Process Guide

Subject Access Requests


Overview

A Subject Access Request (SAR) is your legal right under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 to obtain a copy of all personal data an organisation holds about you. It is one of the most powerful tools in a consumer dispute because it forces the other side to reveal their internal records, notes, call recordings, and decision-making data.

Key Legislation

  • UK GDPR, Article 15 - The right of access by the data subject

  • UK GDPR, Article 12 - Transparent information, communication, and modalities for exercising rights

  • Data Protection Act 2018, Section 45 - Right of access (for law enforcement processing)

  • Data Protection Act 2018, Schedule 2, Part 1 - Exemptions from the right of access

What Are You Entitled To?

Under Article 15, you have the right to obtain:

  • Confirmation of whether your personal data is being processed

  • A copy of the personal data itself

  • Information about:

    - The purposes of the processing
    - The categories of personal data held
    - The recipients or categories of recipients to whom data has been disclosed
    - The retention period or criteria used to determine it
    - The existence of your other rights (rectification, erasure, restriction, objection)
    - The right to lodge a complaint with the Information Commissioner's Office (ICO)
    - The source of the data (if not collected from you directly)
    - Whether any automated decision-making (including profiling) is used, and if so, the logic involved

What Data Can You Expect to Receive?

  • Emails and letters about you

  • Internal notes, memos, and file notes

  • Call recordings and transcripts

  • Account records and transaction history

  • Complaint handling records

  • Decision-making documents (e.g., why a claim was rejected)

  • CCTV footage (if you are identifiable)

  • HR records (if making a request to an employer)

Step-by-Step: How to Make a SAR

Step 1: Identify the Organisation

You can make a SAR to any organisation that processes your personal data. Common targets in disputes include banks, insurers, retailers, utility companies, landlords, and employers.

Step 2: Write Your SAR

Your request should include:
  • A clear statement that you are making a subject access request under Article 15 of the UK GDPR

  • Your full name and enough information to identify you (account number, address, date of birth)

  • Specify the data you want if possible (e.g., "all internal notes relating to my complaint reference X")

  • You do not need to explain why you want the data

Step 3: Submit the Request


  • Send by email or post to the organisation's Data Protection Officer or privacy team

  • There is no required format - an email is sufficient

  • It is free of charge (organisations can only charge a reasonable fee if the request is manifestly unfounded or excessive)

Step 4: Wait for the Response

The organisation has one calendar month from receipt to respond (Article 12(3)). This can be extended by a further two months if the request is complex, but they must tell you within the first month and explain why.

Step 5: Check the Response

Verify you have received:
  • All categories of data you expected

  • A clear explanation of any data withheld and the exemption relied upon

  • Data in an accessible, commonly used format

What to Do if They Do Not Comply

Incomplete or No Response


  • Write a follow-up letter reminding them of their obligations under Article 15 and the one-month deadline

  • Warn that you will escalate to the ICO if they do not comply within 7 days

  • File a complaint with the ICO via their online form

  • In serious cases, you can bring a claim under Section 167 of the Data Protection Act 2018 for a court order requiring compliance, and/or claim compensation under Section 168 for distress caused by the breach

Common (Unlawful) Reasons Organisations Refuse


  • "We need to know why you want the data" - No, you do not need to give a reason

  • "We cannot find any data" - They must conduct a reasonable and proportionate search

  • "The request is too broad" - They can ask you to specify, but cannot refuse entirely

  • "It would take too long" - They can extend by 2 months, but cannot refuse for this reason alone

Exemptions to Be Aware Of

Certain data may be withheld under Schedule 2 of the Data Protection Act 2018:

  • Legal professional privilege - Communications with lawyers for legal advice

  • Management forecasting - Data relating to management planning that would prejudice the business

  • Negotiations - Data about ongoing negotiations where disclosure would prejudice them

  • Third-party data - Where disclosing would identify another individual (unless they consent or it is reasonable to disclose without consent)

  • Crime prevention - Where disclosure would prejudice the prevention or detection of crime

Strategic Use in Disputes

A SAR is a powerful tactical tool in consumer disputes:

  • Uncover hidden information - Internal notes may reveal the real reason your claim was rejected

  • Find evidence of mis-selling - Call recordings and point-of-sale documents can prove what you were told

  • Identify regulatory breaches - Decision-making records may show the company did not follow FCA rules

  • Strengthen your FOS or court case - Comprehensive data disclosure helps build a complete picture

EvenStance Can Help

EvenStance can generate a comprehensive SAR letter tailored to your dispute type, track the one-month response deadline, identify if the response is incomplete, and advise on ICO escalation if the organisation does not comply.
