DSAR Template for UK Employers: Examples and How to Use Them
Published 2 July 2026 · Last reviewed 23 June 2026
A DSAR template is a pre-written letter framework that employers adapt when responding to a data subject access request. Having the right templates ready shortens response time, reduces the risk of missing required information, and creates a consistent audit trail the ICO can review.
This guide explains which templates UK employers need, what each must include, and how to adapt them for individual SARs.
This guide covers DSAR templates for UK employer use under UK GDPR and the Data Protection Act 2018. It is not legal advice.
Why a "DSAR template" search often returns the wrong thing
Most template results when you search "DSAR template" return ICO resources for individuals making requests — data subjects, not data controllers. As an employer receiving a SAR, you need the opposite: frameworks for the letters you send back.
The templates you need are:
- SAR acknowledgement letter — confirms receipt and states the deadline
- Identity verification request — pauses the clock while you verify identity (DUAA 2025 stop-the-clock)
- Clarification request — pauses the clock while the requester narrows a broad request
- Extension notice — notifies the requester you are taking a two-month extension
- SAR response cover letter — the letter accompanying the data disclosure
- Partial refusal letter — explains which exemptions apply and what has been withheld
- Full refusal letter — explains why the request is manifestly unfounded or excessive
Each plays a different role in the SAR response process. Using the wrong template — or none at all — creates gaps in the audit trail.
What every DSAR template must include
Under UK GDPR Article 12, your written communications with data subjects must be:
- In plain, concise language — not legal boilerplate
- Addressed correctly — to the individual, or to their representative if a solicitor submitted the request
- Timely — sent within the response period
Beyond those general requirements, each template has specific content it must cover:
Acknowledgement letter must include:
- Receipt date (the date that starts the one-month clock)
- Confirmation that the request has been understood and will be processed
- The expected response date (one calendar month from receipt)
- Contact information for queries
Response cover letter must include under UK GDPR Article 15:
- Confirmation you are processing their personal data
- The categories of data included in the disclosure
- Processing purposes
- Data recipients (who the data has been shared with)
- Retention periods (or the criteria used to determine them)
- Their rights: rectification, erasure, restriction, complaint to the ICO
- If applicable: information about automated decision-making and profiling
Missing any of these elements makes a response technically incomplete, even if you have provided a full set of documents.
SAR acknowledgement letter — template framework
Adapt this for each incoming DSAR. Fill the bracketed sections with the specifics:
[Date]
[Requester name and address]
Dear [Name],
Thank you for your subject access request received on [receipt date]. We confirm that we will process your request in accordance with UK GDPR and the Data Protection Act 2018.
Your request has been logged with reference [internal reference number].
We will respond no later than [one calendar month from receipt date]. If we need further information to process your request, we will contact you.
If you have any questions in the meantime, please contact [name/role] at [email/phone].
Yours sincerely,
[Signatory name and role]
[Company name and registered address]
Key adaptation point: The deadline date is one calendar month from the receipt date — not one calendar month from the date you acknowledge the request. Log the receipt date accurately.
Extension notice — template framework
A two-month extension is available under UK GDPR Article 12A(3) (inserted by DUAA 2025 s.76) for complex or multiple simultaneous requests. You must notify the requester within the original one-month period:
[Date — must be sent within the first calendar month]
[Requester name and address]
Dear [Name],
We are writing regarding your subject access request received on [receipt date].
Your request involves [complex or multiple simultaneous requests — describe briefly]. Because of this complexity, we are extending our response period by a further two months in accordance with UK GDPR Article 12A(3) (DUAA 2025 s.76).
We will respond by [date: one month from receipt + two months].
If you have any questions, please contact [name/role] at [email/phone]. You also have the right to raise a complaint with the Information Commissioner's Office at ico.org.uk/make-a-complaint.
Yours sincerely,
[Signatory name and role]
Common mistake: Employers who intend to extend but do not send this notice within the first month are in breach of Article 12A(3), even if they ultimately respond within the extended period.
Partial refusal letter — what to explain
When you apply exemptions under the Data Protection Act 2018 Schedule 2 Part 4, you must explain the basis in writing. You do not need to describe the specific content withheld, but you must:
- Name the exemption category (e.g., "legal professional privilege under Schedule 2 paragraph 19")
- Confirm how many documents or categories of documents have been withheld
- Confirm the requester's right to complain to the ICO about the refusal
Exemptions you are NOT required to confirm or deny applying: The "neither confirm nor deny" option is available in limited circumstances — for example, where acknowledging that management planning data exists would itself prejudice the business. This is a narrow carve-out, not a general escape route.
Free DSAR templates and automated generation
The SAR response letter generator creates personalised acknowledgement letters, extension notices, and response cover letters based on your SAR details — date received, requester name, exemptions applied.
For a full breakdown of the SAR response process that these templates support, see Subject Access Request Response: A Step-by-Step Guide for UK Employers.
For an employee-specific version of the response cover letter — formatted for HR manager use — see the employee SAR template.
Checklist: before sending any DSAR letter
- Response is addressed to the correct person (requester or their solicitor)
- Date of original receipt is recorded and used for deadline calculations
- Required content for that letter type is included (see sections above)
- No personal data is disclosed without checking for third-party data issues
- Any exemptions applied are documented with a written justification
- The letter is dispatched securely (not plain email for data-containing letters)
- You retain a copy of the letter and dispatch confirmation in the audit trail
Sources
- UK GDPR — Article 12 (transparent information and communications)
- UK GDPR — Article 15 (right of access)
- Data Protection Act 2018 — Schedule 2, Part 4 (exemptions)
- Data (Use and Access) Act 2025 — Section 76 (time limits / stop-the-clock)
- ICO — Subject access request Q&As for employers
This guide provides general information about DSAR templates under UK GDPR and the Data Protection Act 2018. It is not a substitute for legal advice. For complex SARs — particularly those connected to employment tribunal proceedings — seek specialist legal counsel.
Handle your next SAR step by step
dsartracker guides UK employers through every stage of a subject access request — deadlines, exemptions, redaction, and the audit trail the ICO expects.
Related guides
Free Subject Access Request Templates for UK Employers
Free SAR response templates for UK employers — acknowledgement, identity verification, extension notice, response cover letter, and exemption explanation letters.
DSAR Software for Small Businesses: What UK SMEs Actually Need
What UK SMEs should look for in DSAR software — key features, pricing tiers, and why enterprise privacy platforms are the wrong fit for small employers.
GDPR and Subject Access Requests: An Employer's Legal Duties
What UK GDPR requires of employers when a subject access request arrives — the right of access, your obligations, the 2025 law changes, and where SMEs go wrong.