MAKE YOUR FREE Data Subject Access Request (DSAR)
What we'll cover
What is a Data Subject Access Request?
Under the Data Protection Act 2018, you can make a Data Subject Access Request (known as 'DSAR' or 'SAR') to organisations that hold your personal data. Subject Access Requests can be used to find out things like:
-
details of the personal data that is being processed (ie a copy of the data)
-
the reasons why this data is being processed
-
how this data was sourced (if available)
-
which other organisations or individuals have access to your data
When should I use a Data Subject Access Request?
Use this Data Subject Access Request:
-
to request access to your personal data that is held by a business or other organisation
-
if you are based in England, Wales or Scotland
-
if the business or organisation is also based in England, Wales or Scotland
Sample Data Subject Access Request (DSAR)
The terms in your document will update based on the information you provide
To whom it may concern,
Re: Subject access request
Under the UK General Data Protection Regulation (GDPR) and Data Protection Act 2018 I have the right to request access to my personal data held by. This includes:
the right to obtain confirmation that you process my personal data.
the right to receive certain information about the processing of my personal data.
the right to obtain a copy of my personal data processed by you.
I am requesting that you supply me with the personal data you hold about me. Specifically, I am requesting personal data held:
Please find below my information which you can use to identify me and the personal data I am requesting access to, to respond to my request and to keep a record of my request and your response.
- Full name:
- Address: , ,
- Date of birth:
- Telephone number:
- Email address:
- Are you a current or former employee of?: I am a employee
- Approximate date of employment:
If you need any more information, please let me know as soon as possible.
Please provide the personal data requested in.
Please bear in mind that data protection laws require you to respond to my request for personal data within one calendar month.
If you do not normally deal with data subject requests, please pass this letter on to your data protection officer or relevant member of staff.
Yours faithfully,
_________________________________ | _________________________________ |
About Data Subject Access Requests (DSARs)
Learn more about making your Data Subject Access Request (DSAR)
-
How to make a Data Subject Access Request (DSAR)
Making a Data Subject Access Request online is simple. Just answer a few questions and Rocket Lawyer will build your document for you. When you have all of the details prepared in advance, making your document is a quick and easy process.
To make your DSAR you will need the following information:
Party details
-
The details of the business or organisation that you’re sending the DSAR to (including its legal structure, name and address).
-
Your details (including your name (and any previous names), address, date of birth and contact details).
Personal data
-
Where is the personal data you are requesting access to held? In employment records or personnel files; in pension or benefits records; by a specific department; in billing records; in user activity logs; in medical records; in financial statements; or in another place?
-
If the data is held by a specific department, what is the department’s name?
-
If the data is held in medical records, what are the doctor’s and practice’s names? What are the dates of the medical records being requested?
-
If the data is held in financial statements, what account number do they relate to and what are the dates of the financial statements being requested?
-
If the data is held in another place, where is it being held?
-
Employment
-
Are you a current or former employee of the business or organisation holding your personal data?
-
If you are a current employee, when did you start working for the business or organisation?
-
If you are a former employee, when did you start and stop working for the business or organisation?
-
Provision of personal data
-
Should the requested personal data be provided in electronic and/or hard copy?
Letter
-
On what date is the DSAR sent to the business or organisation?
-
-
Common terms in a Data Subject Access Request (DSAR)
Data Subject Access Requests are used by data subjects (ie individuals) to request a copy of their personal data held by a business or other organisation. As a result, DSARs will typically include:
An introduction
This sets out your right under the Data Protection Act 2018 and UK General Data Protection Regulation (GDPR) to make a DSAR and what exactly this entails.
Details of the personal data requested
This sets out your request that the business or organisation supplies you with the personal data it holds about you. It then provides details of where the requested personal data is held.
Details to identify the data subject
This sets out details that can be used by the business or organisation to identify you and the personal data you are requesting access to. These details include:
-
your name and any previous or other names you are or have been known by
-
your address
-
your date of birth
-
your telephone number and email address
-
if applicable, whether you are a current or former employee of the business or organisation, and your employment start (and, where applicable, end) date
Response to your DSAR
This sets out how you wish to receive a copy of the requested personal data. It also reiterates that, under data protection laws, a business or organisation generally has one calendar month to respond to your letter.
If you want your DSAR to include further or more detailed provisions, you can edit your document. However, if you do this, you may want a lawyer to review or change the DSAR for you, to make sure it complies with all relevant laws and meets your specific needs. Ask a lawyer for assistance.
-
-
Legal tips for making a Data Subject Access Request (DSAR)
Understand when it’s appropriate to make a DSAR
Data protection laws give data subjects the ‘right to access’, which grants them the right to request and receive a copy of their personal data. Empowering individuals to make such data subject access requests allows them to understand how and why businesses and other organisations are using their data. It also helps individuals verify that any use of their data is lawful.
Generally, someone can only make a DSAR on their own behalf (ie you can send a request to a business to find out what data they hold on you). However, DSARs can also be made on behalf of another, provided that the individual making the request has the authority to do so. This may be the case if a parent with parental responsibility requests information on behalf of their child, or if someone makes a DSAR under a power of attorney.
For more information, read Making subject access requests.
Remember that you may not always get access to all personal data requested
While businesses or organisations will typically tell you whether they process your personal data and, if they do, provide copies of it, they may not always provide all data you request. Depending on your situation and circumstances, you may only receive some of the data requested or you may receive no data at all. Examples of situations in which you might not receive (all) personal data requested in a DSAR include:
-
if the information requested is not actually covered by DSARs (eg you asked for a deceased relative’s medical records)
-
if an exemption applies (eg it would prejudice ongoing negotiations)
You should also be aware that a business or organisation may refuse to comply with a DSAR if they believe the request is ‘manifestly unfounded or excessive’ (eg if they believe that you don’t have a genuine intention of accessing the information). If this is the case, they should provide you with their reasoning as to why this is the case.
Be aware that you may have to provide proof of identity
After a DSAR is made and sent, the business or organisation may ask you for proof of ID to carry out identity verification for security reasons.
Where you are asked to provide proof of your identity, the one-month time limit within which the business or organisation has to respond is extended. In fact, the time limit does not start until the business or organisation has received your proof of ID.
For more information, read Data protection requests.
Be aware that a fee may be charged in some circumstances
Generally speaking, businesses or other organisations should comply with and respond to DSARs free of charge. However, a fee may be charged by the business or organisation if:
-
you ask for additional copies of the data requested
-
the business or organisation believes your request to be manifestly unfounded or excessive. In this case, a fee can be charged to cover their administrative costs
The one-month time limit for responding to a DSAR doesn’t start until after any required fee is paid and received.
For more information, read Data protection requests.
Understand when to seek advice from a lawyer
Ask a lawyer for advice if:
-
you are making a Subject Access Request on behalf of someone else
-
this document does not cover your legal needs
-
the business is based outside of England, Wales and Scotland
-
a business does not respond to your request
-
Data Subject Access Request (DSAR) FAQs
-
What is included in a Data Subject Access Request?
This Subject Access Request template covers:
-
your details
-
the organisation’s (eg business’) details
-
details of your rights relating to personal data
-
where the personal data you are requesting access to is held (eg in employment records, billing records or user activity logs)
-
how the personal data should be provided to you
-
-
What details does a Data Subject Access Request need to include?
Your SAR should, as a minimum, include:
-
your full name (including any previous names, if relevant)
-
your up-to-date contact details (eg address and telephone number)
-
details of the specific information you require and any relevant dates
-
how you would like to receive the information (eg by email or in print)
A SAR should not include information not relevant to your request (eg a wider customer service complaint).
While you may request all the information an organisation holds on you, bear in mind that organisations may hold a lot of information. Requesting access to all of it could mean that the organisation takes longer to respond and it may make it more difficult for you to locate the specific information you need in their response.
For more information, read Making subject access requests.
-
-
How long does a business have to respond to a DSAR?
Businesses generally have one month to respond to your request. They may, however, need extra time to consider your request in some circumstances (eg if you have made several requests or where proof of ID is required). Where this is the case, they can take up to an extra two months to respond. In this case, they must inform you within one month that they need more time and explain why.
For more information, read Data protection requests.
-
How will a business respond to a Data Subject Access Request?
A business will generally tell you whether or not they process your personal information and, if they do, provide copies of it. They should also set out other details, including:
-
what they use your information for
-
who they share your information with
-
how long they’ll store your information for and how this was decided
-
where they obtained your information from
-
if they use your information for profiling or automated decision-making and, if so, how this is done
Bear in mind that you may not always receive all the information you have requested.
For more information, read Making subject access requests and Data protection requests.
-
-
What if a business doesn’t respond to my DSAR?
If a business doesn’t respond or you are dissatisfied with their response, you should contact the organisation. If you do not receive a response or remain dissatisfied with the response, you can complain to the Information Commissioner’s Office (ICO). For more information, read Data protection requests.
Our quality guarantee
We guarantee our service is safe and secure, and that properly signed Rocket Lawyer documents are legally enforceable under UK laws.
Need help? No problem!
Ask a question for free or get affordable legal advice from our lawyer.