ɫ

Book a demo

Data Subject Access Request Form Template for England and Wales

Generate a bespoke document

  • England and Wales
  • Scotland
  • Northern Ireland
  • Ireland
  • United States
  • Alabama (USA)
  • Alaska (USA)
  • Arizona (USA)
  • Arkansas (USA)
  • California (USA)
  • Colorado (USA)
  • Connecticut (USA)
  • Delaware (USA)
  • Florida (USA)
  • Georgia (USA)
  • Hawaii (USA)
  • Idaho (USA)
  • Illinois (USA)
  • Indiana (USA)
  • Iowa (USA)
  • Kansas (USA)
  • Kentucky (USA)
  • Louisiana (USA)
  • Maine (USA)
  • Maryland (USA)
  • Massachusetts (USA)
  • Michigan (USA)
  • Minnesota (USA)
  • Mississippi (USA)
  • Missouri (USA)
  • Montana (USA)
  • Nebraska (USA)
  • Nevada (USA)
  • New Hampshire (USA)
  • New Jersey (USA)
  • New Mexico (USA)
  • New York (USA)
  • North Carolina (USA)
  • North Dakota (USA)
  • Ohio (USA)
  • Oklahoma (USA)
  • Oregon (USA)
  • Pennsylvania (USA)
  • Rhode Island (USA)
  • South Carolina (USA)
  • South Dakota (USA)
  • Tennessee (USA)
  • Texas (USA)
  • Utah (USA)
  • Vermont (USA)
  • Virginia (USA)
  • Washington (USA)
  • West Virginia (USA)
  • Wisconsin (USA)
  • Wyoming (USA)
  • Austria
  • Denmark
  • France
  • Germany
  • Lithuania
  • Luxembourg
  • Malta
  • Netherlands
  • Poland
  • Portugal
  • Romania
  • Slovakia
  • Slovenia
  • Spain
  • Sweden
  • Switzerland
  • Australia
  • New Zealand
  • Singapore
  • Hong Kong
  • India
  • Malaysia
  • Pakistan
  • United Arab Emirates
  • Qatar
  • Saudi Arabia
  • South Africa
  • Nigeria
  • Canada
  • Brasil
  • Monaco
  • Bermuda
  • Cayman Islands
  • Gibraltar
  • Isle of Man
  • Mauritius

What is a Data Subject Access Request Form?

The Data Subject Access Request Form is a crucial document required under UK data protection legislation. It enables individuals to exercise their fundamental right to access personal data held about them by organizations. The form helps organizations process requests efficiently while ensuring compliance with the UK GDPR and Data Protection Act 2018. It should be used whenever an individual wishes to obtain information about what personal data an organization holds about them, how it's being used, and who it's being shared with.

Frequently Asked Questions

Is a Data Subject Access Request Form legally binding in England and Wales?

Yes, a properly submitted Data Subject Access Request Form creates a legally binding obligation for the organization to respond under UK GDPR and the Data Protection Act 2018. Organizations must respond within one month of receiving your request, and failure to comply can result in enforcement action by the Information Commissioner's Office (ICO) and potential fines.

How long does a company have to respond to my Data Subject Access Request under UK law?

Under UK GDPR and the Data Protection Act 2018, organizations must respond to your Data Subject Access Request within one month of receipt. This can be extended by a further two months for complex requests, but the organization must inform you of any extension and the reasons within the initial one-month period.

Can organizations charge me for responding to a Data Subject Access Request in England and Wales?

Generally no - organizations cannot charge for most Data Subject Access Requests under UK GDPR. However, they can charge a 'reasonable fee' based on administrative costs if your request is clearly unfounded, excessive, or if you request further copies of the same information. Any fees must be justified and proportionate.

How is a Data Subject Access Request different from a Freedom of Information request in the UK?

A Data Subject Access Request specifically requests your personal data under data protection law, while Freedom of Information requests seek any information held by public authorities under separate legislation. Data Subject Access Requests can be made to any organization holding your personal data, have a one-month response deadline, and are usually free.

How long does it take to prepare a Data Subject Access Request Form properly?

A basic Data Subject Access Request Form typically takes 15-30 minutes to complete properly. However, you should allow additional time to gather supporting identification documents and to clearly specify what information you're seeking, especially if requesting data from multiple departments or time periods within an organization.

Common mistakes people make when submitting Data Subject Access Requests in England and Wales?

The most common mistakes include: failing to provide adequate proof of identity, making requests too broad or vague, not specifying time periods, submitting to the wrong department, and expecting immediate responses. Being specific about what data you want and providing clear identification helps ensure a faster, more complete response.

Enforcement options if my Data Subject Access Request is ignored in England and Wales?

If your request is ignored or inadequately responded to, you can complain to the Information Commissioner's Office (ICO) for free. The ICO can investigate and order compliance, issue fines to the organization, or take other enforcement action. You may also have grounds to seek compensation through the courts under section 168 of the Data Protection Act 2018.

Reviewed by

Legal Engineer, GenieAI

A lawyer, legal researcher and legal tech founder, Swetha has built AI products deployed inside Tier 1 firms and enterprises. She ensures GenieAI's alignment with the latest regulation and executes testing on the legal robustness of Genie output.

Reviewed by

Legal Engineer, GenieAI

A Skadden-trained M&A lawyer, Imad advised on cross-border transactions and contractual risk before moving into legal AI. He reviews GenieAI's output for compliance and enforceability across our 150+ supported jurisdictions, as well as facilitating external benchmarking.

Jurisdiction

England and Wales

Reviewed by

&

Publisher

GenieAI

Category

Subject Access Request

Sector

Business

Cost

Free to use

Last updated

About the Data Subject Access Request Form

A Data Subject Access Request Form is your legal tool for obtaining information about personal data that organizations hold about you. Under England and Wales data protection law, you have the fundamental right to know what personal information companies, public bodies, and other organizations have collected about you, how they're using it, and who they're sharing it with. This form ensures your request meets legal requirements and helps organizations respond within the mandatory one-month timeframe.

When do you need this document?

You need this form whenever you want to access your personal data held by any organization operating in England and Wales. This includes requesting your employment records from current or former employers, obtaining your medical records from healthcare providers, accessing your financial information from banks or credit agencies, or retrieving your customer data from retailers or service providers. The form is also essential when you suspect your data has been processed unlawfully, when applying for jobs that require background checks, or when you need to verify what information organizations hold before making data portability or erasure requests. Organizations may require you to use their specific form format, but the core legal requirements remain consistent.

Key legal considerations

Your request must include sufficient information for the organization to verify your identity and locate your personal data. Under UK GDPR Article 15, organizations can request additional identification documents if they have reasonable doubts about your identity. The organization must provide information about the purposes of processing, categories of personal data, recipients of data, retention periods, and your rights regarding that data. They cannot charge a fee unless your request is manifestly unfounded or excessive. Organizations may refuse requests that would adversely affect others' rights and freedoms, or where specific exemptions under Schedule 2 of the Data Protection Act 2018 apply, such as national security or law enforcement purposes. You should be specific about what information you're seeking and the relevant time periods to help organizations process your request efficiently.

Legal requirements in England and Wales

Under UK GDPR and the Data Protection Act 2018, organizations must respond to your request within one calendar month of receipt, though this can be extended by two months for complex requests. The response must be provided free of charge in most circumstances. Organizations operating in England and Wales must follow Information Commissioner's Office (ICO) guidance on handling data subject access requests. They must provide information in a commonly used electronic format unless you specifically request hard copies. If an organization refuses your request, they must explain their reasoning and inform you of your right to complain to the ICO and seek judicial remedy through English courts. The ICO can impose significant fines for non-compliance, making proper handling of these requests a legal priority for organizations.

GOVERNING LAW

Applicable law

This Data Subject Access Request Form is drafted to comply with England and Wales law. Key legislation includes:

Explore 208,390+ legal templates

Explore 208,390+ legal templates

Genie's Security Promise

Genie is the safest place to draft. Here's how we prioritise your privacy and security.

Your data is private:

We do not train on your data; Genie's AI improves independently

All data stored on Genie is private to your organisation

Your documents are protected:

Your documents are protected by ultra-secure 256-bit encryption

We are ISO27001 certified, so your data is secure

Organizational security:

You retain IP ownership of your documents and their information

You have full control over your data and who gets to see it