Subject Access Request Guide (2026)

Subject Access Request Guide (2026)

A Subject Access Request (SAR) is one of the most powerful and underused tools available to individuals in England and Wales. It costs nothing to send, it carries legal force, and — if the organisation receiving it holds data about you — they are legally required to respond within 30 calendar days. For litigants in person, a well-targeted SAR can surface exactly the documents, records, or communications that an opponent may prefer you never see.

This guide explains what a SAR is, when to use one, how to send it correctly, and what to do when the organisation fails to comply.

<

div style=”margin:24px 0;padding:18px;background:#f8f8fc;border-radius:8px;”>

When Do You Need a SAR?

A Subject Access Request is appropriate whenever an organisation holds personal data about you and you need to know what that data is. In a legal context, this arises in a wide range of situations:

• Employment disputes — you suspect your employer has made decisions based on information you have not seen, or you need internal emails, appraisal notes, or HR records to support a tribunal claim.
• Financial disputes — a bank, insurer, or lender holds records of calls, decisions, or assessments relevant to your claim or complaint.
• Housing and landlord disputes — a letting agent or housing association holds correspondence or reports that document the history of your tenancy.
• Data breach claims — you want to understand exactly what data was held about you and how it was processed before or after a breach occurred.
• Medical negligence investigations — you need records held by a healthcare provider. Note that clinical records may be subject to separate access rights under the Access to Health Records Act 1990, but a SAR under UK GDPR also applies.
• Local authority matters — a council holds assessments, communications, or decision records you need to challenge a decision.
• General litigation preparation — any opponent, insurer, or third party who holds personal data about you can be required to disclose it via a SAR, independently of any court disclosure order.

A SAR is not a fishing exercise for general documents — it is specifically a request for your personal data. However, personal data is broadly defined: it includes any information that relates to an identified or identifiable individual, which in practice captures a very wide range of records including internal notes, call recordings, emails that mention you, and decision logs that reference your file.

What a SAR Involves

A SAR is a written request made directly to an organisation — the data controller — under Article 15 of the UK General Data Protection Regulation (UK GDPR), as retained and amended by the Data Protection Act 2018 (DPA 2018).

When you submit a SAR, the controller must:

• Confirm whether or not they hold personal data about you.
• Provide a copy of that personal data.
• Provide supplementary information, including the purposes for which the data is processed, the categories of data held, the recipients to whom it has been or will be disclosed, the retention period, and information about your other rights.

There is no prescribed form. A SAR can be sent by email, letter, or through any communication channel the controller uses. Some large organisations have online SAR portals — using these is acceptable, but you should always keep a copy of your submission and note the date you sent it.

You are not required to give a reason for your request. You do not need to justify why you want the data. The right exists independently of any dispute or proceedings.

A SAR is free to make. Controllers cannot charge a fee unless your request is manifestly unfounded or excessive, in which case they may charge a reasonable fee — but the bar for this is high, and they must justify it.

Step by Step: How to Send a SAR

1. Identify the Correct Controller

Before sending your SAR, confirm who the data controller is. For a company, this is usually the organisation itself. For a group of companies, each entity is a separate controller. If you have been dealing with a subsidiary or trading name, search Companies House to identify the correct registered entity. Addressing your SAR to the wrong legal entity can cause delay.

2. Find the Data Protection Officer or Privacy Contact

Many organisations are required to appoint a Data Protection Officer (DPO). Their contact details should be in the organisation’s privacy notice, which is typically found on their website. If there is no DPO, address your SAR to the organisation’s legal or compliance team, or simply to the organisation directly.

3. Draft Your SAR

Your SAR must be clear enough for the controller to identify you and understand what you are requesting. Include the following:

• Your full legal name.
• Your address or other identifying details (for example, an account number, customer reference, or date of birth) so that they can locate your records.
• A clear statement that you are making a Subject Access Request under Article 15 UK GDPR.
• The categories or date ranges of data you are particularly interested in, if you wish to narrow the scope. This is optional — a general SAR for all data held about you is perfectly valid — but specifying a time period or subject matter can lead to a more useful response.
• A request for all supplementary information required under Article 15(1).

Do not explain why you want the data. Do not mention any dispute unless it is strategically useful to do so. A neutral, clear SAR is usually the most effective.

4. Send and Record

Send the SAR to the data controller in a way that creates a record. Email with a read receipt is ideal. If you send by post, use recorded delivery. Note the exact date of sending — this is the start of the 30-day clock.

5. Follow Up If There Is No Acknowledgement

Many organisations will send an acknowledgement within a few days. If you receive nothing within five working days, send a polite follow-up referencing the original date of your SAR and asking for confirmation that it has been received and is being processed.

6. Review the Response

When the response arrives, check it carefully:

• Does it confirm whether or not personal data is held?
• Does it provide copies of all the data, or does it redact information? If data is withheld, the controller must state the exemption they are relying on.
• Does it include all required supplementary information?
• Is there any indication that the response is incomplete — for example, an absence of communications you know must exist?

If the response appears incomplete or you believe data has been withheld without a valid exemption, you have grounds to complain to the Information Commissioner’s Office (ICO).

7. Use the Data Strategically

Once you have the data, analyse it in the context of your dispute. Internal emails, decision logs, call recordings, and system notes frequently contain admissions, inconsistencies, or evidence of procedural failures that are highly relevant to legal proceedings.

Key Deadlines

The 30-day period begins on the day the request is received by the controller — not the day they open it or acknowledge it. If they claim they need to verify your identity before processing, they may pause the clock until identity is confirmed, but only where verification is genuinely necessary and proportionate.

What Happens After You Send Your SAR?

In most cases, the controller will respond within the 30-day window. A compliant response will include copies of your personal data and the supplementary information required under Article 15.

If the controller:

• Does not respond within 30 days — this is a breach of UK GDPR. You should first send a formal reminder stating that the deadline has passed. If there is still no response, you can escalate to the ICO.
• Refuses the SAR — the controller must state which exemption under the DPA 2018 or UK GDPR they are relying on. Exemptions exist (for example, where the data relates to ongoing legal proceedings and disclosure would prejudice those proceedings, or where disclosure would affect the rights of a third party) but they are not a blanket excuse. An unjustified refusal is grounds for an ICO complaint.
• Provides an incomplete response — write to them identifying the specific gaps and requesting that the full response be provided. If they decline or do not respond, escalate to the ICO.
• Charges an unjustified fee — challenge this in writing. A fee is only permitted where the request is manifestly unfounded or excessive, and the controller must justify that characterisation.

If the ICO upholds your complaint, it can require the controller to comply and, in serious cases, issue an enforcement notice or a fine. You may also have a right to bring a claim for compensation in the civil courts under Section 169 of the DPA 2018 if you have suffered damage as a result of a breach of data protection law.

Common Mistakes to Avoid

1. Sending to the wrong entity. Always verify the data controller’s legal name. A SAR sent to a trading name rather than the registered legal entity may be treated as invalidly addressed.

2. Failing to include enough identifying information. If the organisation cannot identify your records, they may legitimately ask for more information before processing. Include your full name, date of birth, account numbers, or any other reference that links you to their records.

3. Making the SAR too vague. A request for “everything” is valid, but if you have a specific dispute, identifying the relevant time period or subject matter will often produce a more useful and manageable response.

4. Not keeping a copy of the SAR or evidence of sending. If there is a later dispute about whether a SAR was received, or when, your evidence of sending is critical. Always retain the email or postal receipt.

5. Missing the extension notification. If the controller sends you a notice extending the deadline to three months, check whether they have done so within the first 30 days and whether they have given adequate reasons. If not, the extension may not be valid.

6. Assuming the response is complete. Organisations sometimes provide a curated or partial response. Cross-reference what you receive against what you know must exist. If call recordings are mentioned in correspondence but not provided, query the omission explicitly.

7. Waiting too long before escalating. The ICO expects complainants to have given the controller a reasonable opportunity to respond. But unreasonable delay in escalating a clear breach weakens your complaint. Do not wait months before acting.

Legal Framework

The right of access is established by Article 15 of the UK General Data Protection Regulation (the UK GDPR, as retained under the European Union (Withdrawal) Act 2018 and amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019).

The Data Protection Act 2018 supplements the UK GDPR and sets out specific exemptions that controllers may rely on to withhold data. Schedule 2 of the DPA 2018 contains a range of exemptions, including those relating to legal proceedings, legal professional privilege, and crime and taxation.

The Information Commissioner’s Office is the independent supervisory authority responsible for upholding information rights in the UK. It has powers to investigate complaints, issue enforcement notices, and impose financial penalties.

Where a controller fails to comply with a SAR and you suffer damage as a result, Section 169 DPA 2018 gives you the right to bring a compensation claim in the civil courts. This is a separate route from the ICO complaints process and the two are not mutually exclusive.

Related Court Forms & Guides

• Form N260: Statement of Costs — the costs schedule used at summary assessment.
• Form N244: Application Notice — the form for interim applications.
• Start a Money Claim Online (OCMC) — where most civil money claims begin.
• Particulars of Claim — setting out the basis of your claim.
• Civil Court Forms Index — every civil court form guide in one place.

How Chris Can Help

Drafting an effective SAR — particularly one targeted at an organisation in the context of active or prospective litigation — requires precision. Chris can prepare a legally worded Subject Access Request tailored to your specific circumstances, identify the correct data controller, and draft any follow-up correspondence if the response is late, incomplete, or refused.

If you have already received a SAR response and need help analysing it or preparing an ICO complaint, Chris can assist with that too.

Start My Case — £30 · No subscription. 7-day money-back guarantee. Instant access.

Frequently Asked Questions

Q: Do I need a solicitor to send a Subject Access Request?
A: No. A SAR is a right that every individual can exercise directly and without legal representation. You do not need to use any particular form or follow any prescribed procedure. A clear written request sent directly to the data controller is sufficient.

Q: Can an organisation refuse to respond to my SAR?
A: They can only refuse if a specific exemption under the DPA 2018 or UK GDPR applies. The exemption must be stated, and it must be genuinely applicable. A blanket refusal without a stated legal basis is a breach of data protection law and should be reported to the ICO.

Q: What if the organisation claims my SAR is manifestly unfounded or excessive?
A: This is a high threshold. An organisation cannot use this label simply because a request is inconvenient or broad. If they claim your request is manifestly unfounded or excessive and attempt to charge a fee or refuse, ask them to provide their written justification. If the justification is inadequate, you can challenge it with the ICO.

Q: Can I use a SAR response as evidence in court proceedings?
A: Yes. Documents disclosed in a SAR response can be used in evidence subject to the normal rules of evidence in civil proceedings. If the documents are relevant and admissible, there is nothing to prevent you from relying on them. Always obtain legal advice on how to deploy evidence effectively in the context of your particular claim.

Q: What if the organisation says they do not hold any data about me?
A: They must respond within 30 days and confirm this in writing. If you have reason to believe the response is inaccurate — for example, because you have other evidence that they do hold your data — you can challenge this with the ICO. Providing false information in response to a SAR is a serious matter.

Frequently asked questions

Do I need a solicitor to send a Subject Access Request?

No. A SAR is a right that every individual can exercise directly, without legal representation. There is no prescribed form, and you can send it by email, letter, or any communication channel the controller uses.

How long does an organisation have to respond to a SAR?

The controller must respond within 30 calendar days of receiving the request. For complex or numerous requests they may extend this by up to two further months, but they must notify you of the extension — with reasons — within the first 30 days.

Does it cost anything to make a SAR?

A SAR is free to make. A controller cannot charge a fee unless your request is manifestly unfounded or excessive, in which case a reasonable fee may apply — but the bar for this is high and the controller must justify it.

Do I have to give a reason for my request?

No. You are not required to justify why you want the data. The right of access exists independently of any dispute or proceedings, so a neutral, clear request is usually the most effective.

What can I do if the organisation fails to comply?

If there is no response within 30 days, or the response is incomplete or unjustifiably refused, you can send a formal reminder and then complain to the Information Commissioner’s Office (ICO). In some cases you may also have a right to bring a compensation claim in the civil courts under Section 169 of the DPA 2018 where you have suffered damage.

What information should I include in my SAR?

Include your full legal name, identifying details such as an account number or date of birth, a clear statement that you are making a Subject Access Request under Article 15 UK GDPR, and — optionally — the date ranges or categories of data you are particularly interested in to narrow the scope.

Related guides: Form N244: Application Notice · Form N260: Statement of Costs · Particulars of Claim · All civil court forms