Subject Access Request Form


A Subject Access Request (SAR) form is a tool used by individuals to request access to their personal data held by an organisation. Under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018, individuals have the right to know what personal data is being processed about them. This guide outlines the essential elements of a SAR form, the legal framework governing SARs, and best practices for handling these requests.

Legal Framework

General Data Protection Regulation (GDPR)

The GDPR provides individuals with the right to access their personal data. Article 15 of the GDPR outlines the right of access, giving individuals the ability to obtain:

  • Confirmation that their data is being processed
  • Access to their personal data
  • Other supplementary information (which corresponds to the information that should be provided in a privacy notice)

Data Protection Act 2018

The Data Protection Act 2018 supplements the GDPR and provides the legal framework for data protection in the UK. It ensures that data subjects have the right to access their personal data and understand how it is being used by organisations.

Components of a Subject Access Request Form

A comprehensive SAR form should include the following components:

Personal Details of the Requester

  • Full Name
  • Address
  • Telephone Number
  • Email Address
  • Any other identifying information that may assist in locating the data

Details of the Request

  • Specific details about the personal data being requested
  • Timeframe for the data being requested (if applicable)
  • Any relevant account or reference numbers

Proof of Identity

  • Request for copies of identification documents to verify the identity of the requester (e.g., passport, driving licence)

Signature and Date

  • Signature of the requester
  • Date of the request

Preferred Method of Response

  • Options for how the requester would like to receive the data (e.g., electronically, by post)

Sample Subject Access Request Form

Subject Access Request Form

Personal Details

  • Full Name: _______________________________________
  • Address: __________________________________________
  • Telephone Number: _________________________________
  • Email Address: _____________________________________

Details of the Request

  • Please provide specific details of the information you are requesting, including any relevant timeframes or account/reference numbers: ____________________________________________

Proof of Identity

  • Please provide copies of identification documents (e.g., passport, driving licence): ___________________________________

Preferred Method of Response

  • Please select your preferred method of receiving the information:
    • Electronically (Email)
    • By Post (Address as above)


  • I confirm that the information provided in this form is correct and that I am the individual to whom it relates. I understand that [Organisation Name] may need to contact me for further information to verify my identity or process my request.

Signature: _____________________________ Date: ___________________________________

Handling Subject Access Requests

Receiving the Request

  • Acknowledge receipt of the SAR promptly.
  • Verify the identity of the requester to prevent unauthorised access to personal data.

Locating the Data

  • Identify all locations where the requester’s personal data might be stored (e.g., databases, email systems, paper files).
  • Retrieve the relevant data, ensuring completeness and accuracy.

Assessing the Data

  • Review the data to ensure it does not include information about third parties unless consent has been obtained or it is reasonable to disclose without consent.
  • Apply any legal exemptions that may prevent disclosure of certain information.

Responding to the Request

  • Provide the data in a clear, understandable format.
  • Include any supplementary information as required by the GDPR, such as the purposes of processing and the recipients of the data.
  • Ensure the response is made within one month of receiving the request. Extensions of up to two months are allowed for complex or numerous requests, but the requester must be informed of the delay within the initial one-month period.

Documenting the Process

  • Keep records of the SAR, including the date received, actions taken, and the date of response.
  • Ensure that all communication related to the SAR is documented.

Best Practices for Managing SARs

Training Staff

  • Ensure all employees understand the importance of SARs and are trained in recognising and handling such requests.

Maintaining Records

  • Keep accurate records of all SARs and the responses provided to ensure compliance and accountability.

Data Minimisation

  • Only collect and process the personal data necessary to fulfil the SAR, in line with GDPR principles.

Regular Audits

  • Conduct regular audits of SAR procedures to ensure compliance and identify areas for improvement.


Effectively managing Subject Access Requests is a crucial aspect of data protection compliance under GDPR and the Data Protection Act 2018. By having a clear, comprehensive SAR form and robust procedures in place, organisations can ensure they respect individuals’ rights to access their personal data while maintaining compliance with UK data protection laws.

What is a Subject Access Request (SAR) Form?

A Subject Access Request (SAR) Form is a tool that individuals can use to request access to their personal data held by an organisation, as stipulated under GDPR and the Data Protection Act 2018.

Who can submit a Subject Access Request?

Any individual has the right to submit a SAR to access their personal data held by an organisation. They can also make a request on behalf of another individual, provided they have legal authorisation.

How do I submit a Subject Access Request?

A SAR can be submitted verbally or in writing, including electronically. Many organisations provide a specific form to streamline the process, but any written request that is clearly identifiable as a SAR is valid.

What information do I need to provide in a SAR Form?

Typically, you need to provide your full name, address, contact information, specific details about the data you are requesting, proof of identity, and your preferred method of receiving the data.

Why is proof of identity required for a SAR?

Proof of identity is required to ensure that personal data is not disclosed to the wrong individual, thus protecting against unauthorised access and potential data breaches.

How long does it take to process a Subject Access Request?

Organisations must respond to SARs without undue delay and within one month of receipt. In complex cases, this period can be extended by up to two additional months, with the requester being informed of the delay within the initial one-month period.

Are there any fees for submitting a Subject Access Request?

Generally, organisations cannot charge a fee for processing a SAR. However, if the request is manifestly unfounded or excessive, a reasonable fee may be charged, or the request may be refused.

What should I do if my SAR is refused?

If your SAR is refused, the organisation must inform you of the reasons for refusal and your right to complain to the Information Commissioner’s Office (ICO) or seek judicial remedy.

Can I request access to data held about me by another individual or organisation?

Yes, you can request access on behalf of another individual if you have their consent or legal authority, such as a power of attorney. The request should include proof of this authority.

What types of personal data can I request through a SAR?

You can request any personal data that the organisation holds about you, including details of how your data is processed, the purposes for processing, and who the data has been shared with.

These FAQs provide a clear understanding of the Subject Access Request Form and the process of requesting access to personal data, helping individuals exercise their rights under GDPR and the Data Protection Act 2018.

George Harris