of pre-action investigation, particularly in employment disputes, data protection claims, and professional negligence matters.
What to Include in Your Subject Access Request (UK)
A well-drafted Subject Access Request letter should contain several key elements to ensure it is effective, legally compliant, and likely to receive a thorough response from the organisation.
The letter must clearly identify the data subject — the individual making the request — with their full legal name, contact address, and any reference or account numbers held by the organisation. Providing identification information is important because the organisation is entitled to verify the identity of the person making the request before disclosing personal data to them. Under Article 12(6) of the UK GDPR, where an organisation has reasonable doubts about the identity of the individual, they may request additional information necessary to confirm identity — but they cannot demand disproportionate proof.
The letter should explicitly identify the legal basis for the request by citing Article 15 of the UK GDPR and Section 45 of the Data Protection Act 2018. This immediately signals to the organisation and its Data Protection Officer that the requester is aware of their legal rights, and makes it harder for the organisation to treat the request as an informal query rather than a formal statutory exercise.
The scope of the request should be clearly defined. The requester may request all personal data held about them, or may narrow the scope to a particular time period, category of data, or department. Being specific can make the organisation's response more focused and easier to analyse, and can reduce the volume of irrelevant information received. However, a broad request covering all personal data is equally valid.
The supplementary information requested under Article 15(1) should be stated explicitly — including the purposes and legal bases for processing, the categories of data held, recipients of the data, retention periods, and automated decision-making. These elements are often omitted from SAR responses by organisations that respond hastily, so requesting them explicitly at the outset makes clear that they must be addressed.
The preferred response format should be stated. Under Article 15(3) UK GDPR, the copy of personal data must be provided in a commonly used electronic format where the request is made electronically. The letter should also state the one-month response deadline and the requester's right to complain to the ICO and to seek a court order if the organisation fails to comply. Including these references signals that the requester understands the enforcement mechanisms available and is serious about exercising their rights.
Additional compliance elements for a Subject Access Request (UK) used in the United Kingdom are as follows. Under UK law, the UK GDPR and the Data Protection Act 2018 govern the personal data covered by this document. The Consumer Rights Act 2015 protects individuals in consumer transactions. Section 62 of the Consumer Rights Act 2015 addresses unfair terms. The County Court and High Court of Justice have jurisdiction over personal disputes under the Senior Courts Act 1981 and the County Courts Act 1984. The Information Commissioner's Office (ICO) enforces data protection. Forms-legal.com provides this template as a starting point for United Kingdom-compliant documentation.
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). Subject Access Request (UK) (United Kingdom) [Legal document template]. Forms Legal. https://forms-legal.com/uk/personal/legal-declarations/subject-access-request-uk
Frequently Asked Questions
A Subject Access Request (SAR) is a formal request by an individual (the data subject) to an organisation (the data controller) to provide a copy of all personal data held about them, together with supplementary information about how that data is being processed. The right is contained in Article 15 of the UK General Data Protection Regulation (UK GDPR) as retained in domestic law by the European Union (Withdrawal) Act 2018, and is supplemented by Sections 45 to 49 of the Data Protection Act 2018. When you submit a SAR, you are entitled to: a copy of your personal data in a commonly used and machine-readable format; the purposes for which your data is being processed and the legal bases relied upon; the categories of data held; the recipients or categories of recipients to whom the data has been disclosed (including in third countries); the planned retention period; your rights to rectification, erasure, restriction, and objection; the right to lodge a complaint with the ICO; the source of the data where it was not collected directly from you; and information about any automated decision-making or profiling. The organisation must respond within one calendar month of receipt, extendable to three months for complex requests. The response must be provided free of charge unless the request is manifestly unfounded, excessive, or repetitive.
Yes, but only in limited circumstances defined by the Data Protection Act 2018. An organisation may refuse to comply with a SAR if it is manifestly unfounded or manifestly excessive, having regard to the nature, context, and purposes of the request. In such cases, the organisation must inform you of the reasons for refusal and of your right to lodge a complaint with the Information Commissioner's Office (ICO) and to seek a judicial remedy under Section 167 of the DPA 2018. The organisation may also refuse to provide certain information that is covered by an exemption — for example, information that would identify a third party, information subject to legal professional privilege, or information held for the purposes of crime prevention or detection. Confidential employment references are partially exempt from the right of subject access under Schedule 2, Part 4, paragraph 24 of the DPA 2018. However, the exemptions are narrow and the ICO will scrutinise any refusal. If you believe your request has been wrongly refused, you should first ask the organisation to review their decision, then lodge a complaint with the ICO at ico.org.uk.
If an organisation fails to respond to your Subject Access Request within one calendar month (or three months where they have lawfully extended the deadline for a complex request), you have two principal remedies. First, you may lodge a complaint with the Information Commissioner's Office (ICO) under Section 165 of the Data Protection Act 2018. The ICO has extensive investigatory and enforcement powers, including the power to issue enforcement notices and monetary penalty notices. Second, you may apply to the court for an order requiring the organisation to comply with your request under Section 167 of the DPA 2018. Before escalating, you should send a follow-up letter to the organisation's Data Protection Officer reminding them of the statutory deadline and requesting an update. Keep records of all correspondence, including the date your original request was received (evidenced by a read receipt, recorded delivery, or acknowledgement email), as these records will be essential if you need to escalate the matter.
Your employer cannot refuse your SAR merely because the records relate to employment. Personal data held by an employer about an employee — including performance appraisals, disciplinary records, sickness records, emails, and correspondence — is subject to the same UK GDPR subject access rights as any other personal data. However, several exemptions may apply. The employer may redact information that would identify other employees (a third-party exemption). Information covered by legal professional privilege is exempt. Where information is held for the purposes of crime prevention or tax compliance, it may be withheld. Confidential references given by the employer about the employee for employment purposes are partially exempt under Schedule 2, Part 4, paragraph 24, DPA 2018 — but references received by the employer about the employee from a third party may be disclosable subject to the third party's identity being redacted if necessary. The ICO's Employment Practices Code provides further guidance on data subject access in the employment context.
The Information Commissioner's Office (ICO) is the UK's independent supervisory authority for data protection, established under Section 114 of the Data Protection Act 2018. In the context of Subject Access Request disputes, the ICO has three main functions. First, it handles complaints from individuals who believe an organisation has failed to comply with its obligations under the UK GDPR and DPA 2018 — including failure to respond to a SAR within the statutory deadline. Second, it can investigate the organisation and, where appropriate, issue an enforcement notice requiring compliance or a reprimand. Third, for serious breaches, it can issue a monetary penalty notice imposing a fine of up to £17.5 million or 4% of annual worldwide turnover (for public authorities, the standard maximum fine is £8.7 million). The ICO's contact details are: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. You can submit a complaint online at ico.org.uk. The ICO will generally not investigate a complaint unless you have first raised your concerns directly with the organisation concerned.
A Subject Access Request (Article 15 UK GDPR) allows you to obtain a copy of your personal data and supplementary information about its processing. A Right of Erasure request — also known as the 'right to be forgotten' — is a separate right under Article 17 of the UK GDPR that allows you to request the deletion of your personal data in certain circumstances. These include: where the data is no longer necessary for the purpose for which it was collected; where you have withdrawn consent and there is no other legal basis for processing; where you have successfully objected to processing under Article 21; where processing is unlawful; or where erasure is required for compliance with a legal obligation. Unlike a SAR, the right of erasure is not absolute — it can be overridden where processing is necessary for compliance with a legal obligation, for the establishment, exercise, or defence of legal claims, or for reasons of substantial public interest. Many individuals begin with a SAR to understand what data is held before deciding whether to pursue erasure.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.