The Safe Web Guide.
Privacy & Identity Protection, Data Privacy, Online Safety Basics | Monday, April 6, 2026

Subject Access Requests (SAR): How to See What Companies Know About You

We often talk about data privacy as something abstract—like a 'cloud' of information floating somewhere in space. But for companies like Tesco, Amazon, Facebook, and even your local GP, your data is very concrete. It’s a file. It contains every purchase you've made, every complaint you've ever filed, every website click, and every time you've walked into a store with your smartphone turned on. To them, you are a collection of habits to be analyzed and sold.

But here is the exciting part: under the UK GDPR and the Data Protection Act, that file actually belongs to *you*. You have a powerful legal right called a Subject Access Request (SAR). This allows you to knock on the door of any company and say, 'Show me everything you have on me.' If you are asking how to request your personal data from a company in the UK, you are about to discover the most empowering tool in cyber security. Today, we'll give you a simple, non-technical guide to taking your data back.

Why Would You Want to Make an SAR?

Making a request isn't just about curiosity. It's a vital part of identity protection. Here are three practical reasons to do it:

  • To Check for Errors: If a bank or insurance company is charging you more than your neighbor, they might have a 'mistake' in your file. An SAR allows you to find and correct it.
  • To Find Leaked Info: If you suspect you've been a victim of identity fraud, an SAR to a credit agency or a store can reveal exactly what a scammer changed in your account.
  • To Reduce Your Footprint: Seeing the massive amount of data a company holds often gives you the motivation to finally use your Right to be Forgotten and delete the account.

The 3 Rules of the Request

UK law makes this incredibly easy for you, but there are a few things to remember:

Rule 1: It is 100% Free

A company cannot charge you a penny to provide your data. In the past, they could charge £10, but that was scrapped under GDPR. If a company asks for a fee, report them to the ICO.

Rule 2: You Don't Need a Reason

You do not have to explain *why* you want the data. You don't have to be 'complaining.' You can simply say you want a copy for your own records.

Rule 3: One Month Deadline

The company has exactly one calendar month to send you the information. If they need more time because the request is 'complex,' they must tell you within the first month.

How to Send the Request (The 2026 Template)

You can call them, but a short email is better. Send it to their 'Data Protection Officer' or their main customer service address:

Subject: Formal Subject Access Request (SAR) - [Your Name]

Dear [Company Name],

I am writing to formally request a copy of all personal data you hold about me under Article 15 of the UK GDPR. Please include all information associated with my name, email [Your Email], and account number [If known].

Please provide the information in a digital format. I look forward to receiving my data within the one-month legal deadline.

Sincerely, [Your Full Name]

What to Do Next

When you receive the file, it will likely be a massive PDF or a spreadsheet. Look through it. If you see information that is wrong, you have the 'Right to Rectification.' If you see information you don't think they should have (like your location history), you can then move on to requesting that the company delete your data. Reclaiming your data is the first step toward true online privacy.

The Golden Rule: You own your identity. Don't be afraid to ask companies what they are doing with your property. Knowledge is the ultimate shield against data-harvesters and scammers alike.
