Subject Access Requests: How to Find Out What Data Organisations Hold on You


Your Right to Know

Under Article 15 of the UK GDPR, you have the right to obtain a copy of all personal data that any organisation holds about you. This applies to everyone: employers, councils, banks, insurers, online retailers, social media platforms, letting agents, schools, GP surgeries, and any other data controller.

Unlike FOI requests (which only apply to public bodies), subject access requests (SARs) apply to every organisation, public or private. They are free, and organisations must respond within one calendar month.

What Must They Provide?

Generate Your SAR Letter

Create a properly formatted Subject Access Request with the right legal references.

Open Right to Know Builder →

Common Reasons to Make a SAR

Employment disputes: If you're in a grievance, disciplinary or redundancy situation, a SAR to your employer reveals emails about you, HR notes, management discussions and performance records. This is one of the most powerful uses of SARs: employers must disclose internal emails that mention you.

Insurance claims: Find out what data your insurer holds, including internal assessments, claim notes and third-party reports that may affect your claim.

Credit issues: While you can get your credit file from agencies directly, a SAR to a lender reveals their internal scoring and decision notes.

Council/police records: Find out what's on your record, what complaints or reports have been made, and what notes have been kept.

Data breaches: After a breach notification, use a SAR to understand exactly what data was exposed.

How to Write an Effective SAR

What If They Don't Respond?

Organisations have one calendar month from receiving your request. If they need more time for complex requests, they can extend by up to two additional months, but must tell you within the first month.

If they miss the deadline or refuse without valid reason:

  1. Send a chaser email citing the missed deadline and Article 12(3)
  2. Complain to the ICO (Information Commissioner's Office), which is free and online
  3. The ICO can order the organisation to comply and issue fines

Can They Refuse?

Only in limited circumstances. They can refuse if the request is "manifestly unfounded or excessive", but this is a high bar. They can redact other people's personal data from the response. They can extend the deadline for complex requests. But they cannot charge a fee, demand you use their own form, or require you to explain why you want the data.

SAR vs FOI: What's the Difference?

Feature | Subject Access Request | FOI Request
Applies to | All organisations | Public authorities only
What you get | Your personal data | Any recorded information
Cost | Free | Free (under cost limit)
Deadline | 1 calendar month | 20 working days
Law | UK GDPR / DPA 2018 | FOI Act 2000
Regulator | ICO | ICO

Build Your Subject Access Request

Select data categories, enter your details, and download a ready-to-send letter.

Open Right to Know Builder →