Subject access request solicitors

Explore how we help businesses with their commercial legal requirements.

Contact our team

When individuals exercise their legal right to access the personal data an organisation holds on them, navigating the process can be complex and time-sensitive.

Whether you are a business responding to a request or an individual seeking to understand your rights, our expert subject access request solicitors are here to provide clear, confident legal support.

At Moore Barlow, our team has specialist experience across data protection and privacy law, offering guidance that is practical, commercially aware, and aligned with the latest UK GDPR,  Data Protection Act and Data Use and Access Act (DUAA) requirements. We understand how data access obligations play a critical role in risk management, regulatory compliance, and protecting an organisation’s reputation.

What is a subject access request (SAR)?

A subject access request (SAR) is a formal request made by an individual (the data subject) under Article 15 of the UK General Data Protection Regulation (UK GDPR) to obtain a copy of the personal data that an organisation holds about them. This includes information about how that data is being used, who it has been shared with, and the source of that data. SARs are an important aspect of transparency and control for individuals and often arise during disputes, grievances or legal proceedings.

Organisations are legally obliged to respond to SARs within one calendar month, although this can be extended by a further two months for complex cases. Failure to comply with a SAR can result in regulatory penalties and reputational damage. For businesses, managing SARs efficiently and in a legally compliant manner requires expert legal and technical knowledge – particularly when handling large volumes of data, third-party references or sensitive information.

John Warchus

John Warchus

Partner | Commercial

079 6656 9299

How we can help

Our subject access request solicitors have in-depth knowledge of data protection law and provide tailored advice to businesses of all sizes and sectors. We support clients in responding lawfully, efficiently, and appropriately to subject access requests, ensuring deadlines are met and the risk of non-compliance is minimised.

Our services include:

  • Advising on the scope and validity of the request
  • Helping to locate, review and redact personal data
  • Identifying third-party information and applying appropriate exemptions
  • Drafting appropriate response letters and disclosure packages
  • Defending against SAR misuse or excessive requests by advising on the exemptions that may apply to a SAR request
  • Assisting individuals in submitting or challenging SAR responses

Whether you are receiving numerous SARs as part of a larger employee or customer data issue, or you are an individual seeking to understand the data an organisation holds about you, our team can guide you through the process with clarity and confidence.

Why choose Moore Barlow?

At Moore Barlow, we combine the deep expertise of a large law firm with a personal, client-focused approach. Our commercial and technology solicitors are known for their pragmatic advice, sector-specific insight and ability to simplify complex regulatory challenges.

When you work with us, you benefit from:

  • A highly experienced legal team with recognised data protection expertise
  • Clear, jargon-free guidance tailored to your unique situation
  • A proactive and responsive service built around your priorities
  • Access to a wider network of specialists in employment, dispute resolution, and regulatory law
  • A track record of successful outcomes for both businesses and individuals

With offices in London, Southampton, Guildford, Richmond, Lymington and Woking, we are well positioned to support clients across the South of England and nationally. Our firm has been recognised by leading legal directories, including Chambers and The Legal 500, and we pride ourselves on building long-term relationships based on trust and results.

What is a subject access request?

Explore what is a subject access request is and why it’s essential for managing personal data legally and effectively.

Key considerations for businesses responding to SARs

Managing a subject access request is not simply a matter of locating and forwarding emails. Organisations must ensure they identify all relevant personal data, consider whether it includes data about other individuals, and assess what exemptions apply. Common challenges include:

  • Handling unstructured data such as emails, messaging platforms, and handwritten notes
  • Balancing transparency with third-party confidentiality rights
  • Responding within tight deadlines, especially when GDPR exemptions apply
  • Understanding the limits of the SAR – such as repetitive or excessive requests

Our solicitors provide practical support to your internal data protection teams or act on your behalf to manage the process end-to-end, ensuring a compliant response that protects your legal and commercial interests.

Contact us

If you need clear, expert advice on subject access requests – whether you’re an organisation dealing with a complex request or an individual seeking access to your personal data – our specialist subject access request solicitors are here to help.

Please contact our Commercial & Technology team today to discuss your needs and find out how we can support you. You can reach us via phone, email or by completing our online enquiry form. We offer transparent fees and responsive, expert service that puts your legal rights and responsibilities in focus.

We are here to help

Discover how our expert commercial and technology lawyers can help you.

Contact our commercial and technology team

Frequently asked questions

What is the time limit to respond to a subject access request?

The standard time limit for responding to a SAR is one calendar month from the date of receipt. This may be extended by up to two additional months for complex or multiple requests, but the data subject must be informed of the delay and the reasons for it.

Yes, in certain situations. An organisation can refuse a SAR if it is manifestly unfounded or excessive, particularly if it is repetitive. However, the grounds must be clearly justified, and the individual must be informed of the refusal, including their right to complain to the Information Commissioner’s Office (ICO).

Organisations must provide copies of all personal data held about the individual, along with information about how the data has been processed, any recipients or categories of recipients, the retention period and the individual’s rights. However, data about other individuals, legally privileged information, or confidential references may be exempt from disclosure.

Yes. A SAR does not need to be made in writing or follow a particular format. Once a SAR is received, regardless of the medium, the organisation’s duty to respond within one month begins.

Our commercial legal service brochure

Explore our commercial and technology legal services, designed to help businesses prosper.  Our team of experienced lawyers provide tailored advice and support to clients across a range of sectors, from start-ups to multinational corporations.

Download our brochure

Our team accreditations

Testimonials