A Data Access Request is a formal enquiry submitted by an individual to an organisation asking for access to the personal information the organisation holds about them.

This right to access data is granted under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Data access requests are a fundamental tool for individuals to exercise control over their personal data. Whether you want to see what information is being stored, how it’s being used, or whether your data has been shared with others, this type of request ensures transparency and accountability from data controllers.

What is a Data Access Request?

A Data Access Request (or a Subject Access Request, SAR) is a legal mechanism that allows individuals to ask organisations to disclose:

• What personal data they hold
• How the data is being processed
• Who it has been shared with
• How long it will be stored
• Where the data came from (if not directly collected from the data subject)
• Whether any automated decision-making or profiling is taking place

Organisations are legally required to respond to such requests within one month, though this period may be extended by an additional two months for complex or numerous requests.

How to make a Data Access Request

Using Bind, you can generate a fully formatted and legally sound Data Access Request letter. Just provide your name, contact details, and send it to the organisation in question—Bind’s template includes all required legal references and prompts a timely and complete response.

Your request does not need to cite the law verbatim, but it must clearly express your wish to receive information about your personal data. You do not need to explain why you’re making the request.

It’s good practice to include:

• Your full name and email address
• A clear statement of the request
• A list of specific information you want
• A request for confirmation if no data is held

Most organisations are not allowed to charge a fee unless the request is manifestly unfounded, repetitive, or excessive.

What happens after you send the request?

The organisation must:

1. Acknowledge receipt of your request
2. Verify your identity when necessary
3. Respond within one month with the information or an explanation if they need more time
4. Provide the information free of charge, unless exceptional circumstances apply
5. If the organisation refuses the request, they must provide a clear reason and inform you of your right to complain to the Information Commissioner’s Office (ICO) in the UK.

What kind of data will you receive? Two practical examples

Making a Data Access Request gives you insight into exactly how your personal information is being used, stored, or shared. Below are two realistic examples to illustrate the type of data you might receive in response—and why it’s worth requesting:

Example 1: Marketing and behavioural profiling
You submit a request to an online clothing retailer you regularly shop with. In response, you receive a full breakdown of the data they hold, including:

• Your purchase history and preferred styles
• Marketing email open and click behaviour
• A customer profile built using browsing data, purchase frequency, and estimated preferences
• Third-party analytics data shared with external ad platforms (e.g. Meta, Google)

Why this is useful: You learn that your data is used to target you with personalised ads on social media—even though you never explicitly agreed to such tracking. This enables you to request deletion of profiling data, limit future data use, or opt out of marketing altogether.

Example 2: Employment or HR records
You submit a request to your current or former employer. They respond with:

• Copies of emails or documents that mention you
• Interview notes, performance appraisals, and attendance logs
• Records of disciplinary actions or internal HR decisions
• Information used in an automated hiring or promotion decision

Why this is useful: You discover that a previous performance concern, which you had addressed and resolved, is still noted as "active" in your record. This gives you an opportunity to challenge the accuracy of that information and request a correction—especially important for job references or future internal applications.

Data Access Request – free template

Data Access Request

Dear Data Controller,

I am writing to request access to the personal data that your company holds about me, in accordance with applicable data protection laws.

My information
Full Name:
Email Address:

Please provide the following information regarding my personal data:

• A copy of all personal datat you hold about me 
• The period for which my personal data will be stored
• […]
• […]

If you do not hold any data related to me, I would appreciate confirmation of this.

I would also appreciate a response within the time period stipulated by applicable data protection laws. If you require any further information from me to process this request, please let me know.

---

Bind is the easiest way to create a clear and compliant Data Access Request letter. Start your request now with Bind and take control of your personal data.