A subject access request (SAR) is a request made to a data controller by an individual for a copy of their personal data (as opposed to original documents) which that data controller holds on that individual. Under Article 15 of the General Data Protection Regulation (GDPR) you have a right to obtain a copy of any information relating to you which is kept on computer or in a structured manual filing system or intended for such a system, by any entity or organisation. Making a subject access request allows an individual see what information an entity or company holds on them. 

In addition, under Article 15(1) of the GDPR, the data subject has the right to obtain information from the data controller such as:

1. The purposes of processing;

2. The categories of personal data concerned;

3. The recipients or categories of recipients to whom the personal data have been or will be disclosed;

4. Where possible, the envisaged period for which the personal data will be stored;

5. The existence of the right to rectification, erasure, restriction of processing;

6. The right to lodge a complaint with the supervisory authority;

7. Where the personal data are not collected from the data subject, any available information as to their source;

8. The existence of automated decision-making, including profiling.

Individuals might wish to check the data controller’s privacy policy on their website first to identify if they provide any guidance on how to submit a SAR in their organisation, for example, which email address to use. Then we would suggest you write to that entity or organisation, making your request for whatever personal data and information you wish to access in line with Article 15 of the GPDR and request a written response. Although a SAR can be submitted verbally, the DPC suggests that you do so in writing as this means you have written evidence that you submitted the SAR to the data controller. Your request could read as follows:

Dear...
I wish to make an access request under Article 15 of the GDPR for a copy of any information you keep about me, on computer or in manual form in relation to (fill in as much information as possible to assist the organisations to locate the data that you are interested in accessing). 

In submitting a SAR you are not entitled to access non-personal data or the personal data of third parties, for example, the time a bus arrived in the city centre is not your personal data and so would not fall for release under data protection legislation. Likewise the name of the person driving the bus is the bus driver’s personal data and would be considered third-party information to you and so would not fall for release under data protection legislation. 

Data controllers cannot apply a charge or fee for fulfilling initial access requests except in limited circumstances such as where the request is ‘manifestly unfounded or excessive.’ (Article 12(5) of the GDPR). However, they are allowed under the legislation to charge a reasonable fee based on administrative costs for any further copies of a document which has been previously released and is requested by the data subject for a second time under Article 15(3) of the GDPR.