9.1 The Right to Know — Subject Access Requests (SARs)

Module 9: Your Rights — A Practical Guide

Explains the right of access under GDPR Art. 15 and equivalent laws, what information must be provided, and how to write and submit a Subject Access Request.


Imagine discovering that a company holds a file on you — your location history, purchasing habits, health inferences, and social connections — and you had no idea. The right to know exists precisely to prevent this. Under modern data protection law, you have a legally enforceable right to ask any organisation what personal data it holds about you, why it holds it, and who it has shared it with.

The legal foundation

GDPR Article 15 grants every data subject the right of access. When you submit a Subject Access Request (SAR), the controller must confirm whether personal data about you is being processed and, if so, provide a copy of that data (Art. 15(3)) together with: the purposes of processing; the categories of data held; the recipients or categories of recipients to whom the data has been or will be disclosed; the planned retention period (or the criteria used to determine it); the source of the data if it was not collected directly from you; and whether automated decision-making, including profiling, is taking place, with meaningful information about the logic involved and its significance and envisaged consequences for you (Art. 15(1)). Where the data has been transferred to a third country or international organisation, you are also entitled to be told what safeguards apply to that transfer (Art. 15(2)).

In the United States, the California Consumer Privacy Act (CCPA) provides a comparable right: Californian consumers can request disclosure of the categories and specific pieces of personal information collected about them, the sources of that data, and the purposes for which it is used.

How to submit an SAR

SARs require no special form. A written request is enough, and email is perfectly valid. Address it to the organisation's Data Protection Officer (DPO), if it has one, or otherwise to its privacy team; sending it from an email address or account the organisation already associates with you also makes identity verification simpler. Include enough information to identify yourself, but no more than necessary: you should not need to send a copy of your passport unless the organisation has reasonable doubts about your identity (Art. 12(6)). Under GDPR the organisation must respond without undue delay and in any event within one month, extendable by up to two further months for complex or numerous requests, but it must notify you of any extension, with reasons, within the first month (Art. 12(3)). Keep a dated copy of your request so you can show when that clock started.

A concise SAR might read: "Under Article 15 of the GDPR [or relevant national law], I request access to all personal data you hold about me, together with the information required under Article 15(1). Please confirm the identity verification process you require."

What if the organisation fails to respond?

If an organisation ignores your SAR, charges a fee it is not entitled to (responses must be free of charge unless the request is manifestly unfounded or excessive, for example because it is repetitive; Art. 12(5)), or provides an inadequate response, you have clear escalation routes. You may complain to your national data protection authority (DPA) — for example, the ICO in the UK, the CNIL in France, or, in Germany, the BfDI or the competent state (Land) authority, which handles most complaints about private-sector organisations. Regulators take SAR failures seriously: the ICO has issued enforcement notices against major organisations for SAR non-compliance. We examine the full escalation path in Lesson 9.4.

Your takeaway

The right of access is the cornerstone of every other data right — you cannot correct, erase, or object to data you do not know exists. Submitting an SAR to even one organisation you deal with regularly is a powerful first step in understanding your own data footprint. For region-specific templates and guidance, see Module 13.
