What is a Subject Access Request?

A request under Article 15 UK GDPR / s.45 DPA 2018 requiring a data controller to provide a copy of all personal data they hold on the individual, plus specified information about processing.

Does the controller have to reply?

Yes — within 1 month, extendable to 3 months for complex requests. Free for first request. Must be proportionate but broad.

All personal data, purposes of processing, categories of recipients, retention period, source of data (if not collected from you), existence of automated decision-making.

What can the controller refuse?

Legal professional privilege, third party personal data without consent (balanced), disproportionate effort (high bar), crime prevention material, and certain other specific exemptions.

No for the first copy. Reasonable fee permitted for additional copies or manifestly unfounded / excessive requests.

Subject Access Request (SAR) — 2026 UK GDPR Guide

A Subject Access Request is the most powerful disclosure tool available to an individual — free, statutory, broad, and enforceable. It is used in employment disputes, family court proceedings, medical negligence claims, police complaints, and financial disputes. Most recipients underestimate how much it will turn up.

The legal basis

Article 15 UK GDPR — right of access
Section 45 DPA 2018 — additional rights
Article 12 UK GDPR — transparency obligations
ICO guidance on SARs — practical application

Structure — the Litigant Standard

1. Clear identification of yourself

Full name, date of birth, address(es) at relevant times, any account numbers or identifiers used in the controller’s systems.

2. Specific request

“I request under Article 15 UK GDPR all personal data you process relating to me, together with the information prescribed by Article 15(1)(a)–(h).”

3. Scope (where helpful)

“Including but not limited to: correspondence, file notes, internal emails referring to me, call recordings, CCTV, information held by third parties on your behalf, automated decisions taken in respect of me.”

4. Time period

All data held at the date of the request (UK GDPR). For employment disputes, specify the relevant employment period.

5. Format

“Provide by [email / post]. Electronic format where possible.”

6. Timeline

“I expect receipt within 1 month of this request under Article 12(3) UK GDPR. If an extension is required under Article 12(3) second paragraph, please notify me within that first month.”

Let Chris draft this for you

UK GDPR is precise. The remedy windows are fixed. Chris drafts SARs, ICO complaints, erasure requests, and Article 82 damages claims with the statutory scaffolding that makes controllers respond properly.

Start — £30 Pro £88 full case →

Common excuses — how Chris defeats them

“Too broad” — SAR can be broad. Controllers have disproportionate effort exemption — high bar, not a default refusal.
“Verify identity” — legitimate but limited. Must not delay unreasonably. Two basic identifiers usually suffice.
“Third party data” — controller must redact, not refuse in whole. Balancing test.
“Commercially confidential” — not a recognised exemption against SARs.
“Costs money” — first copy free under UK GDPR.

If they refuse or respond inadequately

ICO complaint (free)
County Court claim for compliance + compensation under Article 82 UK GDPR
Injunction to compel compliance

Cross-use of SAR in other claims

Employment tribunal — HR files, emails about you
Police complaint — PNC entries, intelligence reports (subject to crime prevention exemption)
Medical negligence — full medical records
Family court — social services files
Financial dispute — bank internal file notes

SAR material often becomes the exhibit bundle for the substantive claim.

Can Chris draft the SAR?

Yes. Tell Chris who you want data from and what the dispute is. Chris drafts a tightly scoped SAR with legal references, identity verification attachment, and escalation path. £30 per SAR. If the response is inadequate, ICO complaint (£30) and Article 82 damages claim (Pro £88) follow.

Prepare to win. Plan not to fail.

Evidence wins cases. SARs generate evidence. Chris generates SARs.

Start Your Case

Ready to draft this yourself?

Chris drafts to the Litigant Standard™. You sign. You file. Pick the tier that fits your case.