How to Write a Subject Access Request (GDPR SAR) in the UK
You've just been dismissed and suspect your employer had a file full of inaccuracies about you. Or you've been turned down for a job and want to see what a referencing agency told them. Or you're in a dispute with an insurer who seems to have information you've never seen. There is a legal tool that forces any UK organisation to show you exactly what they hold: the Subject Access Request.
Get this right, and you can see every email that mentions you, every internal note your employer wrote, every piece of data a letting agent or insurer used to make a decision about you. It costs nothing to send, and organisations are legally required to comply.
What Is a Subject Access Request?
A Subject Access Request (SAR) is a formal request made under Article 15 of the UK GDPR and Section 45 of the Data Protection Act 2018, which together give every individual the right to obtain a copy of all personal data an organisation holds about them.
The UK GDPR was retained after Brexit and domesticated via the European Union (Withdrawal) Act 2018. It operates alongside the Data Protection Act 2018, which implements and supplements it. The right of access is not discretionary. An organisation that holds your personal data is required by law to provide it when you ask.
Personal data means any information that can be used to identify you: your name, email address, employee ID, medical records, purchasing history, notes made about you in someone's system, recordings of your voice.
Who Can You Send One To?
Any organisation that acts as a data controller — meaning it determines the purposes and means of processing personal data — is subject to a SAR. In practice, that means:
Employers (current and former), landlords, letting agents, councils and local authorities, banks and financial institutions, insurers, retailers, schools, NHS trusts, private hospitals, GP surgeries, solicitors, debt collection agencies, credit reference agencies, background check companies, and any private company that has ever held data about you.
If they processed your personal data, they must respond to your SAR.
What Must They Give You?
Under Article 15 UK GDPR, a compliant SAR response must include: a copy of all your personal data, the purposes for which they are processing it, who it has been shared with (including recipients abroad), how long they intend to keep it, the source of the data if it was not collected directly from you, and information about any automated decision-making or profiling that applies to you.
In employment cases
Your HR file, all disciplinary correspondence, emails that mention you (including between managers), performance review notes, grievance records, and internal communications discussing your conduct, capability, or dismissal.
In tenancy disputes
All data a letting agent or referencing agency holds, including the credit or background check they ran when you applied.
In consumer disputes
Call recordings, complaint logs, internal case notes, and any data used to decide your claim.
The Deadline
Under Article 12 of the UK GDPR, an organisation receiving a SAR has one calendar month to respond in full. That clock starts from the day they receive the request.
They may extend by a further two months where the request is complex or you have made numerous requests, but they must inform you of the extension and give their reasons within the first calendar month. They cannot let the deadline pass and claim the extension retrospectively.
If they miss the one-month deadline without notifying you of a valid extension, they are in breach. That breach is actionable.
How to Write the SAR
You do not need a formal template or a solicitor. The letter must be clear, but it does not need to be complicated. Follow these steps:
Name the legislation
State explicitly at the start that you are making a "Subject Access Request under Article 15 of the UK GDPR and Section 45 of the Data Protection Act 2018." Use those words. It removes any ambiguity and puts the recipient on immediate legal notice.
Provide your identifiers
Include your full name and any identifiers that help them locate your data: account number, employee ID, National Insurance number, property address, reference number, or date of birth. The more specific you are, the harder it is for them to claim they couldn't find relevant records.
Specify what you want
You can ask for everything they hold on you, or narrow the scope — for example, "all data held by your HR department relating to my employment between [dates]." Being specific tends to produce faster, more usable responses and reduces their ability to claim the request is excessive.
State your preferred delivery method
Secure email is standard. If you have reason to believe they might alter or delete records, request delivery by secure post.
Send with proof
Send by email with a read receipt, or by recorded post. Keep the evidence of sending. You will need it if the deadline is missed.
What If They Ignore It or Refuse?
An organisation may only refuse to comply if the request is "manifestly unfounded or excessive" — that is the only valid basis for refusal under UK GDPR. They cannot refuse because responding is inconvenient, because the data might be embarrassing, or because they believe the information won't help your case.
If they miss the deadline or refuse without valid grounds, you have three routes:
Escalate directly
Write again, formally citing the breach of Article 12 UK GDPR and demanding immediate compliance. This letter creates a paper trail and puts them on further legal notice.
Report to the ICO
The Information Commissioner's Office is the UK's supervisory authority for data protection. It can investigate, fine organisations, and order compliance. The drawback: ICO investigations take months and the outcome is uncertain.
Pre-action letter under Section 167 DPA 2018
Section 167 of the Data Protection Act 2018 gives courts the power to order compliance directly. A pre-action letter threatening county court proceedings is often the fastest route — this does not require going through the ICO first, and it tends to prompt compliance before a hearing is needed.
SAR and Employment Disputes
This is the use case where a SAR most consistently changes outcomes. Before you file an employment tribunal claim — for unfair dismissal, discrimination, whistleblowing, or anything else — send your employer a SAR.
What you receive often includes things they never intended to share: emails between managers discussing whether to dismiss you before any formal process began, performance review notes that contradict the stated reason for dismissal, disciplinary records that reveal procedural failures, and HR communications that show the real reason for your treatment.
Tribunal claims are won and lost on evidence. A SAR filed before you commit to a claim can reveal whether you have a strong case, what the weaknesses are, and what inconsistencies you can put to witnesses. It costs nothing. There is almost no employment dispute where you should not send one.
SAR and Landlord Disputes
If your landlord used a lettings agency or a referencing company to assess you as a tenant, you can send a SAR to that agency and to the referencing company directly. This is useful if you were denied a tenancy and believe the credit check or reference contained errors, or if you're disputing a letting agent's conduct and want to see what they recorded about you internally.
Credit reference agencies — Experian, Equifax, TransUnion — are also subject to SARs. If you believe incorrect data on your credit file contributed to a decision made about you, the SAR is the starting point for understanding what was shared and correcting it.
They ignored your SAR. Now what?
If an organisation misses the deadline or refuses without valid reason, Fight My Corner writes the follow-up enforcement letter for you — citing their specific breach, the ICO escalation path, and the Section 167 DPA 2018 court route. Legally grounded and ready within 5 minutes. From £9.99.
Fight My Corner provides dispute letter generation tools and guidance — not legal advice. For complex data protection matters, consider seeking advice from a solicitor or the ICO.