Subject Access Request (UK / EU)

An individual's right under GDPR Article 15 and the UK Data Protection Act 2018 to obtain a copy of all personal data an organisation holds about them, along with information about how that data is processed, shared, and retained.

What Is a Subject Access Request?

Key Takeaways

  • A subject access request (SAR) is a request by an individual (the data subject) to obtain a copy of the personal data an organisation holds about them. It is a right conferred by Article 15 of the UK GDPR (Article 15 of the EU GDPR in the EU), with the procedural detail and exemptions set out in the UK Data Protection Act 2018.
  • Organisations must respond without undue delay and at the latest within one month of receipt (Article 12(3)). This is a calendar month, not a fixed 30 days: the deadline is the corresponding date in the following month, or the last day of that month if there is no corresponding date, so the organisation has between 28 and 31 days depending on when the request arrives. The period can be extended by a further two months for complex or numerous requests, but the individual must be told of the extension, and the reasons for it, within the first month.
  • SARs are free. An organisation can charge a "reasonable fee" (or refuse to act) only where the request is manifestly unfounded or excessive, in particular because it is repetitive. It may also charge a reasonable administrative fee for further copies of data it has already supplied (Article 15(3)). The bar for refusing or charging is high.
  • The response must include: a copy of the personal data, the purposes of processing, the categories of data, the recipients or categories of recipients (including any in third countries, with the safeguards applied to the transfer), the retention period or the criteria used to decide it, the source of the data if it was not collected from the individual, whether automated decision-making including profiling is used and the logic involved, and the individual's rights to rectification, erasure, restriction and objection and to complain to the ICO.
  • Employment-related SARs are among the most common and most complex. They often arise during or after disciplinary processes, grievances, discrimination claims, and dismissals, and can include emails, meeting notes, performance reviews, CCTV footage, and internal communications about the individual.

SARs are one of the most operationally demanding data protection obligations for HR teams. When an employee (current or former) submits a SAR, the organisation must search across every system and file that might contain their personal data: HRIS, email, shared drives, messaging platforms, paper files, CCTV systems, access logs, payroll records, and performance management tools. The one-month clock starts on the day the request is received by anyone in the organisation, not when HR gets around to looking at it. Missing the deadline is a compliance failure that the ICO can investigate and penalise. SARs have increased significantly in recent years, driven by greater awareness of data rights, the rise of no-win-no-fee employment claims, and the strategic use of SARs in litigation. Many employment solicitors advise clients to submit a SAR as the first step before bringing a tribunal claim, because it forces the employer to reveal all data, including internal emails and notes that might support a discrimination or unfair dismissal case.

One month: maximum time an organisation has to respond to a subject access request (a calendar month from receipt, extendable by a further two months for complex or numerous requests)
Free: organisations can't charge a fee for responding to a SAR unless the request is manifestly unfounded or excessive
67%: increase in SARs received by UK employers between 2019 and 2023 (ICO annual report data)
GBP 17.5M: maximum fine the ICO can impose for failing to comply with data subject rights (GBP 17.5M or 4% of global annual turnover, whichever is higher)

How to Handle a SAR: Step-by-Step

A structured process is essential for meeting the one-month deadline and avoiding compliance failures.

Step 1: Identify and log the request

A SAR doesn't have to use the words "subject access request." Any request by an individual for their own personal data triggers the obligation. It can be verbal, by email, through a web form, or via social media, and it can be addressed to anyone in the organisation, including a shared mailbox or a customer-facing account. Train all staff to recognise SARs and escalate them immediately. Log the date received (this starts the one-month clock), the identity of the requester, the scope of the request (specific data or everything), and the assigned handler.

Step 2: Verify the requester's identity

You must be reasonably confident the request is from the data subject (or an authorised representative). For a current employee, a request sent from their own work account is usually sufficient, but reply only to an address the individual actually controls: a mailbox that a line manager, assistant or IT team can read is not a safe place to deliver the response. A former employee's work account will normally have been disabled, so verify them against the contact details on the HR record or ask for proof of identity. For former employees or external requests, you may need to request photo ID, proof of address, or security questions. Verification must be proportionate: ask only for what you genuinely need to confirm identity, and don't ask for excessive documentation. ICO guidance treats the response period as running from receipt of the request, or from receipt of any identity information you reasonably needed to ask for, so a genuine identity check does not cost you time; using identity verification as a delaying tactic, however, is something the ICO has criticised organisations for.

Step 3: Search and collect data

Search all systems where personal data may be held: HRIS, payroll, email (including archived and deleted items in retention), instant messaging, shared drives, paper files, CCTV, access control and building entry logs, VPN and endpoint logs, call recordings, social media monitoring tools, and any third-party processors (recruitment agencies, occupational health providers, benefits platforms). Search by every identifier the individual is known by, not just their full name: employee number, email addresses and aliases, usernames, initials and nicknames used in internal chat. Record which systems were searched, with which terms and over which date range, because the adequacy of the search may later have to be evidenced to the ICO or a tribunal. Personal data includes anything that identifies or relates to the individual: name, employee ID, opinions about them, performance ratings, disciplinary notes, and internal communications that mention them.

Step 4: Review and redact

Before disclosing, review all data for: third-party personal data (you can't disclose data about other identifiable individuals without their consent or unless it's reasonable to do so), legally privileged material (exempt under Schedule 2, Part 4, paragraph 19 of the DPA 2018), confidential references (exempt if given or received in confidence for employment, education, or training purposes), management planning information (exempt if disclosure would prejudice management forecasting or planning), and negotiations information (exempt if disclosure would prejudice negotiations with the data subject). Redaction must be done carefully, and on a copy of the data rather than the original: redact the underlying content, not just the rendered view, since a black box drawn over a PDF or a hidden spreadsheet column can still carry the original text. Over-redacting can be challenged; under-redacting can breach other individuals' data protection rights.

Step 5: Respond within one month

Provide the data in a concise, transparent, intelligible and easily accessible form. If the request was made electronically, provide the data in a commonly used electronic format (PDF, CSV) unless the individual asks for something else (Article 15(3)). The response bundle is itself a large collection of personal data, often including special category data, so deliver it through a secure channel (an encrypted archive with the password sent separately, or a secure download link) to an address you have verified, never as an unencrypted attachment to an unverified mailbox. Include the supplementary information required by Article 15 (purposes, categories, recipients, retention, source, rights). If the response will take longer than one month because of the volume or complexity of the request, notify the individual within that first month, explaining the extension and the reasons for it. The maximum extension is two further months (three months in total from receipt).
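The deadline rule in these steps is easy to get wrong if it is implemented as "received date plus 30 days": a request received on 31 January is due on 28 February, not 2 March. The following is an added worked example (not code from the original page or from any HR product) that computes the due date the way the ICO's right-of-access guidance describes it: the corresponding date in the following month, clamped to the last day of that month when there is no corresponding date, and rolled forward to the next working day if it lands on a weekend or public holiday. The three-month figure for an extended request uses the same rule. The public-holiday list is a placeholder supplied by the caller, not an official calendar; dates and holidays in the usage section are constructed for illustration.

```python
from __future__ import annotations

import calendar
from datetime import date, timedelta

# Added example: UK GDPR Article 12(3) deadline under the ICO's calendar-month
# rule. Public holidays are an assumption supplied by the caller; the sample
# set in the usage block below is a placeholder, not the official UK list.


def add_calendar_months(start: date, months: int) -> date:
    """Corresponding date `months` months after `start`.

    If the target month is shorter and has no corresponding day
    (31 January + 1 month), clamp to the last day of that month.
    """
    total = start.month - 1 + months
    year = start.year + total // 12
    month = total % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


def next_working_day(d: date, public_holidays: frozenset[date] = frozenset()) -> date:
    """Roll forward while the date is a Saturday, Sunday or listed holiday."""
    while d.weekday() >= 5 or d in public_holidays:
        d += timedelta(days=1)
    return d


def sar_deadline(received: date, extended: bool = False,
                 public_holidays: frozenset[date] = frozenset()) -> date:
    """Due date for a SAR received on `received`.

    One month by default; three months in total if the Article 12(3)
    extension has been invoked (the decision to extend must itself be
    communicated to the requester within the first month).
    """
    months = 3 if extended else 1
    return next_working_day(add_calendar_months(received, months), public_holidays)


def sar_deadline_iso(received_iso: str, extended: bool = False,
                     public_holidays_iso: tuple[str, ...] = ()) -> tuple[str, int]:
    """String-in, string-out wrapper for a ticketing system or CLI.

    Returns (ISO due date, number of calendar days actually allowed), the
    latter showing why a fixed "30 days" is the wrong model.
    """
    received = date.fromisoformat(received_iso)
    holidays = frozenset(date.fromisoformat(h) for h in public_holidays_iso)
    due = sar_deadline(received, extended, holidays)
    return due.isoformat(), (due - received).days


if __name__ == "__main__":
    # Constructed placeholder holidays for the demonstration only.
    sample_holidays = ("2025-12-25", "2025-12-26")
    for received in ("2025-01-31", "2025-03-03", "2025-10-01", "2025-11-25"):
        due, days = sar_deadline_iso(received, public_holidays_iso=sample_holidays)
        ext, _ = sar_deadline_iso(received, extended=True, public_holidays_iso=sample_holidays)
        print(f"received {received}: due {due} ({days} days); if extended, due {ext}")
```

Feed the logged receipt date (Step 1) in, and treat the returned date as the latest day on which the response, or the extension notice, must have gone out; the day count is there to surface the months where a "30 days" assumption would already be late.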

Employment-Specific SAR Challenges

SARs from employees and former employees create unique challenges that don't arise in other SAR contexts.

Strategic SARs in employment disputes

It's increasingly common for employees to submit SARs during or shortly before bringing a tribunal claim. The SAR forces the employer to disclose emails, notes, and internal communications that might support a discrimination, harassment, or unfair dismissal claim. While the motivation behind a SAR doesn't affect the obligation to respond, HR teams should be aware that: every internal email mentioning the employee by name is potentially disclosable, informal or careless comments in internal communications can become evidence, and the SAR response may be used to compare against the employer's tribunal disclosure (highlighting inconsistencies).

Scope and proportionality

An employee asking for "all my personal data" requires a genuinely thorough search. However, you can ask the requester to clarify the scope. If an employee has been with the organisation for 15 years and sends a SAR for "everything," it's reasonable to ask: "Can you help us focus the search? Are you looking for data from a specific time period, system, or topic?" Asking for clarification doesn't pause the one-month clock unless you process a large amount of information about the individual and genuinely can't respond without the additional information (in which case the clock runs from when the clarification is received). If the individual declines to narrow the request, you must still make a reasonable search for everything.

Key SAR Exemptions for Employers

The DPA 2018 Schedule 2 provides several exemptions that allow employers to withhold certain data from a SAR response.

  • Legal professional privilege (DPA 2018 Schedule 2, Part 4, para 19): data subject to legal privilege, i.e. communications with lawyers for the purpose of legal advice or litigation.
  • Confidential references (Schedule 2, Part 4, para 24): references given or received in confidence for the purposes of employment, education or training (the DPA 2018 widened the old exemption, which covered only references the organisation itself gave).
  • Management forecasting (Schedule 2, Part 4, para 22): data processed for management forecasting or planning, where disclosure would prejudice those activities.
  • Negotiations (Schedule 2, Part 4, para 23): data recording the employer's intentions in negotiations with the data subject, where disclosure would prejudice those negotiations.
  • Crime prevention and detection (Schedule 2, Part 1, para 2): data processed for preventing or detecting crime or apprehending or prosecuting offenders, where disclosure would prejudice those purposes.
  • Third-party data (UK GDPR Article 15(4); DPA 2018 Schedule 2, Part 3, para 16): data that would reveal personal data about another identifiable individual; must be redacted unless that person consents or it is reasonable to disclose without consent.

When Can an Employer Refuse a SAR?

Organisations can refuse a SAR only in very limited circumstances.

Manifestly unfounded requests

A request is manifestly unfounded if the individual clearly has no intention of exercising their data protection rights. Examples include requests made purely to cause disruption or harassment. The bar is extremely high, and the ICO expects organisations to demonstrate (not just assert) that the request is unfounded. In practice, this exemption is almost never applied to employment SARs because the individual typically does have a legitimate interest in their personal data.

Manifestly excessive requests

A request may be excessive if it's repetitive (the individual has already received a response and is submitting the same request again without a reasonable interval) or the volume of data is so large that compliance would be disproportionate. Even then, the organisation can't simply ignore it. It must either charge a reasonable fee for the administrative cost or refuse to act. In either case, it must inform the individual within one month, explain why, and tell them about their right to complain to the ICO and to seek a judicial remedy. Exercising this exemption is risky. If the ICO disagrees with the assessment, the organisation has committed a compliance failure, so document the reasoning at the time the decision is made.

Penalties for SAR Non-Compliance

Failing to respond to a SAR within the deadline, providing an incomplete response, or wrongly refusing a request can trigger enforcement action.

ICO enforcement

The ICO can issue: assessment notices (requiring the organisation to demonstrate compliance), enforcement notices (requiring specific action to comply with the SAR), and monetary penalty notices of up to GBP 17.5 million or 4% of global annual turnover (whichever is higher) for serious infringements. In practice, fines at the maximum level for SAR failures alone are rare, but the ICO has issued six-figure fines for systemic failures to handle data subject requests. The ICO also publishes enforcement actions, creating reputational damage.

Compensation claims

Under Article 82 of the UK GDPR, individuals can claim compensation for material and non-material damage caused by data protection breaches, including SAR failures. Compensation claims can be brought in the county court (or High Court) without going through the ICO first. Awards for distress caused by failure to comply with a SAR have ranged from GBP 500 to GBP 12,500 in reported cases, with higher awards where the failure was deliberate or caused significant distress.

SAR Statistics [2026]

Data on the volume and handling of subject access requests in the UK.

67%: increase in SARs received by UK organisations between 2019 and 2023 (ICO annual reports)
One month: standard deadline for responding to a SAR, calculated as a calendar month from receipt (UK GDPR Article 12(3))
GBP 17.5M: maximum fine the ICO can impose for failure to comply with data subject rights, or 4% of global annual turnover if higher (UK GDPR Article 83(5))
41%: share of data protection complaints to the ICO involving data subject access rights (ICO, 2023/24)

Frequently Asked Questions

Can an employee submit a SAR verbally?

Yes. SARs don't have to be in writing. A verbal request (in person, by phone) is valid. This is why training staff to recognise SARs is important. If a manager hears "I want to see all the data you have on me," that's a SAR, and the one-month clock starts. Best practice is to log verbal requests immediately and confirm in writing to the individual what was requested and when.

Does the employer have to provide copies of emails about the employee?

Yes, if the emails contain the employee's personal data. This includes emails where the employee is discussed by name, employee ID, or other identifying information, even if the employee isn't copied on the email. Internal emails between managers discussing an employee's performance, disciplinary situation, or restructuring plans are personal data about that employee. Third-party names in those emails may need to be redacted.

Can a former employee submit a SAR?

Yes. The right to make a SAR isn't limited to current employees. Former employees, former job applicants, former contractors, and anyone whose personal data the organisation holds can submit a SAR. The organisation's data retention policy determines what data is still available. Data that was lawfully deleted in accordance with the retention policy before the request arrived doesn't need to be produced. But if data should have been deleted and hasn't been, it's still disclosable. And once a SAR has been received, in-scope data must be preserved even if the routine schedule would delete it: altering, erasing, blocking or concealing information with the intention of preventing its disclosure is a criminal offence under section 173 of the DPA 2018.

Can an employer ask why the employee wants their data?

You can ask, but the individual isn't obliged to tell you, and you can't make providing a reason a condition of responding. The right to a SAR exists regardless of motivation. Even if you suspect the SAR is being used to support a tribunal claim, you must respond fully and on time. The only exceptions are the manifestly unfounded or excessive provisions, which relate to the nature of the request, not the individual's motivation.

What about CCTV footage showing the employee?

CCTV footage where an individual can be identified is personal data and is within scope of a SAR. The employer must provide a copy (usually on a USB drive or secure download) or allow the individual to view the footage. Other people captured in the footage should be redacted (blurred) unless it's reasonable to disclose their images. The retention period for CCTV (typically 30 days) means the footage may already have been overwritten by the time a request arrives. If it was lawfully overwritten in line with the retention policy before the request was received, no disclosure is required. If it still exists when the request comes in, export and preserve it straight away rather than letting the overwrite cycle run, because erasing in-scope data after receipt with the intention of preventing disclosure is an offence under section 173 of the DPA 2018.

Can a solicitor submit a SAR on behalf of an employee?

Yes. An individual can authorise a third party (solicitor, trade union representative, family member) to make a SAR on their behalf. The organisation should verify the authority (a signed letter of authority from the data subject is standard practice). The response should be sent to the authorised representative unless the data subject has requested otherwise. Solicitor-submitted SARs are common in pre-litigation contexts and should be handled with the same deadline and thoroughness as any other SAR.
Written by Adithyan RK. Fact-checked by Surya N.
Published on: 25 Mar 2026