Subject Access Request for gig workers

What it is

A Subject Access Request (SAR) under Article 15 of the UK GDPR is your legal right to ask any organisation to confirm whether it holds your personal data, give you a copy, and explain what it does with it. For gig workers, that includes Uber, Deliveroo, Amazon Flex, Just Eat, Stuart, Bolt and FREE NOW. The ICO says there is no required wording, you can send an SAR verbally or in writing, including by email or social media. The platform has one month to respond, though the Data (Use and Access) Act 2025 lets them pause the clock in some cases if they need more information to identify you or narrow the request.

How it applies to gig workers

The SAR is the single most useful evidence tool a gig worker has after a deactivation, suspension or disputed complaint. Platforms hold trip or order history, GPS data, messages, complaint logs, fraud flags, facial recognition results, document verification records, internal notes, ratings, risk profiles, earnings records and deactivation communications. You are entitled to all of that, plus supplementary information about purposes, recipients, retention and automated decision-making. They do not have to give you other people's personal data or legal privilege material, but they cannot send a thin trip export and pretend it is the whole file.

After DUAA, precision wins SARs. A vague "send me everything" request invites a narrow "reasonable and proportionate search" response. A specific request wins more data. Take a 22 year old Uber driver in Glasgow deactivated on 18 February 2026 for alleged fraud. The strong request names the account email, phone number and driver ID, gives a date range of 1 January 2025 to 1 March 2026, and lists named categories: account notes, GPS records, complaint logs, fraud or trust flags, facial recognition checks, document verification logs, support tickets, internal escalation notes, ratings records, risk scores and records of any automated decision-making used in relation to suspension or deactivation. The request also asks for Article 15 supplementary information: purposes, recipients, retention periods, source of any complaint data, and information about automated decision-making.

If the platform stalls, replies with a thin pack, or uses stop-the-clock indefinitely, three steps follow. Reply in writing pointing out the one-month rule and asking for the stop-the-clock basis. Complain to the ICO with copies of the request, proof of delivery and the platform's replies. And if the data problem links to deactivation, discrimination or trade union activity, speak to a union or firm like Leigh Day, Bates Wells or Farore Law before the ACAS three-months-minus-one-day clock runs out. The SAR is evidence, not a magic fix. It will not reinstate you by itself, but it often forces out the internal notes, fraud flags and facial recognition traces you need to attack the deactivation properly.

What you should do about it

• Send the SAR the same day you are deactivated or receive a complaint, so the one-month clock starts early.
• Name data categories and a date range explicitly; do not ask for "everything".
• Request supplementary information under Article 15(1)(a) to (h): purposes, recipients, retention, rights, source, automated decision-making.
• Keep proof of sending and every reply, screenshot included.
• If the platform ignores you or sends a thin pack past one month, file an ICO complaint and copy in your union.

Last reviewed

19 April 2026

Internal links this page emits:

• the Data (Use and Access) Act 2025
• automated decision challenges
• SAR template for gig platforms
• ICO complaint template
• just deactivated — what now

Primary source used:

• C:\Users\thest\Documents\GigKiln\Research\Gap\G1.4-gdpr-sar-article-22.md