Subject Access is an informational website providing resources and tooling related to data protection law, privacy rights, and subject access requests (SARs). The site is designed to help individuals better understand their rights and the mechanisms available to them under applicable data protection legislation.

No. Subject Access does not provide legal advice, regulatory advice, or professional services. All content is provided for general informational purposes only. If you require legal advice, you should consult a qualified solicitor or data protection professional.

A Subject Access Request is a formal request made by an individual to an organisation, asking for confirmation as to whether their personal data is being processed and, if so, access to that data. This right exists under data protection laws such as the UK GDPR and EU GDPR.

Any individual has the right to make a Subject Access Request regarding their own personal data. In certain circumstances, requests may also be made by authorised representatives acting on behalf of an individual.

No. Subject Access is an independent website and is not affiliated with, endorsed by, or operated on behalf of any government body, regulator, or supervisory authority.

Yes. Subject Access offers two modes of use. Users may generate Subject Access Requests themselves using client-side tools and templates, or they may elect for Subject Access to submit a valid Subject Access Request on their behalf as an agent.

Self-generated requests are created by the user using interactive tools provided by Subject Access and are submitted directly by the user to the target organisation. Requests submitted by Subject Access are sent on the user’s behalf, based on information provided by the user, using a structured and compliant submission process.

In most cases, organisations subject to data protection law are required to respond to a valid Subject Access Request within statutory time limits (typically one month). However, there are exceptions, exemptions, and extensions that may apply depending on the circumstances.

Under UK GDPR and EU GDPR, organisations generally have one month to respond. This period may be extended by up to two additional months for complex or numerous requests, provided the organisation informs the requester.

Yes. Organisations may lawfully refuse or partially refuse a request in certain circumstances, such as where exemptions apply, the request is manifestly unfounded or excessive, or disclosure would adversely affect the rights of others.

Generating a Subject Access Request using Subject Access tools may be offered free of charge. Where Subject Access submits a request on a user’s behalf or provides additional services, a fee may apply. Any applicable fees will be clearly disclosed prior to submission.

No. Fees, where applicable, relate solely to the preparation and submission of a request. Subject Access does not guarantee that an organisation will respond, comply, or disclose particular information. Outcomes remain subject to applicable law, exemptions, and the organisation’s obligations.

A SAR should clearly identify you, describe the data you are requesting, and provide sufficient information for the organisation to locate your data. Organisations may request proof of identity before responding.

Subject Access processes limited technical and user-provided data necessary to operate the website and, where selected, to prepare and submit Subject Access Requests on a user’s behalf. Data handling practices are described in detail in the Privacy Policy.

No. Where Subject Access submits a request on your behalf, it does so as a technical and administrative agent only. Subject Access does not act as a solicitor, law firm, or regulated legal representative.

While Subject Access does not require account registration, certain technical data (such as IP addresses or browser information) may be processed for security and operational purposes, in line with the Privacy Policy.

Yes. Subject Access uses essential cookies necessary for the website to function. Non-essential cookies are used only where consent is provided. Full details are available in the Privacy Policy and Cookie Policy.

Yes. Where applicable, you may exercise your data protection rights, including the right to request deletion of personal data. Requests can be submitted via the website contact form.

Yes. Subject Access is accessible globally. However, the content is primarily focused on UK and EU data protection frameworks. Users are responsible for understanding and complying with applicable local laws.

If an organisation fails to respond or you believe your rights have been infringed, you may escalate the matter to the relevant data protection authority (such as the UK Information Commissioner’s Office) or seek independent legal advice.

No. Subject Access does not guarantee that a request will be successful, complied with, or produce a particular result. Outcomes depend on the organisation, the request, and applicable legal exemptions.

You can contact Subject Access using the contact form available on the website. Queries relating to privacy, data protection, or site operation will be reviewed as appropriate.

Yes. This FAQ may be updated periodically to reflect changes in law, guidance, or the operation of the website. The most current version will always be available on the site.