Under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018, every individual has the right to access personal data held about them by a data controller. This right is exercised through a Subject Access Request (SAR).

At Angelov Solicitors, we help clients make, review, and challenge Subject Access Requests, including those made to the Home Office, employers, public bodies, and private organisations.

What Is a Subject Access Request (SAR)?

A SAR is a request made by an individual (the data subject) to obtain a copy of their personal data held by an organisation (the data controller).

There is no formal requirement for how a SAR must be made. It can be submitted:

• Verbally (for example, during a meeting or phone call); or
• In writing (by email or post).

It does not need to be labelled as “SAR” to be valid, any clear request for personal information is sufficient. Organisations must train staff to recognise such requests and respond promptly.

For official guidance, visit Information Commissioner’s Office. 

Your Data Protection Rights Under the GDPR

Individuals have a range of rights over their personal data, including:

• Right to be informed – how and why your data is used.
• Right of access – to obtain a copy of your data.
• Right to rectification – to correct inaccurate or incomplete data.
• Right to erasure (“right to be forgotten”) -to have data deleted in certain circumstances.
• Right to restrict processing – to limit how your data is used.
• Right to data portability – to receive your data in a transferable format.
• Right to object – to certain types of data processing, such as marketing.
• Rights regarding automated decision-making and profiling.

Key Rules for Subject Access Requests

1. Free of Charge (Except in Limited Cases)

SARs are normally free of charge. A fee can only be requested if a SAR is manifestly unfounded or excessive, which is a very high threshold. Even then, the fee must be reasonable and reflect administrative costs.

2. “Reasonable Intervals”

Individuals may make SARs at reasonable intervals. Repeated requests made within a short period may be refused if no new information is available.

3. Verifying Identity

Before releasing data, organisations must take reasonable steps to verify identity. If a representative (such as a solicitor) makes the request, written authority must be provided.

4. Providing a Copy of the Personal Data

The right of access means receiving an actual copy of your personal data, which is not merely a summary.

5. Further Copies

The first copy must be provided free of charge. Organisations may charge a reasonable fee for additional copies.

6. Clarification for Large Data Sets

Where large volumes of data are processed, the controller may ask the requester to narrow the scope. For example, to specific applications, periods, or document types.

Requests Made by Representatives

An individual may authorise a third party (for example, a solicitor or family member) to make a SAR on their behalf. The controller must confirm that proper written authority is in place before releasing data.

Children’s Rights in Scotland

In Scotland, a child aged 12 or over is generally presumed to have capacity to make their own data protection decisions. If a parent makes a SAR concerning a child of 12 or above, the organisation must confirm that the child consents to the release of data.

Children’s Rights in England & Wales and Northern Ireland

This does not apply in England and Wales or in Northern Ireland, where competence is assessed depending upon the level of understanding of the child, but it does indicate an approach that will be reasonable in many cases. A child should not be considered to be competent if it is evident that he or she is acting against their own best interests.

Amending Data after a SAR is made

A SAR relates to the data as it exists at the time of the request. Routine updates or deletions made in the normal course of business are acceptable. However, deliberate deletion or concealment of data to avoid disclosure is a criminal offence under section 173 of the Data Protection Act 2018.

Third-Party Personal Data

When responding to a SAR, information may also identify other individuals. Controllers must balance the requester’s right of access with the privacy rights of third parties. Third-party information (e.g. names, contact details) should normally be redacted unless disclosure is lawful or consent has been obtained. If consent is not available, the controller must assess whether it is reasonable to disclose the data without consent, taking into account confidentiality, the nature of the relationship, and potential harm to others.

ICO Complaints

Under section 165 of the Data Protection Act 2018, individuals can complain to the Information Commissioner’s Office (ICO) if they believe their data protection rights have been infringed. You can make a complaint via this link.

The Information Commissioner can issue a monetary penalty for any failure to comply with any of the data protection principles, any rights an individual may have under Part 3 or in relation to any transfers of data to third countries. The higher maximum amount is up to £17.5 million or 4% of global turnover, whichever is greater. If there is an infringement of other provisions, such as administrative requirements of the legislation, the standard maximum amount will apply, which is £8.7 million or 2% of the total annual worldwide turnover in the preceding financial year, whichever is higher.

Subject Access Request to the Home Office for Immigration Applications

If you have previously made an immigration or visa application to the UK Home Office, you can request access to the records held about you. This may include copies of your application forms, correspondence, caseworker notes, interview records, decision letters, and biometric information. You can make a Subject Access Request directly through the Home Office online portal.

Contact Our Solicitors

At Angelov Solicitors, we are highly experienced in preparing and managing Subject Access Requests for clients across both immigration and data protection contexts. Our team liaises with the Home Office, local authorities, educational institutions and other data controllers to obtain complete and accurate disclosure of personal data.

Organisations must respond to a valid SAR within one calendar month of receipt. In limited circumstances, this deadline can be extended by up to two additional months if the request is complex or involves multiple data sources. We monitor our clients’ requests carefully to ensure compliance with these statutory timeframes. Once the response is received, our solicitors will review the disclosure for completeness, accuracy, and compliance, and advise on next steps if the organisation fails to provide all relevant information. Where necessary, we assist with escalating the matter to the Information Commissioner’s Office (ICO) or considering legal remedies for non-compliance.

Contact us via 020 8088 2555 or complete the enquiry form below if you need to make or challenge a subject access request.