Subject Access Request (SAR)
A formal request by an individual for a copy of all personal data held about them by an organisation, as a right under UK GDPR and EU GDPR.
Also known as: SAR data access, right of access, GDPR access request
Last reviewed: 10 June 2026
A Subject Access Request (SAR) is the mechanism by which individuals exercise their right of access under Article 15 of the UK GDPR. On receiving a SAR, an organisation must — generally within one month and at no charge — provide a copy of all personal data it holds about the requester, the purposes for which it is processed, the categories of data, recipients, retention periods, and information about the individual's other data rights.
SARs are a valuable tool for fraud and identity theft victims. By sending a SAR to a financial institution, credit bureau, or debt collector, a victim can obtain records of all transactions, account-opening events, or credit inquiries linked to their identity, which helps to map the full extent of fraudulent activity and gather evidence for disputes. In the US, the analogous rights under the FCRA are to obtain a free annual credit report and to dispute specific inaccurate entries.
Organisations cannot refuse a SAR because the data might be embarrassing or damaging to them. Refusals are permissible only in limited circumstances — for example, where disclosure would prejudice a criminal investigation or reveal privileged legal advice. Disputes about SAR compliance in the UK are referred to the Information Commissioner's Office (ICO).
Examples
- An identity theft victim sends a SAR to a bank asking for all records associated with her name and date of birth, discovering three accounts she never opened.
- A consumer sends a SAR to a data broker to understand what personal data is held about him before exercising the right to erasure.