The Resolver Guide to Making a Subject Access Request (SAR)

If you need access to personal data that an organisation holds about you, a Subject Access Request (SAR) is your right under the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018.

Anyone can make a SAR – you do not need a solicitor or lawyer to make it on your behalf.

There are many circumstances where a SAR can help you obtain important paperwork. Our free guide will help you submit a SAR effectively and know what you should expect to receive in response.

What is a Subject Access Request?

A Subject Access Request allows you to:

Confirm whether an organisation is processing your personal data.
Access a copy of the personal data they hold about you.
Obtain other supplementary information about how your data is being used (e.g., purposes of processing, categories of data processed, and any sharing with third parties).

Step-by-Step to submitting a SAR

1. Identify the Organisation

Determine which organisation holds your data. This could be your employer, a service provider, or any entity with whom you’ve interacted and shared personal information.

2. Prepare Your Request

A SAR can be made verbally or in writing. However, it is better to submit your request in writing to ensure clarity and traceability.
There is no specific format required, but your request should include key details to help the organization identify your data.

Example SAR Template:

Subject: Subject Access Request – [Your name and the date]

Dear [Organisation’s Name],

I am writing to request access to my personal data under Article 15 of the UK General Data Protection Regulation (UK GDPR).

Please provide the following:

A copy of all personal data you hold about me.
Details of the purposes for which my data is processed.
Information about any third parties with whom my data has been shared.

To help identify my records, I have provided the following information:
[Insert relevant details like your full name, account number, or specific interactions with the organisation.*]

If you require additional information or identification, please let me know.

I look forward to your response within the statutory time frame of one month.

Yours sincerely,

[Your Name]

* The more additional information you provide the faster and more effective the response will be. Among the details it’s helpful to include in your SAR are:

Any other names where relevant, such as your name before you were married or changed it by deed-poll.
Your email address, home address and phone number.
Any relevant information that will help them identify you, such as employee number, customer account number, or NHS number.
The specific personal information you want them to provide – or, conversely, what information you don’t need.
Any additional details, such as dates, that will help the organisation find the information you are looking for.
The reason you want the information – while you don’t have to include this it may help the organisation find what you need.
How you would like to receive the information – whether electronically or printed and sent by post).
Any accessibility requirements that they should bear in mind when preparing their response – such as large fonts.

3. Submit the Request

When it comes to submitting your SAR, most organisations will let you do so via a form on their website. If this is the method you use, make sure that you take a screenshot of your request for your own records before you press submit.

You can also send your SAR by email to the organisation’s Data Protection Officer (DPO) or other appropriate contact. Most organisations will list their data protection contact details on their privacy policy or website.

The Information Commissioner’s Office also has a SAR service to help you create and send an email to an organisation directly.

You are also able to submit a SAR by post, over the phone or face to face. If you do this, make sure to keep records of when you made your request and who you spoke to. If mailing a letter, you can use recorded delivery to track it.

4. Provide Identification (if requested)

It may be that the organisation will ask for proof of identity to ensure they are releasing information to the correct person. Commonly accepted documents include:

A copy of your passport, driver’s license, or a utility bill.

Can someone submit a SAR on my behalf?

If you need some help making a SAR, it is possible for someone to submit one on your behalf – but they will need to prove that you have given them your permission to get the information for them.

When someone submits a SAR on behalf of someone else, the organisation will ask for proof of permission in the form of:

A written statement of permission
A power of attorney document

The organisation are not allowed to send the requested information unless these are provided.

Remember, if you do ask someone to make a SAR on your behalf, make sure you are totally happy for that person to have access to all of your personal information – such as financial details or medical history.

The Response: When and What to Expect

When it comes to a response, the first thing to note is that there is a set time-frame: the organisation must respond within one month of receiving your request.

For complex cases, they can be extended by two additional months but they must notify you and explain the delay.

When you do receive a response it should include the following:

Personal Data: Copies of the data they hold about you.
Supplementary Information, such as the purposes for which your data is being processed and categories of personal data being processed.

Details of any data recipients.
Information about data retention periods or criteria for determining them.
Details about the source of your data (if not directly obtained from you).
Any use of automated decision-making, including profiling.

While you can ask for all the information an organisation holds on you, this does’t automatically mean that you will get it: organisations can and will sometimes refuse to provide all or some of the information requested by a customer, employee or service user.

If you have any thoughts on this topic, or any other consumer issues you would like us to cover, feel free to get in touch with us at support@resolver.co.uk.