BlackEyes LogoBLACKEYES

Your rights · Templates

Subject access request template

Copy the letter below, fill in the brackets, and email it to the company's privacy contact. No lawyer, no fee, no reason required. There's a California CCPA version further down. If what you actually want is your data deleted, use the erasure template instead.

The template — UK GDPR

United Kingdom · Article 15

Subject: Subject access request — [Your full name]

Dear Data Protection Officer,

I am writing to make a subject access request under Article 15
of the UK GDPR and the Data Protection Act 2018.

Please provide me with:

1. A copy of all personal data you hold about me;
2. The purposes for which it is being processed;
3. The recipients or categories of recipient it has been or
   will be disclosed to, including any data brokers,
   advertisers or group companies;
4. How long it will be retained, or the criteria used to
   determine that period;
5. The source of the data, where it was not collected from
   me directly;
6. Details of any automated decision-making or profiling it
   is used in.

Information that may help you locate my records:
- Full name: [Your full name]
- Email address(es): [Email addresses the company may hold]
- Postal address: [Your address, if relevant]
- Account or customer reference: [Reference, if you have one]

If you require proof of identity, please tell me promptly what
you accept. As required, I expect your response within one
calendar month of receipt of this request.

Yours faithfully,
[Your full name]
[Date]

How to send it

  1. 1

    Find the privacy contact

    Check the company’s privacy policy for a DPO or privacy email address. privacy@ and dpo@ addresses are the usual pattern; a web form is fine too — screenshot it after submission.

  2. 2

    Send it from an address they can match

    Use the email address the company is likely to hold for you. It cuts out an identity-verification round-trip, which is the most common cause of delay.

  3. 3

    Keep dated copies

    The one-month clock starts on receipt. Your sent email is the evidence the deadline is running — and the first thing the ICO asks for if you escalate.

  4. 4

    Diary the deadline

    One calendar month, extendable by up to two more for complex requests — but they must tell you about any extension within the first month. Silence past the deadline is itself a breach.

California version — CCPA right to know

United States · CCPA/CPRA

For California residents. Businesses covered by the CCPA must respond within 45 days. Most publish a dedicated “Your Privacy Choices” or CCPA request form — using their form is fine and often faster; the letter works where there isn't one.

Subject: CCPA request to know — [Your full name]

To whom it may concern,

As a California resident, I am exercising my right to know
under the California Consumer Privacy Act (CCPA), as amended
by the CPRA.

Please disclose, for the 12-month period preceding this
request:

1. The categories and specific pieces of personal information
   you have collected about me;
2. The categories of sources of that information;
3. The business or commercial purposes for collecting, selling
   or sharing it;
4. The categories of third parties to whom it was disclosed,
   sold or shared.

Identifying details:
- Full name: [Your full name]
- Email address(es): [Email addresses the business may hold]
- Phone number: [Phone number, if relevant]

Please respond within 45 days as required by the CCPA.

Regards,
[Your full name]
[Date]

Now imagine sending 450 of these

One template handles one company. Data brokers hold your details across hundreds of sites and re-list them within months. That letter-writing at scale — sending, chasing, verifying — is what BLACKEYES automates. Start by seeing your exposure, free.

Run my free exposure check

FAQ

Does a subject access request have to be in writing?

No — a verbal request is legally valid in the UK. But a written request gives you a dated paper trail, which is exactly what you need if the company misses the one-month deadline and you escalate to the ICO. Email is ideal.

Can a company charge me for a SAR?

Not for a normal request. A fee is only allowed where a request is manifestly unfounded or excessive — for example, repeating an identical request they have just fulfilled. First requests are free.

Who do I send it to?

The organisation’s privacy or DPO contact — usually privacy@company.com, dpo@company.com, or a form linked from their privacy policy. If none is published, send it to any official contact address; the clock starts when the organisation receives it, not when it reaches the right department.

What if I get no response?

After one calendar month (UK) with no reply or an inadequate one, complain to the company in writing first, then escalate to the ICO with your dated copies. Our guide to reporting a company walks through both routes.

Can I send a SAR on behalf of someone else?

Yes, with their written authority (or a power of attorney / parental responsibility for children). The organisation will ask for evidence of the authority as well as identity.