How to Write a Data Subject Access Request Letter

If a company holds personal data about you and will not explain what it has, a data subject access request letter is often the cleanest way to force the issue. It turns a vague back-and-forth into a formal request the organisation is expected to handle under UK data protection law.

What a data subject access request letter actually does

A data subject access request letter asks an organisation to provide the personal data it holds about you. In the UK, this right sits under UK GDPR and the Data Protection Act 2018. You do not need to be in a dispute to use it, but it is especially useful when you are trying to understand what information a business, employer, lender, insurer, landlord or public body has recorded.

That could include account notes, call records, complaint logs, emails mentioning you, CCTV footage, internal correspondence linked to your case, or copies of documents you have previously supplied. It can also reveal whether your data has been shared with third parties and how long it is being kept.

The point is not to make a dramatic legal threat. The point is to create a clear paper trail and ask for specific information in a way that is difficult to ignore.

When sending a data subject access request letter makes sense

Sometimes an online form or email is enough. But a posted letter can carry more weight, especially if the organisation has already been slow, evasive or inconsistent. Physical post also helps when you want a more formal record of what was sent and when.

A data subject access request letter is often worth sending when you are dealing with a complaint that has stalled, trying to understand the basis of a decision, checking what has been logged about arrears or defaults, or gathering evidence before escalating a dispute. It can also help if you believe inaccurate information is being used against you.

That said, it is not always the right first move. If you simply want one document or one straightforward answer, a normal customer service request may be faster. A formal access request is better when the issue is broader and you need the organisation to search its systems properly.

What to include in a data subject access request letter

A good letter is direct and specific. You do not need legal jargon, but you do need enough detail for the organisation to identify you and locate your data.

Start with your full name, current address, and any reference details the organisation will use to find your records, such as an account number, policy number, booking reference or employee ID. If relevant, include previous addresses, email addresses or mobile phone numbers linked to the account.

Then state clearly that you are making a subject access request for your personal data under UK GDPR. Ask for a copy of the personal data they hold about you and, where relevant, the related information they are required to provide, such as the purposes of processing, categories of data, recipients or categories of recipients, retention periods, and the source of the data if it was not collected directly from you.

It is often smart to narrow the scope slightly. That does not weaken your request. It can make it easier to process and harder to delay. For example, you might ask for all personal data held from January 2023 onwards, or all records relating to a complaint, account closure, credit decision, insurance claim or tenancy issue.

If there are specific formats or records you want, say so. You can ask for call recordings, screen notes, emails, chat logs, internal case notes, copies of correspondence, and CCTV footage that identifies you. The more precise you are, the less room there is for a selective response.

A simple structure that works

Most people do not need a complicated template. A clear letter usually follows this order:

Your identifying details first, then a sentence confirming that this is a subject access request. After that, list the categories of personal data you want disclosed, add any date range or account reference that helps them search, and ask for the response in electronic form if that suits you. End by requesting confirmation of receipt and reminding them of the usual one-month timeframe.

Keep the tone calm. You are asserting a right, not starting an argument.

How specific should your request be?

This is where a lot of people overdo it. If your letter is too broad, the organisation may come back asking for clarification. If it is too narrow, you may miss something useful.

The best approach depends on your situation. If you are in an active dispute, it often makes sense to focus on the records tied to that issue. If you suspect a wider problem, such as incorrect profiling, unlawful sharing, or poor record keeping over time, a broader request may be justified.

There is a trade-off. A tightly framed request can get a quicker and more useful result. A wider request may uncover more, but it can also produce a large volume of material and more room for pushback.

Can an organisation ask for ID?

Yes, sometimes. If the organisation reasonably needs proof of identity to protect your data, it can ask for it. That is normal, especially where the information is sensitive or the request comes from a new email or address.

What it should not do is use ID requests as a stalling tactic when it already knows exactly who you are. If you are writing, include enough information upfront to reduce the chance of delay. If ID is requested, send only what is necessary and avoid handing over more personal data than needed.

How long does it have to respond?

In most cases, the organisation should respond without undue delay and within one month of receiving the request. That period can be extended by up to two further months for complex requests, but it should tell you if that happens and explain why.

There is usually no fee. A charge is only likely in limited situations, such as manifestly unfounded or excessive requests, or where you ask for further copies.

If the organisation does not respond properly, responds late, or withholds information without a valid reason, keep a record of everything. That paper trail matters if you later complain or escalate the issue.

Common reasons requests go wrong

The biggest problem is vagueness. If your letter does not include enough information to identify your records, you invite delay. The second problem is asking for things that are not personal data, such as generic policy documents or explanations that go beyond the access right.

Another issue is expecting every internal document to be disclosed in full. Some information may be redacted to protect other people’s personal data or because an exemption applies. That does not mean the organisation can simply refuse the whole request, but it does mean results are not always complete in the way people first imagine.

It is also common for people to send the request to the wrong place. If the organisation has a data protection contact, privacy team or registered address for formal correspondence, use it.

Should you send the letter by post or email?

Email is often quicker. Post is often more formal. If you have already had poor communication, a printed letter can be a better choice because it signals seriousness and gives you a clearer dispatch record, especially if you use tracked delivery.

For some people, that is the difference between meaning to sort it out and actually doing it. Services such as PostRight make that process easier by letting you prepare and send a professional physical letter without printing it at home or visiting the Post Office.

What happens after you get the response?

Read it carefully. Check whether the organisation has answered the full request, whether anything appears to be missing, and whether the data is accurate. Look closely at internal notes and timestamps. They often tell you more than polished customer service replies ever will.

If the response is incomplete, write back and identify the gaps. If the data is wrong, you may want to follow up with a request for rectification. If the material supports a wider complaint, keep it organised and use it to strengthen your next step.

A data subject access request letter will not solve every dispute on its own. But it can shift the balance. Once you have the records, you are no longer arguing in the dark, and that usually puts you in a much stronger position to act.