Your data rights
Your Right of Access Under UK GDPR, Explained
The right behind every DSAR, explained as a concept: what the right of access actually gives you, what you can ask an organisation for, what you should receive in return, and the limits that apply — anchored to the ICO's guidance.
In short
The right of access is your UK GDPR right (Article 15) to ask any organisation to confirm whether it holds personal data about you and, if it does, to give you a copy along with information about how and why it is used. A Data Subject Access Request, or DSAR, is simply how you exercise it.
What the right of access actually is
The right of access is one of the individual rights the UK GDPR gives everyone, set out in Article 15. In plain terms, it lets you ask an organisation a simple question — are you holding personal data about me? — and, if the answer is yes, to receive a copy of that data together with an explanation of how it is being used. The Information Commissioner's Office (ICO), the UK's data-protection regulator, describes it as your right to obtain a copy of your personal data and other supplementary information.
It is worth separating the right from the request. The right of access is the underlying entitlement that the law gives you. A Data Subject Access Request, usually shortened to DSAR, is simply the act of exercising that right — the message you send to put it into effect. People often use 'DSAR' and 'right of access' interchangeably, but one is the principle and the other is the mechanism.
The right belongs to you as an individual and applies to your own personal data, not anyone else's. It is one of the foundations of UK data-protection law: before you can correct, question, or ask to remove data about yourself, it helps to be able to see what is held in the first place. This is general information, not legal advice.
What you can ask for, and what you should receive
When you exercise the right of access, you are entitled to more than just a raw export of records. The ICO sets out a defined list of what a response should include, so you can check what you receive against it rather than guessing whether it is complete.
In most cases the organisation cannot charge a fee, and it usually has one calendar month to respond from the point it receives your request and is satisfied of your identity. The aim of the right is transparency: not only the data itself, but enough context to understand what is held and why.
- Confirmation of whether the organisation is processing personal data about you at all.
- A copy of that personal data, in an accessible form.
- The purposes — why your data is being used.
- The categories of personal data concerned, such as contact details or account history.
- Who your data has been, or will be, shared with (the recipients or categories of recipient).
- How long the data will be kept, or how that period is decided.
- The source of the data, where it was not collected directly from you.
- A reminder of your other rights, including correction, erasure, and the right to complain to the regulator.
The limits of the right — and where it leads
The right of access is broad, but it is not unlimited. An organisation can withhold parts of a response under specific, narrow exemptions — for example, where releasing the data would reveal personal information about another identifiable person, or where another legal restriction applies. Where it withholds something, it should normally tell you that it has done so. The right also covers your own personal data, not internal documents or commercial information that does not relate to you.
Because the response depends on what an organisation genuinely holds and on these limited exemptions, no particular outcome is promised in advance — the right gives you a process and an entitlement, not a guaranteed result. If you believe a response is incomplete or wrongly refused, you can ask the organisation to reconsider, and you retain the right to complain to the Information Commissioner's Office (ICO).
For many people, the right of access is a starting point rather than an end in itself. Seeing what an organisation holds is what makes the next decision possible — whether to ask for a correction, to question why certain data is held, or to request erasure of specific records. You stay in control of each of those choices. If you want the practical mechanics of putting a request together, our DSAR guide walks through it step by step. This is general information, not legal advice.
Frequently asked questions
Is the right of access the same thing as a DSAR?
They are closely related but not identical. The right of access is the entitlement the UK GDPR gives you under Article 15. A Data Subject Access Request (DSAR) is how you exercise that right — the written request you send. In everyday use the terms are often treated as the same, which is fine, but the distinction is simply principle versus mechanism.
Do I have to pay to exercise my right of access?
In most cases, no. Under the UK GDPR an organisation usually cannot charge a fee to respond to a request for access to your personal data. According to the ICO, a reasonable fee may be charged only in limited situations, such as where a request is manifestly unfounded or excessive, or for further copies of the same information.
How long does an organisation have to respond?
Usually one calendar month, counted from the point it receives your request and has confirmed your identity. For a complex request it can extend this by up to two further months, but it must tell you about any extension within the first month. The ICO publishes guidance on these time limits.
Can an organisation refuse to give me everything?
Sometimes, in part. The right of access has limited exemptions — for example, where releasing data would disclose another person's personal information. An organisation should normally tell you if it has withheld something. If you think a refusal is wrong, you can ask it to reconsider and you have the right to complain to the data-protection regulator. This is general information, not legal advice.
Related terms
This is general information, not legal advice. For guidance on your own situation, consider speaking with a qualified professional.
Reviewed by OSINTA's founding lawyer — 2026-06-27.
Ready to put the right into practice?
OSINTA helps you see your own digital footprint and frame and route your own rights requests — you decide every step. It does not delete data for you and cannot promise any outcome.