
Subject Access Request: UK GDPR Article 15 Guide


You have the legal right to request all personal data that any organization holds about you, free of charge, under UK GDPR Article 15. They must provide it within one month. Learn how to make the request, enforce it, and escalate to the ICO if they refuse or delay.

Quick Answer

Send a Subject Access Request to any company, council, NHS trust, or organization. Write: "I request a Subject Access Request under UK GDPR Article 15 for all personal data held about me." Include proof of identity. They must respond within one month, free of charge. If they refuse or delay, complain to the Information Commissioner's Office. If the ICO agrees, they can fine the organization up to GBP 17.5 million.

Your Right to Access Personal Data Under UK GDPR

Article 15 of the UK General Data Protection Regulation gives you the absolute right to access all personal data an organization holds about you. This includes medical records (from the NHS), council files, bank records, insurance claims history, social media activity data, call records, emails, and any other personal information. The organization must provide it free of charge.

This applies to all organizations: companies, public bodies, charities, government agencies, and individuals processing personal data. Anyone in the UK can make a Subject Access Request regardless of citizenship or residency.

Your Legal Rights

UK GDPR Article 15 - Right of Access

Data subjects have the right to obtain confirmation of whether their personal data is being processed and, if so, access to that data. It must be provided in a clear, intelligible format within one month.

Data Protection Act 2018

Implements UK GDPR into domestic law. Organizations that breach Article 15 can be fined up to GBP 17.5 million or 4% of global turnover (whichever is higher). The ICO can enforce this.

ICO Investigation and Enforcement

The Information Commissioner's Office (ICO) investigates complaints about breached Subject Access Requests. They have power to serve enforcement notices, issue fines, and order organizations to comply within a deadline.

Step-by-Step: How to Make a Subject Access Request

  1. Identify the organization: Write down the name of the company, council, hospital, or body you want data from. Find their privacy policy (usually on their website) to get the correct email address or mailing address for requests.
  2. Prepare proof of identity: You may need to send a copy of your passport, driving licence, or utility bill to prove who you are. Organizations can ask for reasonable verification but cannot ask for excessive proof.
  3. Draft the request: Write a clear email or letter. State: "I request a Subject Access Request under UK GDPR Article 15. Please provide all personal data you hold about me, including [any specific categories: medical records, call logs, emails, documents, etc.]. Please provide this in a commonly used electronic format (CSV or PDF). Here is proof of my identity: [attach document]."
  4. Send by email or registered post: Email is fastest. Keep the send receipt and your draft request.
  5. Wait for response: The organization must respond within one month (extendable to two months for complex requests). If they do not respond, or provide incomplete data, send a follow-up demand.
  6. Review the data: Check that all your personal information has been provided. Look for errors, inaccuracies, or missing categories.
  7. If they refuse or delay: Complain to the ICO at www.ico.org.uk. Include the date of your request and the organization's response (or lack of response).

Critical Deadlines

The organization has one month from the date they receive your request to provide access. If the request is complex (involves many documents or cross-referencing), they can extend to two months. They cannot exceed two months.

What Data Must They Provide?

All personal data: your name, contact details, address history, financial records, health information, employment history, communications (emails, messages, notes about you), documents, audio/video recordings of you, cookies and tracking data, and any other information linked to your identity.

Can They Refuse Your Request?

In rare cases, yes: if the request is vexatious, repetitive (more than once per year), or would require disproportionate effort. However, these exemptions are narrow and rarely upheld. A first request is almost never refused. If they refuse, demand they explain which exemption applies and why. This explanation is subject to review by the ICO.

Do You Need Help?

Most organizations comply with Subject Access Requests without legal intervention. However, if an organization is slow, refuses, or provides incomplete data, the ICO process is free and straightforward.

What the Law Says

Primary Right: UK GDPR Article 15
Right of access to personal data. Organization must provide all data within one month, free of charge.

Domestic Law: Data Protection Act 2018
Implements UK GDPR. Breach penalties up to GBP 17.5 million or 4% of global turnover.

Regulator: Information Commissioner
Investigates complaints and can issue enforcement notices, fines, and orders for compliance within a deadline.

Exemptions: Rare & Narrow
Vexatious or repetitive requests. Legal privilege. Requests requiring disproportionate effort (rarely upheld).

Frequently Asked Questions

How do I send a Subject Access Request?
Email is fastest. Write to their customer service or DPO email (usually on their website). State clearly: "Subject Access Request under UK GDPR Article 15" and list what data you want. Attach proof of identity.

How long do they have to respond?
One month from the date they receive your request. If it is complex, they can extend to two months but must notify you within one month. They cannot exceed two months under any circumstances.

Can they charge me for a Subject Access Request?
No. Subject Access Requests are free. They can only charge a fee for additional copies of the same data if your request is repetitive or manifestly unfounded. First-time requests are always free.

What if they don't respond within one month?
Complain to the ICO at www.ico.org.uk. Failure to respond within one month is a breach of Article 15. The ICO will investigate and can issue a fine.

What if they only provide partial data?
Send a follow-up email identifying what is missing and demanding it be provided within 7 days. If they still refuse, complain to the ICO. The ICO will investigate incomplete responses.

Can they refuse my Subject Access Request?
Rarely. Refusals are only allowed if the request is vexatious (repeatedly making requests to harass the organization), repetitive, or would require manifestly disproportionate effort. A first, reasonable request cannot be refused.

Request Your Personal Data Today

Use FOIRequest to draft your Subject Access Request and track the one-month deadline. Know what data organizations hold about you.
