Your data has value. Not just to you, but to the organisations that collect, store, and process it. Companies use personal data to tailor services, target advertisements, enhance customer experiences, and drive their business strategies. In many ways, your data helps fuel the digital economy. But how do you know what data an organisation holds about you, why it is processing it, who it has been shared with, and how long it will be kept? If you want to find out, you have the right to make a Subject Access Request (SAR).
In this guide, we’ll cover everything you need to know about making a Subject Access Request, from identifying when a SAR is necessary to understanding your rights to a response.
When and why to make a SAR
Below are some situations in which a SAR can be beneficial:
- Check data accuracy: Verify that an organisation holds correct, up-to-date information about you and fix any inaccuracies.
- Understand how your data is used: Learn how an organisation processes your data, including for marketing, profiling, or analytics.
- Identify potential data breaches: If you suspect your data has been breached or shared without consent, a SAR can confirm what data the organisation holds about you and which recipients it has been disclosed to. Note that a SAR entitles you to your personal data and the information listed in Article 15; details of how an incident happened are usually provided separately, under the organisation’s breach notification duties, where the breach is likely to result in a high risk to you.
- Know data retention practices: Find out how long an organisation keeps your data and when it will be deleted.
- Request data restrictions or deletion: If you want an organisation to stop using or limit its use of your data, a SAR provides the information you need to make a well-informed request.
Step-by-step guide to making a Subject Access Request
Here’s a handy step-by-step process to help you make a successful Subject Access Request.
1. Find out where to send your SAR
The first step in making a SAR is finding where to send it. Many organisations have a Data Protection Officer or a named contact for handling data protection enquiries. Check the following locations for details on where to send your request:
- Website privacy policies: Many companies list SAR instructions and contacts within their privacy policy sections.
- Dedicated email address: Some organisations have a specific email for SARs, often listed under ‘Data Protection Officer’ or ‘Privacy Team’.
An organisation can ask you for information it reasonably needs to confirm your identity, but it cannot insist that you use its own form or channel: a request made in writing to any part of the organisation is valid. Using the published contact simply makes your request easier to route and track. Provide only the identification that is asked for, rather than unsolicited copies of ID documents, so you do not expose more personal data than the request needs.
2. Draft a formal request
A SAR should be clear and direct, specifying the data you’re requesting. Here are some essential components to include in your request:
- Your full name and any other identifying information: This helps the organisation locate your data.
- The type of information you’re seeking: While you can request all data, being specific can speed up the process. For example, you may ask for data collected within a certain period or relating to a particular breach.
- Reference your right under the UK GDPR: Stating that your request is made under Article 15 of the UK GDPR and the Data Protection Act 2018 makes clear that it is a formal SAR, so it is routed and handled as one rather than as ordinary correspondence.
3. Sending the SAR
Once you’ve prepared your SAR, the next step is to send it to the organisation in a way that reaches the right people and is acknowledged. Here’s how to proceed:
- Email: Most organisations accept SARs via email, which is often the quickest and most convenient method. If available, use the email address designated for data protection requests, usually found in the privacy policy section of the organisation’s website. Sending a SAR by email provides a digital record of your request, which can be helpful if you need to follow up or escalate.
- Registered mail: Alternatively, you may choose to send your SAR via registered mail to the organisation’s physical mailing address. This approach is particularly useful if you want added assurance that it has been received. Include “Subject Access Request” in the subject or header of your letter, along with your contact details, to avoid any processing delays.
No matter the method, remember to save a copy of your SAR and any delivery confirmations, as these records may be important if you need to demonstrate when and how you submitted your request.
Subject Access Request templates
To help with the above, here are two sample SAR templates:
Generic SAR template
[Your Full Name]
[Your Address]
[Your Email Address]
[Date]
Data Protection Officer
[Organisation’s Name]
[Organisation’s Address or Email]
Subject: Subject Access Request
Dear Data Protection Officer,
I am writing to make a Subject Access Request under Article 15 of the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.
Please provide me with a copy of all personal data that your organisation holds about me, including but not limited to [mention specific data, e.g. account information, transaction history, correspondence, or other relevant categories].
I would also appreciate details on the purposes of processing my data, any third parties with whom my data has been shared, and the source of the data if it was not collected directly from me.
Please send this information to [Your Email Address or Postal Address].
If you require any further information to identify me, please let me know as soon as possible.
Thank you for your attention to this matter. I look forward to receiving a response within the statutory timeframe of one month.
Sincerely,
[Your Full Name]
Data breach SAR template
[Your Full Name]
[Your Address]
[Your Email Address]
[Date]
Data Protection Officer
[Organisation’s Name]
[Organisation’s Address or Email]
Subject: Subject Access Request relating to a privacy breach
Dear Data Protection Officer,
I am writing to make a Subject Access Request under Article 15 of the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.
Please advise as to whether my personal data was disclosed by you in the [describe the breach, e.g. its name and the date it was announced] privacy breach.
Specifically, I request information on:
- The specific data affected by the breach
- The timeline of the breach, including when it occurred and when it was discovered
- Your assessment of the potential risk to me due to this breach
- The measures you have taken or plan to take to prevent further unauthorised access to my personal data
- Steps I can take to protect myself, particularly against risks like identity theft and fraud.
Please send this information to [Your Email Address or Postal Address].
If you require any further information to identify me, please let me know as soon as possible.
Thank you for your attention to this matter. I look forward to receiving a response within the statutory timeframe of one month.
Sincerely,
[Your Full Name]
Understanding your rights to a response
Organisations are legally obligated to acknowledge and address your request within specific timeframes, and they must handle your data access rights with transparency and care.
Timescale for a response
Under the GDPR, organisations are required to respond to a SAR within one month. However, there are a few things to be aware of:
- Organisations may extend this deadline by two months if the request is particularly complex or involves a high volume of data, but they must inform you of the extension within the first month.
- The one month runs from the day the organisation receives your request. If it needs information to confirm your identity, or asks you to clarify an unclear request, the clock can be paused until you provide it, so respond to such requests promptly and keep a record of when you did.
Legitimate reasons for a SAR refusal
In some cases, an organisation may refuse to comply with your SAR. While this can be frustrating, it’s helpful to know the legitimate reasons for a refusal, so you understand your options if this occurs.
- If the organisation believes your request to be ‘manifestly unfounded or excessive’ it can refuse to fulfil it.
- If the data requested includes information about another individual, the organisation can withhold or redact the parts that identify that person unless they consent or it is otherwise reasonable to disclose them. This justifies redacting those parts, not refusing the whole request.
- If an organisation decides it has grounds for denying your SAR, it must contact you to explain its reasons for doing so.
- You can complain to the Information Commissioner’s Office (ICO) if you think the refusal is unjust.
What to do if your SAR is denied or ignored
If your SAR is denied or ignored, or if you are not happy with the organisation’s response, you have several options to ensure your rights are respected:
- Send a follow-up: If the organisation has not responded within one month and has not told you it is extending the deadline, send a reminder or follow-up email. Politely reference your original request, quote the date it was sent, and ask for a prompt response.
- Escalate to higher authorities within the organisation: Some companies have escalation procedures for data requests. Try contacting the customer service team or requesting the involvement of a senior manager.
- File a complaint with the ICO: If the organisation fails to comply, you can file a complaint with the ICO. To do this, provide details of your original SAR, any follow-up attempts, and evidence of non-response or refusal.
- Consider legal action: In serious cases, where a company repeatedly refuses to comply with data protection laws, you may have grounds for legal action. Seeking legal advice can help you understand your options and potential remedies.
Data breaches and Subject Access Requests
In situations where a data breach has occurred, making a SAR can help you:
- Understand exactly what personal data may have been affected by the breach.
- Find out if unauthorised individuals or organisations have gained access to your personal information.
- See if the organisation followed proper protocols after discovering the breach, such as notifying the ICO within 72 hours of becoming aware of it and informing affected individuals where the breach is likely to result in a high risk to them.
- Assess the level of risk to you, and, if necessary, take protective actions to prevent further harm.
- Gather concrete evidence of the breach, which can be essential for filing a data breach claim or complaint.
Subject Access Request FAQs
Understanding the legal terminology and SAR process makes looking after your data protection rights easier. Here’s what you need to know.
What is a Subject Access Request (SAR)?
A Subject Access Request (SAR) is a request you can make to any organisation to find out what personal data they hold about you.
What laws cover the right to a SAR?
Under the UK GDPR and the Data Protection Act 2018, individuals have the right to know what personal data organisations hold about them, why it is processed, who it is shared with, how long it is kept, and where it was sourced. Article 15 of the UK GDPR establishes the right to make a Subject Access Request.
What is personally identifiable information?
Personally identifiable information (PII) is a commonly used term for any data that can be used to identify an individual, either on its own or in combination with other information. UK data protection law uses the term ‘personal data’ for this, and gives some of the categories below (such as health, race and religion) extra protection as special category data. It includes things like:
- Name and contact details (address, phone number, email)
- Dates of birth
- National Insurance numbers
- Financial information (e.g. bank account numbers or credit card details)
- Health records and medical information
- Employment records
- Passwords and login data
- Passport information
- IP addresses
- Gender
- Race
- Religion
What is the Information Commissioner’s Office (ICO)?
The Information Commissioner’s Office (ICO) is the UK’s data privacy watchdog. It is responsible for upholding information rights and enforcing data protection laws. The ICO provides guidance for individuals and organisations on handling personal data and offers a complaint mechanism if a SAR is ignored or mishandled. If your SAR isn’t adequately addressed, the ICO can investigate and, in some cases, impose penalties on organisations.
How much does it cost to make a Subject Access Request?
In most cases, SARs are free of charge. However, if a request is deemed ‘manifestly unfounded or excessive’, the organisation may charge a reasonable fee (or refuse it), and it may also charge a reasonable fee for further copies of data it has already provided to you.
Know your rights!
Today, when personal information is used and shared across numerous platforms, SARs help people protect their privacy rights, maintain control over their personal data, ensure its accuracy, and understand how it is being used. Likewise, following a data hack or breach, SARs can provide valuable insights into the extent of the exposure, the types of data affected, and any corrective actions taken by the organisation.
To find out more about data breaches you might have been involved in, check out the live class action claims on our website.