Independent consumer guide. Not affiliated with Fox & Sons or Connells Group. Not legal advice.
A Data Subject Access Request (DSAR) is a legal request under Article 15 of the UK GDPR that forces a company to hand over the personal data it holds about you — including internal emails that mention you, file notes, call logs and complaint records. It is free, it takes five minutes to send, and in our experience it changes corporate behaviour faster than any complaint letter.
Why it works
Companies say one thing to you and sometimes another thing internally. A DSAR collapses that gap. Once a company knows its internal correspondence about you is legally disclosable, unsupported claims have a way of getting corrected — in writing. In the case study on this site, a formal retraction of a serious false allegation followed the data access process.
Your rights
- They must respond within one calendar month (extendable by two months only for genuinely complex requests — and they must tell you within the first month)
- It is free in almost all cases
- They must provide the data itself, not just a summary
- “Personal data” includes emails about you, not just emails to you
- You do not have to give a reason, and making a DSAR cannot lawfully be held against you
Copy-paste DSAR template
Send by email to the company’s data protection contact (and copy the complaints team), with the subject line “Data Subject Access Request”:
Dear Data Protection Officer,
I am making a Subject Access Request under Article 15 UK GDPR and the Data Protection Act 2018.
Please provide copies of all personal data you hold about me, including but not limited to: all emails referring to me by name or by property address [insert address]; all internal correspondence, file notes, call recordings and call logs; all complaint records; and all records shared with third parties, together with the identity of those third parties.
Please include data held by [branch name] branch and by area and regional management.
My details for identification: [full name, address, and the property address the relationship concerns].
I look forward to your response within one calendar month, as required by law.
Yours faithfully,
[Name]
What happens next
- They comply: read everything. Compare their internal record with what they told you. Inconsistencies become exhibits.
- They miss the deadline or withhold data: that is itself a breach — and it goes to the ICO. See our ICO complaints guide.
- They correct themselves: get the correction in writing and keep it forever.
One warning: a DSAR gets you your personal data, not the company’s general business records. Keep the request focused on you and your property — that’s exactly where the leverage is anyway.