GetMySAR Guides
What Is a Subject Access Request (SAR)?
A plain-English guide to Subject Access Requests under UK GDPR, including what a SAR is, what rights you have, what organisations must do, when they can refuse, and why some people choose to use GetMySAR to handle the process for them.
1. What is a Subject Access Request (SAR)?
A Subject Access Request, usually shortened to SAR, is the legal right that lets you ask an organisation for a copy of the personal data it holds about you.
Under Article 15 UK GDPR, you can ask a data controller to confirm whether it is processing your personal data and, if it is, to give you access to that data and important information about how it is being used.
The ICO also calls this the right of access. It exists to help people understand how and why organisations use their information and to check that the processing is lawful, fair and transparent.
This sits within the wider data protection framework set out by the UK GDPR and the Data Protection Act 2018. The law also says information about your rights should be clear and easy to understand, which is reflected in Article 12 UK GDPR, Recital 39 UK GDPR and Recital 58 UK GDPR.
In plain English, a SAR is how you ask: “What personal data do you hold about me, and what are you doing with it?”
2. What counts as personal data?
Personal data is any information that relates to you and identifies you, either directly or indirectly.
That can include obvious things such as:
- your name, address, email address or phone number;
- date of birth and account or customer reference numbers;
- photos, CCTV images or audio recordings of you; and
- copies of forms, applications or complaints you submitted.
But personal data can also include less obvious material, such as:
- internal emails discussing you;
- case notes or account notes about your behaviour or history;
- call recordings and chat transcripts;
- fraud markers, warning flags or internal risk scores;
- location data or login history linked to your account; and
- profiling or automated decision-making information about you.
It is important to understand that a SAR is about your personal data. It is not automatically a right to every document an organisation holds. Sometimes an entire document may be disclosed. In other cases, only the parts containing your personal data will be included.
The organisation is only expected to carry out a reasonable and proportionate search. That principle appears in Article 15(1A) UK GDPR. The organisation can therefore refuse requests it deems unreasonably burdensome or disproportionate, and it can ask you to clarify the scope of your request if it is too broad.
3. What can you get from a SAR?
A SAR is not just about receiving a bundle of documents. Under Article 15 UK GDPR, you can usually ask for:
- confirmation that your personal data is being processed;
- a copy of the personal data itself;
- the purposes of the processing;
- the categories of personal data involved;
- the recipients or categories of recipients;
- the retention period, or how the organisation decides how long to keep the data;
- information about your rights to rectification, erasure, restriction or objection;
- your right to complain to the ICO;
- where the data did not come from you, any available information about its source; and
- information about automated decision-making or profiling, where relevant.
If personal data is transferred outside the UK in certain circumstances, you may also be entitled to information about the safeguards used for that transfer under Article 15(2) UK GDPR.
This is why a SAR can be useful even if you already know an organisation has information about you. It can help you understand not only what data is held, but also why it is being processed and who it may have been shared with.
4. Examples of what you can ask for in a Subject Access Request
Many people have heard of SARs but are not sure what they can actually request. Common examples include:
- customer service notes and complaint files;
- emails mentioning your name or discussing your case;
- call recordings and voicemail records;
- live chat transcripts or support ticket history;
- account notes, internal comments and case logs;
- CCTV footage showing you;
- copies of letters, forms or applications you submitted;
- records of decisions made about you;
- marketing preferences and consent records; and
- profiling information or automated decision records.
If you know the type of data you want, saying so can be helpful. A focused request can reduce confusion and make it easier for the organisation to identify what you are asking for.
That said, people often ask for “all personal data held about me”. This is not automatically invalid. If the organisation holds a large amount of information about you, it may ask you to clarify the scope of your request. That is recognised by Recital 63 UK GDPR and reflected in Article 12A UK GDPR.
5. How to make a SAR
A Subject Access Request does not need special legal wording.
The ICO says a request is valid if it is clear that you are asking for your own personal data. You can make a SAR:
- by email;
- by letter;
- through an online form;
- verbally; or
- in some cases, through social media.
You do not need to cite legislation, but doing so can help make your request clearer. A simple example could be:
If you already know what you want, you can be more specific. For example, you might ask for call recordings, account notes, complaint records, CCTV footage or emails that mention you.
A SAR can also be made by someone acting on your behalf. The ICO says that a third party such as a relative, friend, solicitor or service provider can make the request if they are authorised to do so. The right to use a representative is also recognised in Article 80 UK GDPR.
That means you can make a SAR yourself, or you can ask a service such as GetMySAR to prepare and submit it for you.
6. Time limits, ID checks and the format of the response
In most cases, an organisation must respond without undue delay and within one month.
This appears in Article 12 UK GDPR and the ICO’s guidance on responding to a SAR.
The deadline can be extended by up to two further months if:
- the request is complex; or
- the organisation has received a number of requests from you.
If the organisation extends the deadline, it should tell you within the first month and explain why. The detailed timing rules are set out in Article 12A UK GDPR.
Can they ask for ID?
Yes, where they have reasonable doubts about identity. Under Article 12(6) UK GDPR, an organisation can ask for additional information to confirm who you are before dealing with the request.
The ICO also says ID checks should be proportionate. For example, if you are already logged into a secure account, it may not always be necessary to ask for extensive extra documents. UK GDPR recognises this idea in Recital 57 UK GDPR and Recital 64 UK GDPR.
Can they ask you to clarify the request?
Yes, sometimes. Where an organisation processes a large amount of information about you and your request is unclear, it may ask you to specify which information or processing activities your request relates to. That is recognised in Article 12A(5) UK GDPR.
How should the data be provided?
If you make the request electronically, the organisation should usually provide the information in a commonly used electronic form, unless you ask otherwise. This is reflected in Article 15(3) UK GDPR.
The ICO also says it is good practice to consider the person’s preferred format and to provide the information securely.
7. Is a Subject Access Request free?
Usually, yes. In most cases, an organisation cannot charge you for making a SAR.
The general rule is set out in Article 12(5) UK GDPR. The ICO also makes clear that controllers can no longer charge a general fee just because someone has exercised their right of access.
There are limited exceptions. An organisation may charge a reasonable fee if:
- the request is manifestly unfounded;
- the request is manifestly excessive; or
- you ask for further copies of the same information.
The DPA 2018 also allows for regulations to set limits on such fees in some circumstances through section 12 of the Data Protection Act 2018.
So the legal right itself is usually free to exercise directly. However, some people still choose to pay for help with the process.
GetMySAR charges a £20 service fee. That fee is not charged by the data controller and it is not a fee for the legal right itself. It is a fee for the service of preparing, submitting and managing the SAR on your behalf, including follow-up where needed.
8. When can a SAR be refused or limited?
Although the right of access is broad, it is not unlimited. An organisation may refuse or limit a SAR in some situations.
Manifestly unfounded or manifestly excessive requests
Under Article 12(5) UK GDPR, a controller may refuse to act on a request or charge a reasonable fee if the request is manifestly unfounded or manifestly excessive.
The ICO’s position is that this depends on the circumstances. Repetitive requests, requests that overlap heavily, or requests that are clearly disproportionate may sometimes fall into this category. But the organisation has to justify that decision.
Information about other people
A SAR does not usually entitle you to receive information that would unfairly disclose another person’s personal data. This is one of the most common reasons for redactions.
The rules on protecting the rights of others appear in paragraph 16 of Schedule 2 to the Data Protection Act 2018. In some cases the organisation may disclose the information if the other person consents, or if it is reasonable to disclose it without consent.
Legal professional privilege
Information protected by legal professional privilege can be exempt. See paragraph 19 of Schedule 2 to the Data Protection Act 2018.
Crime, taxation and other public interest restrictions
Some rights can be restricted where disclosure would prejudice crime prevention, investigation, prosecution, taxation or other important public interests. The UK GDPR allows certain restrictions through Article 23 UK GDPR, and the DPA 2018 contains many of the detailed exemptions in Schedule 2.
Other exemptions that may apply
Depending on the circumstances, exemptions may also cover:
- management forecasting or planning;
- negotiations with the requester;
- confidential references;
- research and statistics;
- archiving in the public interest; and
- special rules for health, education and social work data.
The main exemption structure is introduced in section 15 of the Data Protection Act 2018.
If an organisation refuses to comply, it should tell you why and explain that you can complain to the ICO and seek a judicial remedy. That duty appears in Article 12(4) UK GDPR.
9. Children, health data and other sensitive records
Some SARs involve more sensitive situations, especially where the data relates to children, health records, education records or social work records.
Children
The ICO says organisations should consider whether a child is mature enough to understand their rights. If the child is competent, the response will usually go directly to the child. A parent or guardian may be able to act for the child if the child authorises it or if it is clearly in the child’s best interests.
Health data
Health data can be subject to special protections. In some cases, data may be withheld if disclosure would be likely to cause serious harm to the physical or mental health of the data subject or another person. These rules appear in paragraphs 2, 5 and 6 of Schedule 3 to the Data Protection Act 2018.
Education and social work data
Similar serious-harm-style rules can apply to certain education and social work records, again under Schedule 3 to the Data Protection Act 2018.
These special rules are one reason SARs can become complicated in practice. A request that sounds simple at first can involve questions about safeguarding, third-party confidentiality, serious harm tests or parental authority.
10. What if the organisation does not comply?
If an organisation ignores your SAR, misses the deadline, gives an incomplete response or refuses without a proper reason, you may have options.
You may be able to:
- complain to the ICO;
- ask the ICO to investigate; and
- apply to the court for a remedy in appropriate cases.
The right to complain to the ICO appears in Article 77 UK GDPR. The right to an effective judicial remedy appears in Article 79 UK GDPR.
The ICO also has powers to require a controller or processor to comply with a data subject’s request under Article 58 UK GDPR.
In more serious cases, breaches of data subject rights can expose an organisation to significant enforcement action and fines under Article 83 UK GDPR.
The law also makes it an offence to alter, erase, destroy or conceal information with the intention of preventing disclosure in response to a valid access request. That appears in section 173 of the Data Protection Act 2018.
11. No one can force you to make a SAR
UK law also protects people from being pressured into using a SAR against themselves.
An enforced SAR is where someone requires you to make a subject access request so they can see records about you, such as health records, cautions or convictions, for example in connection with a job application, insurance or services.
The ICO states that forcing someone to do this in certain circumstances can be a criminal offence. The main statutory rules are found in section 184 of the Data Protection Act 2018 and section 185 of the Data Protection Act 2018.
In short, your right of access is meant to protect you. It should not be misused as a way for others to bypass proper legal disclosure routes.
12. Why some people use GetMySAR instead of doing it themselves
You can usually make a Subject Access Request yourself for free. Many people do.
But in practice, SARs are not always as simple as sending one short email and waiting for a reply. Organisations may ask for ID, seek clarification, redact material, rely on exemptions or miss the deadline.
That is why some people choose to use GetMySAR.
- We help present the request clearly and in the right format.
- We can submit the request on your behalf with authority documents.
- We help reduce confusion about what to ask for and how to word it.
- We follow up with the data controller if a response is delayed.
- We make the process easier for people who do not want to deal with the legal and administrative side themselves.
Using GetMySAR does not create extra legal rights, and a data controller should apply the law fairly whether you act alone or through a representative. But many people prefer the convenience of having the request prepared, submitted and managed for them.
For those users, the £20 fee is a service fee for convenience and support, not a charge for the legal right itself.