Data Subject Access Request (DSAR)

Understanding the Data Subject Access Request (DSAR)

A Data Subject Access Request (DSAR) is one of the most powerful rights you hold under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. It allows you to demand a full copy of all personal information a company holds about you — whether that’s a bank, lender, or debt collection agency (DCA).

In the context of consumer credit, a DSAR is a crucial investigative step. It reveals what’s really happening behind the scenes:

  • How your data has been shared or sold

  • Whether your account was lawfully assigned to a third party

  • What internal notes, call logs, or communications exist

  • Whether your credit agreement and statements are complete

This makes it one of the most effective tools for verifying ownership, exposing non-compliance, and challenging inaccurate reporting.

What You Should Be Asking For

A properly worded DSAR should ask for:

  • Copies of all credit agreements, statements, and correspondence

  • Details of any assignment or sale of the debt (including the date and buyer)

  • Internal notes and communication logs relating to your account

  • Copies of any data shared with third parties, including DCAs or credit reference agencies

  • A list of data categories, sources, and retention periods

These disclosures help identify breaches of the Consumer Credit Act, FCA CONC rules, and data protection law.

How to Send It

  1. Write to the Data Protection Officer (DPO) or the company’s official GDPR contact.

  2. Include your full name, address, and any account references.

  3. Request all personal data held about you under Article 15 UK GDPR.

  4. You do not need to pay a fee — DSARs are free unless the request is manifestly excessive.

  5. Send it by recorded delivery or email, and keep proof of sending.

The company has one calendar month to respond.

When to Send a Reminder

If you receive no response or an incomplete reply after 30 days:

  • Send a polite reminder giving them a further 7–14 days to comply.

  • Reiterate that failure to respond may constitute a breach of UK GDPR Article 12.

If still no response, it’s time to escalate.

How to Escalate

If the organisation ignores your request, withholds key information, or provides only partial disclosure:

  • File a formal complaint with the company’s DPO, referencing UK GDPR Articles 12–15.

  • After 30 days (or sooner if they refuse outright), escalate the matter to the Information Commissioner’s Office (ICO).

  • If the issue relates to debt collection or credit reporting, you can also involve the Financial Ombudsman Service (FOS).

Why It Matters

A DSAR is not just about data — it’s about power and evidence.
It lets you see what creditors really hold, what they’ve shared, and whether they have the legal right to collect.
If a creditor or DCA can’t produce the correct documents, they may have breached both data protection law and the Consumer Credit Act 1974, giving you significant leverage in resolving or challenging the debt.

Get the Complete DSAR Template Pack

Freedom Financial has created a ready-to-use DSAR Template Pack that includes:

  • Professionally drafted request and reminder letters

  • Escalation templates for ICO or FOS complaints

  • A compliance tracker and step-by-step guide

This pack saves time, removes the guesswork, and ensures your DSAR is legally sound, properly worded, and fully traceable.