23/09/2025
Why is nobody doing this? Walk into Tesco, Sainsbury’s, Morrisons — any shop using facial-recognition cameras — and demand a copy of the data they hold on you. Don’t leave until they log your request.
Under UK GDPR Article 15 and Section 45 of the Data Protection Act 2018, you are legally entitled to a copy of any personal data they hold on you — including facial recognition scans. If they refuse or fob you off, they are breaking the law.
They have one month to give you the data. If they fail to do so, you can claim compensation — easily £2,500+ in many cases.
Now imagine if a thousand people did this. The system would collapse overnight. They rely on you not knowing your rights. They rely on you walking away.
Come on peeps, there’s loads of you on here. Stop shrugging it off and start doing it. Even if just a thousand of you hit them with a Subject Access Request, the whole rotten setup would be overwhelmed.
Knowledge is power. Use it.
Keep it calm, clear, short — and get them to record it.
“Hi — I believe this store is using facial-recognition / biometric processing. I’m exercising my GDPR right of access and would like to make a Subject Access Request for any personal data you hold on me, including CCTV images, facial recognition scans/biometric templates, and any associated logs, decision records or sharing/retention information. Please record this request now and give me the name of the person you’ve logged it with and your Data Protection Officer contact details.”
If they brush you off:
“If you can’t process it here, give me the DPO’s contact details and the email/postal address to submit a written SAR. I know you must respond within one month (and inform me if you need up to two extra months for complexity).”
(That’s short and authoritative — they can’t dismiss it as ‘just CCTV’ without checking.)
⸻
Written SAR template (email / printable)
Copy/paste this and add your details:
Subject: Subject Access Request – [Your Full Name] – [Date of birth / approx. DOB to help ID]
To whom it may concern,
I am writing to make a Subject Access Request under Article 15 of the UK GDPR and Section 45 of the Data Protection Act 2018. Please provide, for the period [e.g. last 12 months]:
1. All images, photographs or CCTV footage in which I am identifiable.
2. Any biometric or facial-recognition data, templates or face-matching outputs derived from my images.
3. Any decision-logs, alerts, watchlists, or incident records related to me.
4. The lawful basis for processing, sources of the data, retention period, and any recipients or third parties the data has been shared with.
5. Copies of any Data Protection Impact Assessment (DPIA) or policies relating to use of facial recognition / CCTV at this location.
I enclose the following ID to help verify my identity: [list — e.g. photo ID, address proof]. Please confirm receipt of this request in writing and provide the name and contact details of your Data Protection Officer. I understand you have one calendar month to respond and must inform me if any extension is necessary.
Kind regards,
[Full name]
[Contact phone / email]
[Address]
Cite the email to the store and keep a copy (and any receipts / proof you were in the store at that time).
(You can hand that in at the desk and ask them to stamp/initial it as ‘received’.)
⸻
What to ask for specifically (so they can’t dodge)
1. Raw CCTV/video files where you appear.
2. Any biometric templates / face-matching outputs (these are personal data if they create an identifiable record).
3. DPIA(s) or internal justification documents for the FRT deployment. 
4. Logs showing who accessed your data, retention schedules, and onward disclosures.
5. The name/contact of the Data Protection Officer or privacy contact.
⸻
If they refuse or ignore you
• If they refuse or fail to respond within the statutory time (one month; up to three months in complex cases if they notify you), complain to the ICO with evidence (copies of your request, any replies, date-stamped receipts). 
• Keep records: who you spoke to, time, receipts, photos of signs about cameras in store, and copies of any written SARs.
• If you suffer distress or loss from unlawful processing, you can seek compensation — contact a solicitor or consumer-rights group for group action options.
⸻
Collective action idea — realistic steps
Your call-to-action is powerful. If a thousand people did SARs at once, businesses would struggle to process them — and that can force regulatory attention. A few practical improvements for a campaign:
• Provide downloadable one-page SAR form and printable script.
• Encourage people to hand the SAR in and request a receipt/stamp.
• Ask campaigners to CC an organising email address so the group can track responses and escalate bulk failures to the ICO.
• Suggest a legal-aid or consumer group partner for any mass compensation/legal action.
Useful links:
GDPR Article 15 (Right of Access): https://gdpr-info.eu/art-15-gdpr/
UK Data Protection Act 2018 Section 45: https://www.legislation.gov.uk/ukpga/2018/12/part/3/chapter/3/crossheading/data-subjects-right-of-access
ICO guide to Subject Access Requests: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/subject-access-requests/a-guide-to-subject-access/
ICO on Facial Recognition Technology: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/cctv-and-video-surveillance/guidance-on-video-surveillance-including-cctv/additional-considerations-for-technologies-other-than-cctv/facial-recognition-technology-frt-and-surveillance
Freedom of information is a powerful tool, use it against em 💪💪
Register now to hear from inspiring guest speakers and experts on subjects like cyber security, artificial intelligence and legislative reform.
