What is a Data Subject Access Request (DSAR)?

A DSAR is a formal request under Article 15 of UK GDPR and the Data Protection Act 2018 that allows you to ask any organisation what personal data they hold about you, why they're processing it, who they've shared it with, and how long they'll keep it. The organisation must respond within one calendar month and provide the information free of charge.

How long does an organisation have to respond to a DSAR?

Organisations must respond within one calendar month of receiving your request. They can extend this by a further two months for complex or numerous requests, but must inform you within the first month and explain why. If they don't respond within the timeframe, you can complain to the Information Commissioner's Office (ICO).

Can a company refuse a data subject access request?

Only in limited circumstances. An organisation can refuse if the request is 'manifestly unfounded or excessive' (e.g., repetitive requests with no new reason). They can also redact information that relates to other identifiable individuals or is subject to legal professional privilege. If they refuse, they must explain why and inform you of your right to complain to the ICO.

Yes. Under UK GDPR, organisations must provide a copy of your personal data free of charge. They can only charge a 'reasonable fee' for additional copies, or if the request is manifestly unfounded or excessive. In practice, the vast majority of DSARs are completely free.

Data Subject Access Request (DSAR) Letter Template UK

Every UK resident has the right to know what personal data organisations hold about them. A DSAR is the legal mechanism to get that information — and organisations must comply within one month.

What the Law Says

UK GDPR, Article 15 & Data Protection Act 2018, Section 45

The data subject shall have the right to obtain from the controller confirmation as to whether personal data concerning them is being processed, and where that is the case, access to the personal data and information including: the purposes of processing, the categories of data, the recipients, the envisaged storage period, and the existence of the right to rectification, erasure, or restriction.

📅

Strict legal deadline: Organisations must respond to your DSAR within 30 calendar days of receipt. They may extend by a further 2 months for complex requests, but must notify you within the first 30 days. If they miss the deadline, you can report them to the ICO — who take non-compliance seriously.

The UK GDPR (retained from EU GDPR after Brexit) and the Data Protection Act 2018 together form the UK's data protection framework. Every organisation that processes your personal data must respond to a DSAR within one calendar month, free of charge.

What You're Entitled to Receive

Confirmation of whether they hold your personal data
A copy of all personal data they hold about you
The purposes of processing — why they have your data
Categories of data — what types (name, email, browsing history, etc.)
Recipients — who they've shared your data with
Retention period — how long they plan to keep it
Source — where they got your data from (if not directly from you)
Automated decision-making — whether any automated profiling is applied
Your rights — information about your rights to rectification, erasure, and restriction

When You Have a Valid Claim

You can submit a DSAR to any organisation that processes your personal data. Common reasons include:

Employment disputes — request all data your employer holds (emails, performance reviews, disciplinary records, CCTV footage)
Insurance claims — find out what data an insurer used to make decisions about your claim
Financial disputes — discover what data a lender used for credit decisions
Marketing harassment — identify where a company got your contact details
Social media — request all data platforms like Facebook, Google, or TikTok hold
Healthcare — access your medical records held by the NHS or private providers
Pre-litigation — gather evidence before taking legal action against an organisation

You Don't Need to Give a Reason

You are not required to explain why you're making a DSAR. The organisation cannot refuse or delay because they disagree with your reasons. Simply state that you're exercising your right under Article 15 of UK GDPR.

What Your Letter Should Include

DSAR Letter Checklist

Your full name (and any previous names the organisation might hold)
Your address and contact details
Any reference numbers or account identifiers (customer number, employee ID, etc.)
A clear statement that this is a subject access request under Article 15, UK GDPR
Request for all personal data in any format (electronic and paper)
Request for supplementary information (purposes, recipients, retention periods, source)
Specific categories of data you want (if you're targeting specific records)
A date range (if applicable — e.g., "all data from January 2023 to present")
Reference to the one-month response deadline
Proof of identity (photocopy of driving licence or passport — they may request this)

Ready to submit your data request? LetterLift generates a formal DSAR letter under UK GDPR Article 15 — citing the correct legislation and the specific data you're requesting.

Write Your Letter — £2.99

Takes 90 seconds. No account needed.

Key tip: Be specific about what you want if you know it. Broad requests are valid, but targeted requests (e.g., "all emails mentioning my name between March and June 2025") get faster, more complete responses.

What Happens If They Don't Respond

Send a Follow-Up After 30 Days

If the one-month deadline passes with no response, send a follow-up letter reminding them of their legal obligation under Article 15, UK GDPR. Note the original date of your request and the breach of the statutory timeframe. Give them 7 more days.

Complain to the Information Commissioner's Office (ICO)

The ICO is the UK's data protection regulator. You can file a complaint online at ico.org.uk. The ICO can investigate, issue enforcement notices, and fine organisations up to £17.5 million (or 4% of annual turnover) for serious breaches. Complaints are free.

Take Legal Action in Court

Under Section 167 of the Data Protection Act 2018, you can apply to the county court for an order requiring the organisation to comply. You can also claim compensation for distress caused by the failure to respond (Section 168, Data Protection Act 2018).

Claim Compensation for Distress

If the failure to respond caused you material damage or significant distress, you can claim compensation through the courts. Awards for DSAR non-compliance typically range from £250–£5,000, though cases involving deliberate obstruction or sensitive data have attracted higher awards.

Get a free letter template straight to your inbox

Not ready to generate your letter now? We'll send you a free template to keep.

✓ On its way. Check your inbox.

Get your DSAR letter now

Professional data subject access request letter citing UK GDPR and the Data Protection Act 2018. Personalised to the organisation you're targeting.

Write Your Letter — £2.99

Takes 90 seconds. No account needed.

Frequently Asked Questions

Common questions about Data Subject Access Requests in the UK.

Can an organisation charge me for a DSAR?

No, not for a standard DSAR. Under UK GDPR, organisations must respond free of charge. They can only charge a "reasonable fee" if a request is manifestly unfounded or excessive (e.g., you've sent repeated identical requests). In practice, charging for a first DSAR is a breach of the law.

What information am I entitled to receive?

You're entitled to: a copy of your personal data, the purpose it's being processed for, who it's been shared with (categories of recipients), how long they'll keep it, where it came from if not directly from you, and information about any automated decision-making. You can also ask for it in a commonly used electronic format.

What if the organisation refuses or ignores my DSAR?

You can complain to the Information Commissioner's Office (ICO) at ico.org.uk. The ICO can issue enforcement notices and fine organisations up to £17.5 million or 4% of global annual turnover for serious breaches. You can also seek compensation through the courts for material or non-material damage caused by the breach.

Can I send a DSAR to my employer?

Yes — employment DSARs are very common and very powerful. Your employer holds significant personal data: emails, performance reviews, disciplinary records, payroll data, and more. In employment disputes, a DSAR often reveals information that strengthens a grievance or tribunal claim. Employers are subject to the same 30-day response requirement.