Subject Access Request — template + walkthrough
A Subject Access Request (SAR) is the most powerful tool you have for finding out what an organisation knows about you. It's free, the organisation has one month to respond, and it works against private companies, state departments and almost anyone else who holds your personal data. This page covers what to ask for, includes a copy-paste template, walks through what the response should look like, and tells you what to do when an organisation fails to comply.
The short version
- You have a right under Article 15 GDPR to a copy of all personal data an organisation holds about you, plus information about how they use it.
- It costs you nothing. The organisation cannot charge you (with very narrow exceptions for manifestly excessive or repeat requests).
- Response deadline: one month from receipt. Extendable by two more months only in specific complex cases — and they must tell you, with reasons, within the first month.
- You don't have to explain why you're asking. There is no "good reason" test.
- If they fail to respond, your remedy is to complain to the DPC.
What you can ask for
A complete SAR asks for:
- A copy of all personal data they hold about you.
- The purposes of processing.
- The categories of personal data concerned.
- Recipients or categories of recipient with whom the data is or will be shared (especially anyone outside the EEA).
- The retention period (or the criteria used to determine it).
- The source of the data, if not collected directly from you.
- Whether any automated decision-making, including profiling, applies — and if so, the logic involved and the significance/consequences for you.
- The existence of your other GDPR rights (rectification, erasure, restriction, complaint to the DPC).
SAR template — copy and adapt
To: [Data Protection Officer / Privacy Officer / DPO]
[Organisation name]
[Email address — usually dpo@.ie or privacy@ .ie]

Subject: Subject Access Request under Article 15 GDPR

Dear Data Protection Officer,

I am writing to make a Subject Access Request under Article 15 of the General Data Protection Regulation (GDPR). I would like:

1. A copy of all personal data you hold about me, in a commonly used electronic format.
2. The purposes of the processing.
3. The categories of personal data concerned.
4. The recipients or categories of recipients to whom my personal data has been or will be disclosed, including any recipients outside the European Economic Area.
5. The envisaged retention period (or the criteria used to determine it).
6. The source of the data, where not collected from me directly.
7. The existence of any automated decision-making, including profiling, under Article 22 GDPR — and, if so, meaningful information about the logic involved and the significance and envisaged consequences for me.

My identifying details:

Full name: [your full legal name]
Date of birth: [DD/MM/YYYY]
Address: [your current address]
Account / customer reference (if any): [any ID the organisation uses for you]
Email registered on the account: [the email you use with this organisation]

For the purposes of identity verification, please accept this email as my formal request. If you require additional identity verification, please let me know what you specifically require and your justification for requesting it under data-minimisation principles.

Please respond within one month, as required by Article 12(3) GDPR.

Yours sincerely,
[Your name]
[Date]
How to send it
- Find the right address. Most organisations publish a DPO or Privacy address in their privacy policy. If they don't have one, send to their general contact email AND post a copy by registered post.
- Send by email where possible. Keep the sent copy with the timestamp — it starts the one-month clock.
- Don't include your PPS number, financial details, or photographs of identity documents in the initial request. If the organisation needs additional verification, they should ask for it specifically, and you can then send the minimum required directly.
What the response should contain
A complete response typically includes:
- A cover letter or email summarising the response.
- A copy of your data — usually as a PDF, CSV, or set of exported records. Larger organisations may use a secure portal.
- Answers to each numbered request item.
- Information about your further rights (rectification, erasure, complaint to the DPC).
What the response often doesn't contain — and how to push back
| What's missing | What to do |
|---|---|
| Internal notes, memos, or correspondence about you | Reply specifying that you want all personal data, not only structured records. Internal emails and free-text notes that identify you are personal data. |
| Audit logs of who accessed your account | Reply asking for access logs. Most modern systems can produce them. |
| Recordings of phone calls you made to them | Reply asking specifically for any recordings or transcripts of calls in which you were a party. |
| CCTV footage from a location where you were a customer | Reply asking for any CCTV footage that identifies you within retention. Provide the date and approximate time you were on premises. |
| Third-party recipients listed only as categories | Reply asking for specific named recipients where retention obligations require them to know. |
| "You will need to attend in person with ID before we can respond" | Push back. GDPR allows the controller to ask for additional information to verify identity, but only what is strictly necessary. In-person attendance is almost never necessary for written requests. |
If they fail to respond within one month
Send a reminder, dated
"On [date] I made a Subject Access Request. The one-month deadline under Article 12(3) GDPR has passed. Please respond immediately."
Give them one further week
This is a courtesy, not a legal requirement; it just demonstrates good faith for any later complaint.
File a DPC complaint
See how to file a complaint with the DPC. Include your original request, the date it was sent, the reminder, and the absence of response.
Filing an SAR with the Department of Social Protection (MyGovID / PSC)
The Department's DPO contact is published on gov.ie. A complete SAR to the Department for MyGovID-related data should ask specifically for:
- Account creation and verification logs.
- Login history with timestamps, IPs and devices.
- Identity attributes held about you (name, DOB, PPS, address as on record, photograph, signature).
- SAFE registration records, including documents you submitted and biometric data captured.
- Audit trail of who has accessed your record internally.
- Records of data sharing with other state bodies.
The Department has historically responded to SARs but coverage is uneven. If their response is incomplete, the DPC has form on enforcing SAR compliance — see the DPC's earlier findings.