Guides → Subject Access Request letter

How to make a Subject Access Request in the UK

Under UK GDPR you have the right to request all personal data any organisation holds about you. Here is how to do it effectively.

What is a Subject Access Request?

A Subject Access Request, or SAR, is a formal request for all personal data an organisation holds about you. Under UK GDPR, any organisation that processes your personal data must provide it to you free of charge within one calendar month of receiving your request. This applies to employers, banks, insurers, the NHS, councils, landlords, and any other organisation that holds information about you.

People make Subject Access Requests for many reasons — to see what an employer has on file before a dispute, to check what a bank or insurer holds, to obtain medical records, or simply to understand what data organisations hold about them.

Generate your Subject Access Request in 60 seconds

Answer a few questions and get a professional SAR letter ready to send

Generate my SAR letter — £6.99

What you are entitled to receive

✓

Confirmation that data is held

The organisation must confirm whether they hold any personal data about you.

✓

A copy of all personal data

You are entitled to receive copies of all data they hold about you.

✓

The purpose of processing

They must explain why they hold and use your data.

✓

Who it is shared with

They must tell you if your data is shared with third parties and who those parties are.

✓

How long it is kept

They must explain their data retention policy.

✓

Your rights

They must inform you of your right to correct, delete, or restrict your data.

What to include in your SAR letter

✓

Your full name and any previous names

So the organisation can locate all records relating to you.

✓

Your date of birth

Helps confirm your identity, especially for large organisations.

✓

Your address and any previous addresses

Particularly important if you have moved during the period in question.

✓

Any reference numbers

Account numbers, employee numbers, or case references help locate your data faster.

✓

The specific data you want

You can request all data or limit your request to a specific type or time period.

✓

Proof of identity

Some organisations require a copy of ID — mention you are happy to provide this if needed.

What happens after you send your SAR

The organisation has one calendar month to respond. They may ask you to verify your identity before they process the request — this is normal and they can pause the one month clock while waiting for your ID. They cannot charge you for a SAR unless your request is excessive or repetitive.

If the organisation fails to respond within one month or refuses your request without good reason, you can complain to the Information Commissioner's Office, which is the UK's data protection regulator. The ICO can investigate and take action against organisations that breach your data rights.

Example SAR letter structure

Your Full Name Your Address Date of Birth Date Data Protection Officer [Organisation Name] Address Dear Sir or Madam, Re: Subject Access Request I am writing to make a formal Subject Access Request under UK GDPR and the Data Protection Act 2018. Please provide me with all personal data you hold about me, including [specify if you want particular data]. My details to help locate my records: Name: [Your Name] Date of Birth: [DOB] Address: [Your Address] [Any reference numbers] I understand you have one calendar month to respond. I am happy to provide proof of identity if required. Yours faithfully, [Your Name]

Ready to send your Subject Access Request?

LetterSure generates a professional SAR letter in under 60 seconds. Answer a few questions and download as PDF or Word.