How do I make a subject access request (SAR)?

You can make a subject access request if you want to access the personal data a company holds about you. This guide explains how to make one and what to include in your request.

Which? Editorial team

Anyone in the UK can make a subject access request if they want to see what information a company has about them.

This is usually a free service and companies must follow strict procedures and timescales. If they don’t, you can complain to the Information Commissioner’s Office (ICO).

1. What is a subject access request (SAR)?

A subject access request (SAR) is a written or verbal request to a company or organisation asking for access to the personal information it holds on you.

Following EU-wide changes to data protection rules introduced in the UK as the Data Protection Act 2018 (GDPR), everyone has the right to make a subject access request for free.

There are many reasons for making a subject access request, including if you want to:

GDPR gives you the right not to be subject to a decision based solely on automated processing if it affects you legally or substantively.

2. How to make a subject access request

To make a subject access request (SAR), follow these steps:

  1. Find out the right department and person to send the request to, such as the company's data protection officer. This will usually be specified on the company’s website.
  2. Make a list of all the information you would like from the company.
  3. Contact the organisation. This can be via letter, phone, or social media, but it’s a good idea to follow up verbal requests by letter or email.
  4. Include your full name, address and contact telephone number, and any account numbers where relevant.
  5. Include a reference to the one-month deadline that applies when dealing with requests.
  6. Mention that you have the right to make a subject access request for free under the Data Protection Act 2018.

You can use the free template letter on the Information Commissioner’s Office (ICO) website.

It is best to send your request by recorded delivery or by email, and you should keep a copy of the SAR and all other correspondence.

This evidence will be important if you later need to complain to the ICO that the organisation failed to give you the information you were entitled to.

What is the ICO?

The ICO is an independent authority set up to work with organisations to uphold information rights in the public interest and protect data privacy for individuals.

It can investigate and fine organisations found to be in breach of data protection rules, but it cannot award compensation to individuals.

3. What is the time limit of a subject access request?

There is a timescale companies must follow with subject access requests.

A company must reply to you without delay and at the latest within one month, starting from the day they receive the SAR.

It can extend the period by a further two months where requests are complex or numerous. To do this, it must inform you within one month of receipt of the request and explain why an extension is necessary.

If your subject access request is ignored, or the company doesn’t meet this timescale, you can complain to the ICO.

4. How must companies respond?

The Data Protection Act 2018 (GDPR) requires companies to let you know what information is held about you, regardless of whether it is stored on computers or on paper.

The organisation must follow these steps when dealing with a subject access request:

5. Can companies withhold information?

Companies are allowed to withhold certain information from you, for example: