How Subject Access Requests Work Under UK/EU GDPR
Taking Your Data Back
Under UK and EU GDPR, individuals have the right to request copies of their personal data from organisations that hold it. This topic explains how the process works, what organisations must provide, what exemptions apply, and how the ICO handles complaints — informing readers about the mechanism without giving personalised legal advice.
What a Subject Access Request Is and Why It Exists
Among the rights created by the General Data Protection Regulation, the right of access — most commonly exercised through what is called a Subject Access Request, or SAR — is arguably the most foundational. Before an individual can meaningfully exercise any of their other rights (to correct, erase, or object to processing of their data), they generally need to know what data an organisation actually holds about them. The SAR is the mechanism through which that knowledge becomes accessible.
The legal basis for this right is Article 15 of the GDPR, which applies in both EU member states and in the UK through the retained UK GDPR. Article 15 states that any individual — referred to in the regulation as a 'data subject' — has the right to obtain from a data controller confirmation of whether personal data concerning them is being processed, and if so, access to that data along with a specified set of supplementary information (GDPR, Article 15(1)).
A brief history
The right of subject access is not new. It was a feature of the UK's original Data Protection Act 1984, which itself implemented principles from the 1980 OECD Guidelines on the Protection of Privacy. The 1998 Data Protection Act retained and extended the right. The GDPR, and its UK equivalent, significantly strengthened it — removing the £10 fee that previously applied, shortening the response time to one month from the previous 40 days, and expanding the information that must be provided.
The history matters because it illustrates that this is not a technical bureaucratic mechanism — it reflects a long-standing policy judgement that individuals should be able to find out what information is held about them in institutional and commercial settings, as a precondition of meaningful autonomy.
Who can make a SAR and to whom?
Any individual can make a subject access request to any organisation that qualifies as a 'data controller' under UK or EU GDPR — meaning any organisation that determines the purposes and means of processing personal data. This includes companies, public bodies, charities, schools, employers, healthcare providers, and financial institutions. Individuals can also make SARs about data held about others in certain circumstances — for example, a parent accessing data about a child, or someone acting under a power of attorney.
There is no prescribed form for a SAR. It can be made in writing (letter, email, web form) or verbally. Organisations cannot require a specific format as a condition of responding, though they can ask clarifying questions if necessary to locate the data (ICO, 2023a).