A Controller Gave a Partial or Non-Responsive DSAR Reply
If a data controller responded to your Subject Access Request (SAR) but their response was incomplete, evasive, or failed to provide all the personal data you are entitled to, you have several escalation routes: a follow-up letter, an ICO complaint, and if necessary, a court order.
Quick Answer
Write to the controller identifying specifically what is missing from their SAR response and requesting full compliance within 14 days. If they fail to respond adequately, complain to the Information Commissioner's Office (ICO). You can also apply to the court for an order compelling disclosure under UK GDPR Article 15 and Data Protection Act 2018 s.167. Compensation for damage or distress caused by non-compliance may be available under Article 82.
Full Explanation
Under UK GDPR Article 15, a data subject is entitled to receive a copy of all personal data held about them and specified ancillary information (the purposes of processing, recipients, retention periods, and data subject rights). The controller must respond within one month of receipt of the SAR (extendable by two months for complex or numerous requests, with notice to the data subject).
A partial or evasive SAR response is a breach of the controller's obligations. Common failures include: providing some data but omitting data held in certain systems or departments; providing data in a format that is effectively unreadable; withholding data on spurious grounds (for example, claiming a legal professional privilege exemption where none applies); or failing to provide the required ancillary information.
The first step is to write a detailed follow-up letter to the controller's Data Protection Officer (or privacy team) identifying precisely what has been omitted, citing Article 15 UK GDPR, and requesting full compliance within 14 days. Keep a copy of this letter.
If the controller does not respond adequately, complain to the ICO (Information Commissioner's Office) using the ICO's online complaints form. The ICO will assess your complaint and may require the controller to comply. While the ICO does not award compensation directly, its enforcement action can compel disclosure.
In parallel or as an alternative, you can apply to the court under Data Protection Act 2018 s.167 for an order requiring the controller to comply with the SAR. The court has jurisdiction in the County Court or High Court. If the non-compliance has caused you damage or distress, you may also claim compensation under Article 82 UK GDPR — both material and non-material (distress) damages are recoverable.
In Vidal-Hall v Google [2015] EWCA Civ 311, the Court of Appeal confirmed that damages for distress alone are recoverable under the data protection legislation, removing the requirement for pecuniary loss. More recently, the Supreme Court in Lloyd v Google LLC [2021] UKSC 50 limited class actions for loss of control damages — individual claims for specific distress remain available.
Legal Basis
- §UK GDPR Art 15 — right of access to personal data
- §UK GDPR Art 12 — controller's obligations to respond to requests
- §Data Protection Act 2018 s.45 — right of access (Part 3 — law enforcement processing)
- §Data Protection Act 2018 s.167 — court order for compliance with data subject rights
- §UK GDPR Art 82 — right to compensation for material or non-material damage
What To Do
Itemise Specifically What Is Missing From the Response
Review the SAR response carefully. List every category of personal data you believe the controller holds but has not provided, every piece of ancillary information missing (e.g. retention periods, recipients), and any data you have evidence exists (from prior correspondence or otherwise). Be specific — vague complaints are harder to enforce.
Write a Formal Follow-Up Letter to the Controller's DPO
Send a letter to the controller's Data Protection Officer (details usually on their privacy notice) identifying precisely what is missing and requesting full compliance within 14 days. Cite UK GDPR Article 15 and state that you will escalate to the ICO if you do not receive a complete response. Send by recorded delivery and keep a copy.
Complain to the Information Commissioner's Office
If the 14-day deadline passes without an adequate response, file a complaint with the ICO using the online complaints form at ico.org.uk. Provide all relevant correspondence and specify exactly what data you believe is being withheld. The ICO typically takes several weeks to investigate but can require the controller to comply.
Apply to the Court for an Order Under DPA 2018 s.167
You can apply to the County Court for an order compelling the controller to comply with your SAR under Data Protection Act 2018 s.167. This can be done alongside or instead of an ICO complaint. Consider instructing a data protection solicitor — some will take these cases on a no-win no-fee basis.
Claim Compensation Under UK GDPR Article 82
If the incomplete response has caused you damage (financial loss) or distress, include a claim for compensation in your court application under Article 82 UK GDPR. Both material and non-material (distress) damages are recoverable. Document any distress carefully with a witness statement.
Important Deadlines
Important Warnings
The controller has a one-month deadline to respond to your SAR from the date of receipt — not from the date you consider the original request was submitted. Make sure your request was clearly communicated in writing.
Some exemptions under the Data Protection Act 2018 (Schedules 2-4) legitimately restrict what a controller must disclose — for example, data that would reveal legal advice. However, controllers sometimes over-rely on these exemptions — challenge any exemption that seems spurious.
Do not confuse a SAR with a freedom of information (FOI) request — the two are separate regimes with different rules. SARs relate to your personal data; FOI relates to information held by public authorities.