File a Subject Access Request
Know your rights. Get your data. Use it to correct mistakes, evidence your case, and push for fair outcomes.
What is a Subject Access Request?
A Subject Access Request (SAR) is how you ask any organisation to give you the personal data they hold about you and information about how they use it. In the UK, your right of access is set out in the UK GDPR and the Data Protection Act 2018. Organisations usually have one month to respond (they can extend by up to two months if the request is complex) and it’s generally free of charge.
Who should you send a SAR to?
In ECO4/retrofit cases, your data is often spread across multiple organisations. Typical targets include:
- Your Installer
- Scheme & oversight bodies (e.g., TrustMark, Ofgem, DESNZ)
- Accreditation & certification bodies (e.g., MCS, NICEIC/Certsure, NAPIT, Stroma)
- EPC & Retrofit accreditors (e.g., Elmhurst, ECMK, Quidos)
- ADR/ombudsman services you’ve interacted with (e.g., Dispute Resolution Ombudsman, HIES)
- Your obligated energy supplier under ECO4 (find their Data Protection/Privacy contact in their privacy policy)
Send your SAR to the organisation’s Data Protection Officer (DPO) or the email address listed on their Privacy page. You can make SARs by email; you don’t need to use a special form.
What to ask for
Ask for all personal data relating to you and your property, in any system or format, plus the Article 15 “right of access” details (purposes, categories, recipients, retention, source, and any automated decisions). You can also be specific to save time:
- All surveys, site notes and photographs (e.g., damp, ventilation, air-tightness, roof, property condition)
- Heat-loss calculations (with inputs/assumptions), room-by-room designs, and all design changes/variations
- Commissioning data, as-built documentation, warranties/registrations
- TrustMark/MCS/EPC lodgements and any technical monitoring/audit records (EPC XMLs, QA comments, invalidations)
- Complaint logs, internal correspondence, and call recordings referencing you or your address
What to expect
- Time limit: one month to respond (with a possible two-month extension for complex requests)
- Format: electronic copies are common (ZIP/secure link)
- ID checks: reasonable proof of identity/address may be requested
- Redactions: limited redactions (e.g., third-party data, legal privilege) must be explained
- Fees: usually free; fees apply only if a request is manifestly unfounded or excessive
If things go wrong: escalate to the ICO
If you don’t get a complete response within the time limit, or it’s refused without good reason, you can complain to the ICO:
Make a data protection complaint to the ICO | ICO Helpline: 0303 123 1113 (Mon–Fri, 9am–5pm)
Which laws govern SARs?
- UK GDPR – Article 15: Right of Access
- Data Protection Act 2018 – UK implementation and exemptions
- ICO guidance – practical detail on scope, timelines and format
Copy-paste SAR template
Use this template for email. Replace the [brackets] with your details and attach simple proof of ID/address.
Subject: Subject Access Request – [Your Full Name], [Property Address + Postcode]
Hello [Organisation/DPO Name],
I am making a Subject Access Request under UK GDPR Article 15 and the Data Protection Act 2018.
Please provide all personal data you hold about me and my property at [full address including postcode], in any system or format (emails, databases/CRMs, tickets, call recordings, photographs, documents, notes, logs, technical files, EPC data including XMLs, audit/QA records).
In line with Article 15, please also provide the required supplementary information: purposes of processing; categories of personal data; recipients (including any processors, sub-processors, accreditors, scheme providers, energy suppliers, auditors and ADR bodies); retention periods; the data source(s); and details of any automated decision-making or profiling relevant to me.
If feasible, please supply all information electronically (e.g., secure download link or ZIP). If any material is being withheld or redacted (e.g., due to third-party data or legal privilege), please describe what is withheld and the legal basis.
If you need anything else to identify the data, please let me know promptly. I understand you must respond within one month of receipt (and should explain any extension up to two months for complex requests).
I attach proof of identity and address: [e.g., photo ID and council tax bill].
Many thanks,
[Your Name]
[Your Email] | [Your Phone]
[Today’s date]
Useful data/privacy contacts in ECO4 & retrofit (excluding installers)
- TrustMark – dataprotection@trustmark.org.uk
- Ofgem (regulator) – dpo@ofgem.gov.uk
- DESNZ (government department) – dataprotection@energysecurity.gov.uk
- MCS (Microgeneration Certification Scheme) – GDPR@mcscertified.com
- NICEIC / Certsure – DPO@certsure.com
- NAPIT – dpo@napit.org.uk
- Stroma – dataprotection@stroma.com
- Elmhurst Energy – enquiries@elmhurstenergy.co.uk
- ECMK – support@ecmk.co.uk
- Quidos – info@quidos.co.uk
- HIES Consumer Code – info@hiesscheme.org.uk
- Dispute Resolution Ombudsman – info@disputeresolutionombudsman.org
- Example energy suppliers (find your supplier’s privacy/DPO page):
  - Octopus Energy – dpo@octoenergy.com
  - ScottishPower – dataprotection_corporate@scottishpower.com
Plain-English note: This page is general information, not legal advice. If an organisation refuses your SAR or fails to respond within one month, use the ICO link above.
