For Individuals Only

This website is designed for individual consumers to understand their rights and track their own SAR and FOI requests.

It is not intended for commercial use by organisations, companies, or professionals managing requests on behalf of others.

Back

Subject Access Requests (SAR)

Complete Guide

Everything you need to know about requesting your personal data under UK GDPR. Your rights, deadlines, and what to do when organisations push back.

1 Month
Standard Deadline
FREE
No Fee (Usually)
+2 Months
Extension Limit
Any Org
That holds your data

What is a Subject Access Request?

A Subject Access Request (SAR) is your legal right under UK GDPR Article 15 to request access to the personal data any organisation holds about you.

This isn't just a "courtesy" – it's a legal right. Organisations have a legal duty to comply within strict deadlines.

What you can request:
All personal data emails, notes, CCTV, call recordings
Processing purposes why they're using your data
Recipients who they're sharing it with
Data source where they got your data from
Retention period how long they'll keep it
Automated decisions whether any are being used

Who Can Make a SAR?

You can request

Your own personal data
On behalf of someone else (with their consent)
As a parent of a child (if appropriate)
As a legal representative

Who must respond

Any organisation that holds your data
Companies, charities, schools
NHS, hospitals, GPs
Councils and public bodies
Landlords, employers, any data controller

Deadlines – What You Need to Know

The legal deadline is: 1 Calendar Month from the day they receive your request

When does the clock start?

When they receive it – not the day you send it
Email: Day of sending (check your sent folder)
Post: Day of delivery (keep proof of postage)
Webform: Day submitted (take a screenshot)

When does it stop?

They ask for ID: Clock pauses until you provide it
They ask for clarification: Clock pauses, but only for the part needing clarification
They grant extension: New deadline is 3 months total
Important: The 1 month means the same date next month (e.g., 15 Jan → 15 Feb). If that date doesn't exist (e.g., 31 Jan → 28/29 Feb), the deadline is the last day of the month. If the deadline falls on a weekend or bank holiday, it is generally treated as the next working day (ICO guidance).

Extensions – When Can They Delay?

Organisations can extend the deadline by up to 2 months (total 3 months) but ONLY for specific reasons:

Valid Reasons

Complex request Large volumes, legacy systems, heavy redaction needed
Numerous requests Multiple requests from you in a short time
They MUST tell you within 1 month and explain why

NOT Valid Reasons

"We're too busy"
"Staff shortages"
"IT issues"
"We haven't got to it yet"
Any reason not related to complexity or volume

Common Myths vs. Truths

Myth: You must use their webform or "official channel" Truth: Any email, letter, or even social media message counts as a valid SAR
Myth: They can charge a fee Truth: SARs are FREE. They can only charge if the request is "manifestly unfounded or excessive" – and they have to prove it
Myth: You're only entitled to documents Truth: You're entitled to YOUR personal data, not documents. They must extract your data – don't let them hide behind "we'd have to create new documents"
Myth: If they ask for clarification, the clock keeps running Truth: The time limit pauses where clarification is genuinely required to identify the data requested
Myth: "We're busy" is a valid reason for extension Truth: Only complexity or numerous requests count – "busy" is not an excuse
Myth: They can refuse if you've complained before Truth: Previous complaints alone do not remove your right to make a SAR

Exemptions – When Can They Refuse?

Organisations CAN refuse to provide information in specific circumstances, but they must:

1
Tell you within 1 month
2
Explain which exemption
3
Explain why it applies
4
Tell you your right to complain
Crime and taxation

If it would prejudice crime prevention

Legal professional privilege

Confidential legal advice

Management forecasting

Plans, projections, negotiations

Health, education, social work

If likely to cause serious harm

Exemptions are set out in the Data Protection Act 2018 and must be applied on a case-by-case basis.

Watch out: "Safeguarding" is NOT a blanket exemption. They must apply specific exemptions properly.

What If They Refuse or Miss the Deadline?

1

Raise a complaint

Ask them to reconsider their decision. While there's no formal "internal review" for SARs, organisations should respond to complaints promptly.

2

Complain to ICO

If the organisation fails to respond properly, complain to the ICO. They have powers to order compliance.

3

Court action

Failure to comply with an ICO enforcement notice can ultimately lead to court action.

Pro Consumer Tips

Keep proof of sending – Email receipts, proof of postage, or screenshots. You'll need this if they claim they never received it.
No need to quote "GDPR" – Just asking for your data is enough. You don't need to mention Article 15.
No ID needed upfront – They can only ask for ID if they genuinely need to verify your identity. Don't send ID unless asked.
They can't dictate how you search – THEY must do a "reasonable and proportionate search." You don't have to do their job for them.
Watch for hidden data tricks – If they send spreadsheets, check for hidden columns. Organisations have accidentally disclosed personal data this way.
Respond quickly to ID requests – The clock stops while they wait for you. Any delay pushes your deadline back.

Sample SAR Template

Dear [Organisation],

Subject Access Request – UK GDPR Article 15

I am writing to request access to all personal data you hold about me under my right of subject access (UK GDPR Article 15).

Please provide:

1. All personal data you hold about me (including emails, notes, records, CCTV footage, call recordings)
2. The purposes of processing
3. Any recipients of my data
4. Where you obtained my data from
5. How long you will keep it
6. Whether any automated decision-making is used

If any information is withheld, please state the specific exemption you are relying on and explain why it applies.

My full name is: [Your Full Name]
My email address is: [Your Email]
My previous correspondence/reference (if any): [Reference Number]

If you require proof of identity, please let me know.

Regards,
[Your Name]
Back to Deadline Calculator