Self‑Help Toolkit

Copy‑paste templates for SARs, objections, redress, and court steps.

Self-Help Toolkit

Start with SAR → expose gaps (contract, affordability, lawful basis, risk assessment) → object to processing → escalate to ICO/FCA/council → pursue redress → settle or litigate.

A. Subject Access Request (UK GDPR Article 15)

Subject: Subject Access Request – [Your name] – [any refs]
To: [Controller or DPO email]
Text:
I am making a Subject Access Request under Article 15 UK GDPR. Please provide all personal data you hold about me, including:
• call recordings, body-worn video, visit logs, letters, emails, screenshots, internal notes, third-party data received or shared, automated decisioning, and profiling
• the purposes of processing and your lawful bases
• recipients or categories of recipient
• retention periods
• source of data if not obtained from me
• safeguards for any transfers outside the UK
Provide data from all systems and archives. Deliver electronically within one month. My details: [full name], [DOB], [address], [refs]. Identity documents available on request.
Regards, [name]

B. Law-Enforcement SAR (DPA 2018 Section 45 – only for competent authorities)

Subject: Right of Access – Section 45 DPA 2018 – [Your name] – [refs]
To: [Authority or DPO]
Text:
I request access to my personal data under Section 45 of the Data Protection Act 2018 (law-enforcement processing). Please supply all data, including operational logs, visit records, audio/video, decision records, and disclosure recipients, with the legal basis relied on. If you withhold data, specify the statutory exemption relied on and why it applies. Deliver within one month.
Regards, [name]

C. Lawful Basis Disclosure Notice

Subject: Demand for lawful basis and transparency information – [Your name]
To: [Controller]
Text:
You must identify and explain your current lawful basis for processing my data, including any reliance on “legitimate interests” under Article 6(1)(f). Provide:
• your specific lawful basis and the purposes
• your legitimate interests assessment/balancing test (if relying on 6(1)(f))
• the sources of my data and recipients you disclose to
• your retention schedule and deletion policy
Provide within 14 days. Treat this alongside my SAR if already raised.
Regards, [name]

D. Article 21 Objection

Subject: Article 21 Objection – cease processing and provide balancing test
To: [Controller]
Text:
I object under Article 21 UK GDPR to processing my personal data for enforcement, collection, profiling, and marketing. You must stop unless you demonstrate compelling legitimate interests that override my rights and interests. I am a vulnerable individual. Provide your written balancing test and safeguarding assessment within 14 days. Suspend non-essential processing and outbound contact while you assess.
Regards, [name]

E. Article 17 Erasure

Subject: Article 17 Erasure request – [Your name]
To: [Controller]
Text:
I request erasure of my personal data under Article 17 UK GDPR because your processing is unlawful and/or no longer necessary for the stated purposes. If you believe retention is required by law, specify the exact legal obligation and retention period. Confirm deletion and notify third-party recipients within 30 days.
Regards, [name]

F. Article 18 Restriction

Subject: Article 18 Restriction request – [Your name]
To: [Controller]
Text:
I request restriction of processing under Article 18 UK GDPR while you verify accuracy, lawful basis, and my Article 21 objection. Confirm the restriction in writing and identify what processing is paused.
Regards, [name]

G. Rectification (Article 16)

Subject: Rectification request – incorrect data – [Your name]
To: [Controller]
Text:
Under Article 16 UK GDPR I require you to correct inaccurate personal data and complete incomplete data. The incorrect data is: [describe]. Provide a corrected copy and confirmation that you notified recipients.
Regards, [name]

H. Consent Withdrawal (Private Parking)

Subject: Withdrawal of consent and objection to processing – [VRM/ref]
To: [Parking operator]  cc: [Landowner or managing agent if known]
Text:
I withdraw consent to process my personal data for parking enforcement and I object under Article 21. If you rely on another lawful basis, provide your assessment and landowner authority, signage, and contract evidence within 14 days. Continued processing after this notice will be treated as harassment and a GDPR breach. Do not use ANPR images or DVLA data beyond what is strictly necessary and lawful.
Regards, [name]

I. Pre‑Action Redress (Article 82 damages)

Subject: Pre‑Action – Article 82 UK GDPR compensation – [Your name]
To: [Controller legal/DPO]
Text:
This is a pre‑action letter. You processed my data unlawfully and failed to uphold my rights. Harms include distress, time cost, and vulnerability impact. Provide within 14 days:
1) your legal basis and full chronology,
2) copies of all records relied upon,
3) your proposal to resolve including compensation.
If unresolved, I will escalate to the ICO and issue a claim.
Regards, [name]

J. Harassment Cease and Desist (Ferguson principles)

Subject: Unlawful harassment – cease and desist – [Your name]
To: [Organisation]
Text:
You are engaging in repeated, unjustified contact despite disputes and vulnerability disclosure. Cease automated chasers and doorstep visits immediately. Confirm in writing within 7 days. Continued conduct will be relied on in costs and damages.
Regards, [name]

Court Forms and Litigant in Person Strategy

Further reading: My field guide can help — 📘 Buy the Book.

Need help fast? Email [email protected]