Navigating your data privacy rights can feel overwhelming, but submitting a Subject Access Request (SAR) is easier than you think. An SAR is a formal request allowing individuals to obtain a copy of their personal data from any organization, as mandated by privacy laws like the GDPR. Whether you are leaving a job, closing an account, or auditing your online presence, knowing how to submit a proper request is crucial to getting a timely response. Below, we break down exactly how to submit a Subject Access Request, including template wording, deadlines, and tips for avoiding common delays.
Read the full guide below or read the quick 60 Second Solution.
You can also submit a Subject Access Request in minutes using the CorpSpy webapp.
What is a Subject Access Request?
Step-by-Step Guide to Submitting a Subject Access Request
Subject Access Request Template
Tips for an Effective Subject Access Request
Organisational Responsibilities and Timeframes
After Submitting Your Subject Access Request
What is a Subject Access Request?
Legal Definition
A Subject Access Request is a formal request made to an organisation asking for:
- Confirmation that they are processing your personal data
- Access to your personal data
- Additional information about the processing of your data (Guide - ICO)
What You Can Request
- Personal details and contact information
- Employment records and HR files
- Health and medical records
- Financial information and transaction history
- Communication records including emails
- CCTV footage where you are identifiable
- Marketing preferences and consent records
Step-by-Step Guide to Submitting a Subject Access Request
Step 1: Choose Your Submission Method
Written Letter:
- Most formal and widely accepted method
- Provides a paper trail for reference
- Should be sent via recorded delivery
Email:
- Quick and convenient
- Easy to track and reference
- Include "Subject Access Request" in the subject line
Online Form:
- Some organisations provide dedicated SAR forms
- Often the fastest processing method
- Ensure you receive submission confirmation
Verbal Request:
- Legally valid but not recommended
- Difficult to prove submission
- Follow up in writing if using this method
Step 2: Structure Your SAR
Essential Elements to Include:
- Clear statement that you're making a Subject Access Request
- Your full name and contact details
- Specific details of information requested
- Preferred format for response (digital or hard copy)
- Proof of identity if required
Step 3: Be Specific About Your Request
Clear Specification Helps:
- Identify specific departments or systems
- Mention time periods for the data
- Specify types of data (emails, records, files)
- Identify individuals who may hold your data
Subject Access Request Template
[Your Full Name]
[Your Address]
[Your Contact Information]
[Date][Organisation Name]
[Data Protection Officer/Contact Person]
[Organisation Address]Subject: Subject Access Request under UK GDPR
Dear [Contact Person/Data Protection Officer],
I am writing to make a Subject Access Request under the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018.
I would like to request the following information:
- Confirmation that you are processing my personal data
- A copy of my personal data that you hold
- Information about your processing of my data, including:
- The purposes of processing
- Categories of personal data
- Recipients or categories of recipients
- Retention periods
- Information about my rights
[Add specific details about the data you're seeking]
Please provide this information in [specify format: electronic/hard copy].
To verify my identity, I have attached [list identification documents].
Please note that under UK GDPR, you must respond to this request within one calendar month.
Yours sincerely,
[Your Name]
Tips for an Effective Subject Access Request
Best Practices
- Be specific but comprehensive in your request
- Keep copies of all correspondence
- Note submission dates for timing purposes
- Follow up politely if responses are delayed
- Verify identity requirements before submitting
Common Mistakes to Avoid
- Being too vague about what you want
- Failing to provide adequate identification
- Not keeping proper records of your request
Organisational Responsibilities and Timeframes
Response Time Requirements
Organisations must generally respond to your SAR:
- Within one calendar month of receipt
- This can be extended by two additional months for complex requests
- They must inform you if they need an extension
Permitted Extensions
- Complex or multiple requests
- Requests requiring additional verification
- Seasonal periods or organisational capacity issues
Costs and Fees
- SARs are generally free of charge
- Organisations can charge a reasonable fee if hard copies are required
After Submitting Your Subject Access Request
Organisation's Response
The organisation should provide:
- Confirmation of data processing
- Copy of your personal data in an accessible format
Possible Outcomes
- Full compliance with your request
- Partial information with valid exemptions
- Request for clarification or additional verification
- Refusal with justification for denial
If Your Request is Ignored or Refused
- Send a reminder after three weeks
- Request an internal review if refused
- Escalate to the ICO if unsatisfied with response
- Consider legal action for serious breaches (Resource - ICO)
Making a Complaint to the ICO
If the organisation fails to respond adequately:
- Complain to the ICO within three months
- Provide evidence of your request and their response
- Explain why you believe they've breached data protection law
- Specify what outcome you're seeking
Last reviewed: 12/03/2026
60 Second Solution
Step 1: Prepare Your Request
Before you send anything:
- Identify the correct organisation and, if possible, their Data Protection Officer.
- Gather details you might need, like your account number or specific time periods for the data you want.
Step 2: Write and Submit Your SAR
You can send an email or letter. It must clearly be a "Subject Access Request" and include:
- Your full name and contact details.
- A clear description of the information you want (e.g., "all HR records," "emails from 2026 to 2026," "my personnel file").
- Any relevant account numbers.
Use this simple template for your email/letter:
Subject: Subject Access Request
Dear [Data Protection Officer/HR],
I am making a formal Subject Access Request under UK GDPR for a copy of [specify the data you want].
Please provide the information electronically. My details are [Your Name, Address].
Yours, [Your Name]
Step 3: Know the Rules
- Time: The organisation has one calendar month to respond.
- Cost: It is free, unless you request hard copies.
- Proof: They can ask for proof of identity, but cannot use this to delay the process unnecessarily.
Step 4: If You Have Problems
If they ignore you, refuse without reason, or miss the deadline:
- Send a reminder.
- If still unresolved, you can complain to the ICO (Information Commissioner's Office). They are the regulator and can enforce the law.