The UK GDPR enables individuals to gain access, on request, to personal data that you hold about them. There’s no particular format in which such a request should be made, but you can use our form to assist them with making a request.
Form of request
Under the UK GDPR, individual data subjects have the right, on request, to obtain a copy of their personal data from you by making a data subject access request (DSAR). The UK GDPR doesn’t provide for any particular format in which a DSAR should be made but you can make available our GDPR Data Subject Access Request Form. It asks the applicant to provide their name, contact details and evidence of identity and then other information to enable you to identify both them and the personal data that they’re requesting. You must still respond though to DSARs made through other formats, e.g. by e-mail, so you can’t insist that a form be used. Where you have reasonable doubts concerning the data subject’s identity, you can request them to provide additional information necessary to confirm their identity before complying with the DSAR.
Information to be provided
Once the data subject has made their DSAR, they have a right to obtain: (a) confirmation as to whether or not their personal data are being processed by you, (b) access to copies of their specified personal data, and (c) other additional information. If the data subject makes their DSAR electronically, you must provide the information in a commonly used electronic form, unless they request otherwise. Note. Your obligation is to provide personal data, not to provide full copies of documents. However, it’s unlikely to be worthwhile for you to spend time extracting personal data from a document, unless the document is sensitive or only a small part of it constitutes personal data. The other additional information comprises: