Send a Subject Access Request
Step-by-step guide · 7 min read
Write your SAR email
Use the template below. An email is all you need — despite what some companies claim, you do NOT need to fill in their internal form. The GDPR is clear: a request can be made “by any means.”
Dear Data Protection Officer, I am writing to make a Subject Access Request under Article 15 of the General Data Protection Regulation (GDPR). Please provide me with a copy of all personal data you hold about me, including but not limited to: - Account records and transaction history - Internal notes and communications regarding my account - Records of any data shared with third parties (including the Central Credit Register) - Records of any complaints or disputes - Any automated decision-making or profiling data - Correspondence records (emails, letters, call logs) My details are as follows: - Full Name: [YOUR FULL NAME] - Date of Birth: [YOUR DATE OF BIRTH] - Address: [YOUR CURRENT ADDRESS] - Account Number: [YOUR ACCOUNT NUMBER] - PPS Number: [YOUR PPS NUMBER — include if relevant] Under GDPR, you are required to respond to this request within 30 calendar days of receipt. This email constitutes a valid Subject Access Request — I am not required to use any internal form. If you require verification of my identity, please note that I am an existing customer contacting you from my registered email address. Any request for identity verification should be proportionate under Article 12(6) GDPR. Please provide the data in a commonly used electronic format. Yours faithfully, [YOUR NAME] [DATE]
Include your key details
Replace all the [PLACEHOLDER] fields with your actual details:
- Full name (as it appears on your account)
- Date of birth
- Current address
- Account number
- PPS number (if relevant, e.g., for credit unions or CCR-related requests)
Send to the right email address
Send your SAR to the company's Data Protection Officer (DPO) or their data protection email address. This is usually found in their privacy policy or on their website.
Common formats: dpo@company.ie, dataprotection@company.ie, privacy@company.ie
Note the date — the 30-day clock starts NOW
The moment the company receives your email, they have 30 calendar daysto respond. Note the date you sent the email. Set a reminder for day 25 to follow up if you haven't heard anything.
Important:The clock starts on receipt, not on acknowledgement. If they acknowledge on day 10, they don't get a fresh 30 days from that point.
If they ask you to fill their form — you don't have to
Some companies will reply saying you need to fill in their internal SAR form. You don't. Reply politely stating that your email constitutes a valid SAR under Article 15 GDPR and that the 30-day response period has already begun. The GDPR does not require any specific format for requests.
If they demand ID — assess whether it's legitimate
Under Article 12(6), a company can request identity verification if they have “reasonable doubts” about the requester's identity. But:
- If you're an existing customer emailing from a registered address, they shouldn't have doubts
- Demanding a certified passport copy for an existing customer is disproportionate
- A utility bill or a copy of a statement with your address is usually reasonable
Even if you provide ID, the 30-day clock does NOT restart. It runs from the original request.
Review the data you receive
When you receive your SAR response, examine it carefully. Look for:
- Internal notes about your account (especially write-off decisions)
- Dates that contradict what you were told
- CCR submission records (what was reported and when)
- Any evidence of data being shared without your consent
- Gaps in the data (are they withholding anything?)
Red flags in SAR responses
Watch for these issues:
- Incomplete data: If the response seems thin, they may not have provided everything. Ask specifically for what's missing.
- Late response: Over 30 days = GDPR breach. File a DPC complaint.
- Internal write-off date differs from CCR data: This is powerful evidence for a CCR amendment or FSPO complaint.
- Notes showing awareness of errors they didn't correct: Evidence of knowing inaccuracy.
What happens next
The SAR data you receive is ammunition. Use it to identify errors in your CCR report, build evidence for formal complaints, and establish a timeline of what really happened. If the company breached GDPR in how they handled your SAR, file a DPC complaint alongside your other actions.
Need help with your specific case?
Our guides cover the process — but every case is different. If you want someone to review your situation and tell you exactly what to do next, we can help.
Was this guide helpful?
Related Guides
Make a Formal Complaint
Write and submit a formal complaint to your financial provider.
Read guideFile an FSPO Complaint
File a complaint with the Financial Services and Pensions Ombudsman.
Read guideGet Your Credit Report
Request your free CCR report and learn how to read it and spot errors.
Read guide