Finance Editor, Kael Tripton Ltd - LBS MBA - Verified against FCA Handbook: 14 June 2026
Quick answer
Under Article 15 of the UK GDPR, you can request all personal data held by any financial firm -- your bank, insurer, mortgage lender or credit card company. The firm must respond within 1 calendar month. Use a SAR to get call recordings, underwriting files and claims correspondence to support an FOS complaint or court claim.
What Is a Subject Access Request and How Do You Use It Against a Financial Firm?
Direct answer
Can I request all personal data my bank or insurer holds about me?
Yes. Under Article 15 of the UK GDPR (ico.org.uk/your-data-matters), you can submit a Subject Access Request to any financial firm. The firm must provide all personal data they hold about you within 1 calendar month, free of charge. This includes call recordings, underwriting files, claims correspondence and any profiling data used in pricing or lending decisions.
FCA Handbook - UK GDPR Article 15 - Verbatim Rule Text Source: handbook.fca.org.uk
The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and information about the processing.
Write to the firm's Data Protection Officer
Address the SAR to 'The Data Protection Officer'. State: 'I am making a Subject Access Request under Article 15 UK GDPR. Please provide all personal data you hold about me.' Include your name, account number and date of birth.
Note the 1-month deadline
The firm must respond within 1 calendar month of receiving your request. Diarise this date.
Request specific data types
You can narrow your SAR to specific data: call recordings from a specific date, underwriting files, claims correspondence. Specific requests get faster responses.
Use the data in your FOS complaint
If the SAR reveals information contradicting the firm's account of events, include it in your FOS submission.
Complain to the ICO if refused or delayed
ico.org.uk/make-a-complaint. The ICO can require the firm to comply and can impose fines for non-compliance.
| Data type | Typically available via SAR | Useful for |
|---|---|---|
| Call recordings | Yes -- if recorded and retained | Proving what you were told at sale or claim |
| Underwriting file | Yes | Understanding why a claim was declined or premium was high |
| Claims correspondence | Yes | FOS complaints about claims handling |
| Credit score data | Yes | Challenging lending decisions |
| Profiling and pricing data | Yes | Consumer Duty fair value challenges |
| Third-party disclosures | Yes -- list of who data was shared with | Identifying data sharing without consent |
Related KT guides
Frequently Asked Questions
What is a Subject Access Request to a financial firm?
A Subject Access Request (SAR) is a request made under Article 15 of the UK GDPR (General Data Protection Regulation) and the Data Protection Act 2018 for a copy of all personal data a firm holds about you. You can submit a SAR to any FCA-authorised firm including your bank, insurer, mortgage lender or credit card company. The firm must respond within 1 calendar month and must provide a copy of all your personal data in a commonly used electronic format.
How do I submit a Subject Access Request to my bank or insurer?
Write to the firm's Data Protection Officer (DPO) or data privacy team. State clearly that you are making a Subject Access Request under Article 15 of the UK GDPR. You do not need to give a reason. Include enough information to identify your account (name, account number, date of birth). The firm must respond within 1 calendar month. If the request is complex, they can extend by a further 2 months but must tell you within the first month.
What information must a bank or insurer include in a SAR response?
The SAR response must include: all personal data held about you, the purposes for which it is being processed, the categories of data, any third parties to whom it has been disclosed, how long the data will be kept, and your rights (to rectification, erasure, restriction of processing). For financial firms this may include: account transaction history, call recordings, credit scores, correspondence, claims history, and any profiling data used for underwriting or pricing.
Can a financial firm refuse my Subject Access Request?
A firm can refuse a SAR only in limited circumstances: if the request is manifestly unfounded or excessive (e.g. repetitive requests made to harass), or if certain exemptions apply (e.g. legal professional privilege, preventing crime). The firm cannot refuse simply because providing the data would be time-consuming. If a firm refuses your SAR, you can complain to the ICO at ico.org.uk/make-a-complaint.
Can I use a SAR to help a financial complaint?
Yes -- and this is one of the most valuable uses of a SAR for financial disputes. A SAR can reveal: call recordings showing what you were told when taking out the product, underwriting data showing how the insurer priced your policy, communications between departments about your claim, and credit scoring data used in a lending decision. This information can be directly relevant to an FOS complaint or court claim.
Primary sources
Kael Tripton Ltd is registered with the Information Commissioner's Office under registration number ZC135439.
