A Data Subject Access Request (DSAR) is your right under Article 15 of the GDPR and the UK GDPR to ask any organisation what personal data it holds about you and to receive a copy. Organisations must usually respond within one calendar month and cannot charge a fee for a first request.

Is this letter legally valid?

The letter cites the correct legal basis and includes the elements a controller needs to act. A DSAR has no mandatory format — a clear written request is enough. This builder structures it properly, but it is a template, not legal advice.

How long does the company have to respond?

One calendar month from receipt under both UK GDPR and EU GDPR. They may extend by up to two further months for complex or numerous requests, but must tell you within the first month if they do.

Generally no. The first copy of your data must be provided free of charge. A reasonable fee or refusal is only allowed if the request is manifestly unfounded, excessive, or repetitive — and they must justify that decision to you.

Does my data go anywhere when I use this tool?

No. The letter is assembled entirely in your browser from what you type. Nothing is uploaded, stored on a server, or logged — you simply copy or print the finished text.

GDPR Data Subject Access Request Letter Builder

A correctly structured access request, instantly

Article 15 of the GDPR (and the identical UK GDPR provision) gives you the right to ask any organisation what personal data it holds about you, why, where it came from, who it is shared with, and how long it is kept — and to receive a copy. A Data Subject Access Request has no required format, but a well-structured letter that cites the right law and asks for the right categories makes it far harder for a controller to delay or fob you off. This builder produces exactly that from a short form.

How it works

The tool maps your inputs onto the elements of a compliant Article 15 request:

It states the legal basis (UK GDPR / EU GDPR Article 15) and that you are the data subject making the request in person.
It lists the categories of information you select — a copy of your personal data, the purposes of processing, the recipients or categories of recipients, the retention period, the source of the data, and confirmation of any automated decision-making.
It sets out the one-calendar-month statutory deadline and asks for the response in a commonly used electronic format.

Everything is concatenated client-side into a plain-text letter with a date and signature block. Nothing is transmitted.

Tips and notes

Send the request to the organisation’s privacy or data protection contact (often dpo@ or a “privacy” address listed in their privacy policy) and keep proof of when you sent it — the one-month clock starts on receipt. If they ask you to verify your identity that is allowed, but the deadline then runs from when you provide the verification. This builder gives you a solid template; for a contested or complex case, or to escalate to the ICO or your supervisory authority, consider proper legal advice.