Subject Access Request (SAR) Procedure

Reviewed: 29 January 2026

At a glance

  • You can request a copy of your personal data and related information under UK GDPR Article 15.
  • Free of charge; we may charge a reasonable fee or refuse where requests are manifestly unfounded or excessive.
  • We aim to acknowledge within 2 working days and respond within one month (30 days); we may extend by up to two further months for complex or multiple requests (we’ll tell you why).
  • We verify identity and may ask you to narrow the scope so we can respond faster and more completely.
  • We do not disclose third‑party data without a lawful basis and we redact where required.

Purpose

To explain how to submit a Subject Access Request (SAR), how UK Postbox verifies, searches, reviews, redacts and securely delivers personal data to you, and the timelines and exceptions that apply under the UK GDPR and Data Protection Act 2018.

Scope and roles

  • This procedure covers personal data that UK Postbox processes as a controller (e.g., account, billing, support, analytics, CCTV, call recordings).
  • For personal data where we act as a processor (e.g., mail‑content scans processed on your documented instructions), we will refer you to your organisation/the relevant controller or follow their instructions in line with our Data Processing Agreement (DPA).
  • Applies to requests from individuals, and authorised representatives with valid authority.

How to submit a SAR

Email: dpo@ukpostbox.com

Post: DPO, UK Postbox Limited, 13 Freeland Park, Wareham Road, Lytchett Matravers, Poole, Dorset, BH16 6FH, United Kingdom

Please include:

  • Your full name, account email, postal address and Account ID (if you have one).
  • The data you want (systems, dates, topics) and any names used in your account (recipient names).
  • Any references that will help us search (ticket numbers, tracking numbers, item IDs).
  • If you are an authorised representative, provide signed authority and a copy of the data subject’s ID (see section 4).

Accessibility: We can provide reasonable adjustments—contact accessibility@ukpostbox.com.

ID verification

We must verify your identity before releasing personal data. ID verification is proportionate to the sensitivity of the data requested; for low-risk requests (e.g., confirming marketing preferences), lighter verification may be appropriate. We typically request:

  • For account holders: verification via logged‑in account plus a security challenge, or two documents (photo ID and address proof).
  • For non‑account requests: government photo ID and address proof.

  • For representatives: written authority (or power of attorney) and ID for both the data subject and the representative.

    ID documents are transmitted via secure upload or encrypted email, stored temporarily in access-controlled systems, and deleted within 30 days of verification unless required for compliance evidence.

Timeline

  • Acknowledge within 2 working days.
  • Respond within one calendar month from receipt of a valid request (e.g., a request received on 15 January is due by 15 February).
  • Extension: add up to two months for complex/multiple requests—if used, we will notify you within one month explaining why.
  • The clock may pause while we await ID verification or clarifying information.

What you will receive

Under Article 15 you are entitled to:

  • Confirmation whether we process your personal data;
  • A copy of your personal data we process as controller;
  • Supplementary information includes: (a) the purposes of processing; (b) categories of personal data; (c) recipients or categories of recipients; (d) retention periods or criteria; (e) your rights (rectification, erasure, restriction, objection, complaint to ICO); (f) the source of data (if not collected from you); (g) existence of automated decision-making and meaningful information about the logic involved; (h) safeguards for international transfers.

Format: We deliver electronically in a commonly used format (e.g., PDF/CSV/JSON). If you request paper copies, charges may apply for additional copies or postage.

Search and retrieval (systems we check)

We search relevant systems based on your scope, which may include: account/profile databases, billing and payment records (with PCI redaction), support/ticketing, email logs relevant to your case, platform logs (where identifiable), CCTV (time/location bound), call recordings (if used), and complaint files. Mailbox content processed as processor will be handled per section 2.

Redaction and third‑party data

We may redact or withhold information to protect the rights and freedoms of others, including third‑party personal data, legal professional privilege, or trade secrets. Exemptions under DPA 2018 Schedule 2 (e.g., crime prevention, legal proceedings, regulatory functions) may also apply. Where feasible, we will provide partial disclosure (e.g., masking names, contact details). If we refuse in whole or part, we will explain why (unless doing so would prejudice the exemption) and inform you of your options to complain.

Fees

SARs are free. We may charge a reasonable fee (administration, printing, postage) or refuse the request if it is manifestly unfounded (e.g., made with malicious intent) or excessive (e.g., repetitive requests for the same data within 3 months or requests for multiple additional copies). If a fee is charged, we will calculate it based on administrative costs and inform you of the amount before proceeding; we will not charge more than necessary to cover our reasonable costs. We will explain our reasoning if we refuse or charge.

Delivery and security

  • We deliver via a secure download link or to your logged‑in account. For email delivery we may use encrypted files/passwords separately.
  • We will not send data to new addresses without additional verification.
  • Download links typically expire within 14 days for security. We retain a record of what was disclosed for 12 months to evidence compliance; the actual data package is deleted from our secure delivery system after 30 days.

Special cases

  • CCTV: Provide date/time range and location; we cannot disclose images of other individuals without lawful basis and may blur faces or refuse where not feasible. CCTV footage is typically retained for 30-90 days; if your request is received after footage has been deleted under our standard retention, we will inform you that the data no longer exists.
  • Call recordings: Provide date/time/number; we will extract your portions where possible.
  • Backups/archives: Deleted data may remain in encrypted backups for a limited window and will expire through rotation (see Data Retention & Deletion Policy).
  • Children: Our services are 18+; we do not knowingly hold children’s data.
  • Mail content (processor role): We will redirect you to the relevant controller or act on controller instructions.

Records and retention (for SAR cases)

We maintain an internal request log for at least 3 years to evidence compliance. SAR records include: date received, data subject identity, scope of request, verification steps, systems searched, redactions applied, disclosure date, and any extensions or refusals with reasons. We keep copies of disclosures for up to 12 months after completion unless needed longer for a dispute.

Complaints and escalation

If you are unhappy with our response, complete via https://www.ukpostbox.com/forms/complaints-form for a review. You can also complain to the Information Commissioner’s Office (ICO):

  • ico.org.uk | Tel: 0303 123 1113
  • Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Related documents

  • Privacy Notice
  • Data Protection Policy
  • Data Processing Agreement (DPA)
  • Data Retention & Deletion Policy
  • Mail Inspection & Handling Policy

UK Postbox Limited

13 Freeland Park, Wareham Road, Lytchett Matravers, Poole, Dorset, BH16 6FH, United Kingdom


Support: support@ukpostbox.com

Security: security@ukpostbox.com

Legal notices: legal@ukpostbox.com

Data protection: dpo@ukpostbox.com

Complaints: complaints@ukpostbox.com

Accessibility: accessibility@ukpostbox.com

Website: www.ukpostbox.com


Registered in England and Wales Company Number: 06723381

MLR registration no: XLML00000192390

ICO registration no: ZA038907