What Is a Data Subject Access Request?
A data subject access request allows individuals to obtain copies of their personal data along with explanations of how that information is processed. It is more than a simple data dump; organisations must explain the purposes for processing, categories of data involved, recipients of the data, retention periods, and safeguards for international transfers.
For example, an individual may learn that their email address is used for marketing campaigns, their purchase history is stored for customer service purposes, and their financial information is shared with payment processors. These insights help people challenge inaccuracies, request corrections, or even object to certain types of processing.
Under UK GDPR, organisations must respond within one month unless an extension applies. Similar laws exist globally, such as the EU GDPR and California’s CCPA, which means businesses operating internationally must be prepared to meet multiple compliance standards. For further reading, the Information Commissioner’s Office (ICO) guide on accessing personal information provides practical details for individuals making a DSAR in the UK.
When Should You Use a Data Subject Access Request?
There are many situations where submitting a DSAR is valuable. Understanding when to use one helps individuals assert their rights effectively.
1. Checking How a Business Uses Your Data
When you submit a DSAR, you gain insight into the specific purposes for which your personal data is processed. This is important because businesses must have a lawful basis, such as contract performance, legal obligation, or legitimate interest, to justify their use of your information.
A DSAR response might show that your details are stored for warranty claims, used for fraud prevention, or kept solely for marketing purposes. Understanding this context not only clarifies whether the processing is lawful but also empowers you to object to uses you consider intrusive, like targeted advertising or profiling, which may not align with your expectations.
Expert Tip:
“Always ask whether the organisation relies on 'legitimate interest' as the legal basis for processing your data. This is one of the most flexible grounds under the UK GDPR, but it also gives you the strongest ability to object if you disagree with how your data is used.”
2. Correcting or Deleting Information
Inaccurate or outdated personal information can have serious consequences, ranging from credit report errors that impact loan approvals to medical records containing incorrect details that could influence treatment. A DSAR helps you uncover these inaccuracies and exercise your right to rectification or erasure under the UK GDPR.
For example, a former tenant may discover their old address is still linked to utility accounts, exposing them to potential billing mistakes. By formally requesting corrections or deletions, individuals ensure that organisations not only store accurate information but also respect the principles of data minimisation by not holding data for longer than necessary.
Expert Tip:
“When requesting rectification or erasure, keep your communication concise and include supporting evidence, such as utility bills for an updated address or official documents correcting errors. This increases the likelihood of your request being processed quickly without disputes.”
3. Investigating Data Sharing
Personal data rarely stays within one organisation; it is often shared with third parties such as payment processors, analytics providers, or international subsidiaries. A DSAR enables you to see exactly who your data has been disclosed to and for what reason. This can reveal whether your sensitive information is transferred outside the UK or EU, in which case additional safeguards, such as Standard Contractual Clauses, should be in place.
If a DSAR shows your details have been shared without adequate legal grounds, you may have a basis to raise a complaint with regulators or demand that the organisation stop sharing your data. This transparency is critical in an era where third-party sharing is a leading cause of data breaches and privacy concerns. The ICO’s guidance on complaints explains the next steps if you believe your rights are being breached.
4. Understanding Automated Decision-Making
Automated decision-making systems increasingly shape major aspects of life, from credit approvals to hiring processes. A DSAR allows you to uncover whether your data is being fed into algorithms that make such decisions without human oversight.
This matters because individuals have the right not to be subject to decisions based solely on automated processing that significantly affect them, unless certain legal exceptions apply. By reviewing DSAR disclosures, you might learn that your job application was filtered by AI software or that your loan eligibility was determined by a scoring system. With this knowledge, you can demand an explanation of the logic involved, challenge the outcome, or request human intervention, ensuring fairness and accountability in automated systems.
How to Write a Data Subject Access Request
A DSAR request (UK) should be clear, professional, and legally precise. While it does not need to follow a rigid format, including the right details makes the process smoother. Using a Legally.io DSAR request template helps ensure nothing is overlooked while tailoring the request to your needs.
Step 1: Identify Yourself Clearly
Start by giving your full legal name, current address, and any additional details that help the organisation locate your records, such as customer numbers, account IDs, or employee references.
Many businesses handle thousands of records, so clarity at this stage prevents unnecessary back-and-forth. Some organisations may even require proof of identity, such as a utility bill or driver’s license, before processing the request. Providing this information upfront speeds up verification and reduces the risk of delays.
Step 2: State the Purpose of the Request
Make it clear whether you want access to all personal data or specific categories. For example, you may only be interested in “all email correspondence between January 2022 and July 2023” or “records related to my employment contract.”
Narrowing the scope can save time and prevent being overwhelmed with irrelevant data. On the other hand, asking for a full report might be best if you suspect the organisation is using your data in ways you’re not aware of. Being precise ensures the organisation delivers useful information rather than generic responses.
Step 3: Reference the Legal Basis
A DSAR carries weight because it is a legal right. To ensure your request is recognised as such, explicitly state that you are making it under the UK GDPR, the Data Protection Act 2018, or another applicable regulation, depending on jurisdiction.
By citing the law, you signal that you understand your rights and expect the organisation to comply with its statutory obligations. This step discourages companies from treating your inquiry as informal and helps protect you if you need to escalate the matter to a regulator later.
Step 4: Specify Delivery Format
Organisations are legally obliged to provide data in a commonly used format, but you can make their job easier by stating your preference. Electronic formats like PDFs or spreadsheets are often the most practical since they can be searched, stored, and shared easily.
If you prefer paper copies, for example, for legal records or court proceedings, say so in advance. If sensitive data is involved, you may also request secure delivery methods such as encrypted email or password-protected files. Setting expectations up front minimises the risk of delays or technical issues.
Expert Tip:
“Request encrypted files or password-protected PDFs when dealing with sensitive categories of data such as health, financial, or criminal records. This ensures compliance with security obligations and reduces the risk of your personal information being intercepted.”
Step 5: Include Any Deadlines or Clarifications
Remind the organisation that they are legally required to respond within one month of receiving your request. This demonstrates that you are aware of your rights and establishes a clear timeline. If your request is complex, acknowledge that the law allows a two-month extension, but insist that the organisation inform you within the first month if they plan to use this extra time.
Including these details not only demonstrates awareness of the law but also ensures the company takes your request seriously from the outset.
What Should a Data Subject Access Request Contain?
If you’re wondering how to make a DSAR request effective, here are the key elements you must include to make it legally binding and operationally clear. Using a free online subject access request template will make the process quicker and easier.
- Identity Information: Your full legal name, address, and contact details are essential. Without this, the organisation may reject the request due to a lack of proof of identity.
- A Formal Request Statement: Include a line such as: “I am making a data subject access request under the UK GDPR and request access to all personal data you hold about me.” This leaves no ambiguity.
- Scope of the Request: Define whether you want all personal data or only specific categories. For example, an employee may want “performance reviews between 2020 and 2023,” while a customer may want “purchase and account history from the past two years.”
- Preferred Delivery Method: Clarify whether you want digital copies via email, access through an online portal, or printed documents. Stating this up front prevents unnecessary back-and-forth.
- Supporting Identification Documents: Some organisations may require proof of identity, such as a scanned passport or a utility bill. Including these early can prevent delays.
Legal Tips for Writing a Data Subject Access Request
- Be Precise Without Limiting Rights: Narrowing the scope can make responses quicker, but always be clear that you reserve the right to request broader data later if needed.
- Track Timeframes and Keep Records: Keep a dated copy of your request and monitor the response deadline. If an organisation fails to reply within one month, escalate to the Information Commissioner’s Office (ICO) or relevant authority.
- Request Explanations, Not Just Data: Ask for information about how data is processed, who it is shared with, and how long it will be retained. This provides a full picture of how your data is being managed.
- Use a Trusted DSAR Template: A well-drafted Legally.io template ensures your DSAR covers all necessary legal points, aligns with GDPR, and minimises the risk of the request being rejected for missing details.
Expert Tip:
“If the organisation refuses your DSAR on grounds of being 'manifestly unfounded or excessive,' challenge this decision in writing. Regulators like the ICO often require companies to justify refusals, and many organisations withdraw objections when pressed for evidence.”
Key Takeaways
- A data subject access request is one of the most effective tools for exercising control over personal data.
- Using a structured, well-drafted request ensures organisations cannot ignore or delay your inquiry.
- Referencing your legal rights, stating the scope, and tracking response deadlines make your request stronger.
- Leveraging Legally.io’s DSAR templates provides peace of mind that your request meets regulatory requirements while saving time and effort.