How to Make a Data Subject Access Request (DSAR)

Get access to all your personal data held by organisations

Quick Answer

You have a legal right to request all personal data an organisation holds about you. Send a written DSAR to their Data Protection Officer (email or post). They must respond within 30 days with all your data in a commonly used format (PDF/Excel). No fee. If they refuse or miss the deadline, complain to the ICO (Information Commissioner's Office). DSARs are commonly used to check your credit file, employment records, medical files, or to gather evidence for legal disputes.

What Data Can You Request?

All personal data: emails, documents, records, notes about you, photos, location data, call logs, financial info, medical records, behavioural data. Not covered: legal advice, confidential business secrets unrelated to you, or other people's personal data (unless they're related to you).

How to Make a DSAR

1. Find the Data Protection Officer (DPO). Check the organisation's website ("contact us" or "data protection"). If no DPO is listed, email the main office requesting the DPO's details.

2. Send your request. Email or post a letter stating: "I am requesting a copy of all personal data you hold about me under Article 15 of UK GDPR / Section 45 of the Data Protection Act 2018." Include: your full name, date of birth, address, any account numbers or reference codes, and the date you want the data from. Sign and date the letter.

3. Provide proof of identity. Include a copy of your ID (passport/driving licence) or a utility bill to confirm you are who you say you are. They can't process the request without verification.

4. Wait for a response. They have 30 days (can extend to 90 for complex requests, with notice). You'll receive all your data in a readable format (usually PDF or Excel).

5. Review and dispute if needed. Check the data for accuracy. If inaccurate, request correction or deletion. If they missed the deadline or refused, complain to the ICO.

What the Law Says

UK GDPR, Article 15

Grants the right to obtain confirmation of and access to personal data. The organisation must provide it in a commonly used electronic format. A fee can be charged only if requests are manifestly unfounded or excessive.

Data Protection Act 2018, Section 45

Implements GDPR Article 15 into UK law. 30-day deadline (extendable to 90). Organisations must comply unless exemptions apply (legal privilege, confidentiality).

Information Commissioner's Office (ICO) Guidance

Sets timelines, fee rules, and enforcement. If an organisation refuses or delays, contact the ICO. They can issue enforcement notices and impose fines (up to £20 million or 4% of global turnover).

Can they charge a fee for a DSAR?

Rarely. Fees are only allowed if the request is "manifestly unfounded or excessive" (e.g., you're submitting 100 requests per month). One reasonable request is free. If they charge, ask them to justify the fee.

What if they miss the 30-day deadline?

Complain to the ICO. This is a breach of UK GDPR. The ICO can issue enforcement notices and fines (up to £20 million). The organisation must then comply.

Can they refuse my DSAR?

Only in specific cases: you're not the data subject (the information is about someone else), legal privilege applies, or the request is manifestly unfounded. Most refusals are unlawful. Challenge a refusal at the ICO.

How is the data provided?

In a "commonly used electronic format" (usually PDF or Excel). They can provide a hard copy if you request one. Email is standard. You can ask for copies of documents they reference.

Can I request data on someone else?

Only if it's personal data about you that mentions or involves them. If you request purely their data, they must refuse (unless you have power of attorney or parental consent). You can't spy on others via DSAR.
