Making a Data Subject Access Request (DSAR)
How to request a copy of all personal data an organisation holds about you under UK GDPR.
Overview
Under Article 15 of the UK GDPR and the Data Protection Act 2018, you have the right to request a copy of all personal data that an organisation (data controller) holds about you. This is called a Subject Access Request (SAR) or Data Subject Access Request (DSAR). The organisation must respond within one calendar month.
Who can use this process
- You are the data subject (the person the data is about) or authorised to act on their behalf
- The request is for personal data — information that identifies or relates to you
- The request is made to the data controller (the organisation that decides how your data is used)
Step-by-step process
Identify the organisation
Determine which organisation holds your data. Check their privacy policy for the data controller's details and any specific SAR process they have. Large organisations may have a dedicated Data Protection Officer (DPO) or SAR email address.
- Check the organisation's privacy policy for their DPO contact details
- You can make a SAR to any organisation — employer, bank, social media platform, NHS trust, etc.
Submit your request
Write to the organisation stating you are making a Subject Access Request under Article 15 UK GDPR. You do not need to use any specific form — a letter or email is sufficient. Be as specific as possible about what data you want (though you have the right to request all data). Include enough information for them to verify your identity.
- You do not need to give a reason for your request
- Keep a copy of your request and note the date — the clock starts on receipt
- You can make the request verbally, but written requests create a clear record
Provide ID if requested
The organisation may ask you to verify your identity before releasing data. This is reasonable — but they must not use ID verification as a way to delay or obstruct the request. Provide the minimum necessary (e.g., a copy of your driving licence or passport).
- Redact unnecessary information from ID documents (e.g., your passport number if only your name and photo are needed)
Receive the response
The organisation must respond within one calendar month. They must provide: a copy of your personal data, information about the purposes of processing, the categories of data, recipients, retention periods, and your rights. The response must be in a commonly used electronic format if you made the request electronically.
- The one-month deadline can be extended by two further months for complex or numerous requests — but they must tell you within the first month
- The response must be free of charge (unless manifestly unfounded or excessive)
Complain to the ICO if not satisfied
If the organisation fails to respond, refuses your request without valid reason, or provides an incomplete response, you can complain to the Information Commissioner's Office (ICO). The ICO can investigate and order compliance.
- The ICO expects you to have raised the issue with the organisation first
- You also have the right to bring a claim in court for compensation if you have suffered damage
Costs
Important warnings
Organisations may refuse if your request is 'manifestly unfounded or excessive' — but the bar for this is high.
Some data may be exempt from disclosure, e.g., information subject to legal professional privilege or data that would reveal information about another person.
If you need data urgently (e.g., for court proceedings), explain the urgency — the organisation should prioritise.