Your Right to Know
Under Article 15 of the UK GDPR, you have the right to obtain a copy of all personal data that any organisation holds about you. This applies to everyone: employers, councils, banks, insurers, online retailers, social media platforms, letting agents, schools, GP surgeries, and any other data controller.
Unlike FOI requests (which only apply to public bodies), subject access requests (SARs) apply to every organisation, public or private. They are free, and organisations must respond within one calendar month.
What Must They Provide?
- A copy of all personal data they hold about you
- The purposes they're using your data for
- Who they've shared your data with (or categories of recipients)
- How long they plan to keep your data
- Information about any automated decision-making or profiling
- Where they got your data from (if not directly from you)
- Your rights to rectification, erasure, and complaint
Generate Your SAR Letter
Create a properly formatted Subject Access Request with the right legal references.
Open Right to Know Builder →
Common Reasons to Make a SAR
Employment disputes: If you're in a grievance, disciplinary or redundancy situation, a SAR to your employer reveals emails about you, HR notes, management discussions and performance records. This is one of the most powerful uses of SARs: employers must disclose internal emails that mention you.
Insurance claims: Find out what data your insurer holds, including internal assessments, claim notes and third-party reports that may affect your claim.
Credit issues: While you can get your credit file from agencies directly, a SAR to a lender reveals their internal scoring and decision notes.
Council/police records: Find out what's on your record, what complaints or reports have been made, and what notes have been kept.
Data breaches: After a breach notification, use a SAR to understand exactly what data was exposed.
How to Write an Effective SAR
- Be clear you're making a subject access request: reference Article 15 of UK GDPR and the Data Protection Act 2018
- Provide enough ID information: your full name, date of birth, address and any account/reference numbers help them find your records
- Specify categories if possible: "all emails mentioning me" or "my HR file" focuses the search
- Ask for electronic format: they must provide data in a commonly used electronic format if you request it
What If They Don't Respond?
Organisations have one calendar month from receiving your request. If they need more time for complex requests, they can extend by up to two additional months, but must tell you within the first month.
If they miss the deadline or refuse without valid reason:
- Send a chaser email citing the missed deadline and Article 12(3)
- Complain to the ICO (Information Commissioner's Office), which is free and online
- The ICO can order the organisation to comply and issue fines
Can They Refuse?
Only in limited circumstances. They can refuse if the request is "manifestly unfounded or excessive", but this is a high bar. They can redact other people's personal data from the response. They can extend the deadline for complex requests. But they cannot charge a fee, demand you use their own form, or require you to explain why you want the data.
SAR vs FOI: What's the Difference?
| Feature | Subject Access Request | FOI Request |
|---|---|---|
| Applies to | All organisations | Public authorities only |
| What you get | Your personal data | Any recorded information |
| Cost | Free | Free (under cost limit) |
| Deadline | 1 calendar month | 20 working days |
| Law | UK GDPR / DPA 2018 | FOI Act 2000 |
| Regulator | ICO | ICO |
Build Your Subject Access Request
Select data categories, enter your details, and download a ready-to-send letter.
Open Right to Know Builder →