GDPR • 10 min read • January 24, 2026

Data Subject Access Requests (DSAR): A Complete Guide

Learn how to handle DSARs under GDPR and other privacy laws. Step-by-step process, timelines, exemptions, and best practices for compliance.

Last Tuesday, I received an email that started with "Under GDPR Article 15, I request access to all personal data you hold about me." My heart sank a little—not because I had anything to hide, but because I knew this was going to take time and careful attention to get right.

Data Subject Access Requests, or DSARs, are one of the most common ways users exercise their privacy rights. Under GDPR, anyone whose data you process can request a copy of that data. It sounds simple, but handling DSARs properly requires understanding the law, having processes in place, and knowing what you can and can't do.

I've handled hundreds of DSARs over the years, and I've seen businesses make every mistake in the book. Some ignore requests. Some provide incomplete information. Some take too long. Some provide too much information and violate other people's privacy.

Here's what you need to know to handle DSARs correctly.

What Is a Data Subject Access Request?

A DSAR is a request from an individual to see what personal data an organization holds about them. Under GDPR Article 15, data subjects have the right to:

  • Confirm whether you're processing their personal data
  • Access that personal data
  • Receive information about how their data is being used
  • Get a copy of their data in a portable format

Similar rights exist under other privacy laws. CCPA gives California residents the right to know what personal information is collected. Other state laws have similar provisions.

The key point: users don't need to use specific language or format. If someone asks "what data do you have on me?" or "send me my data," that's a DSAR. You need to treat it as such.

Who Can Make a DSAR?

Anyone whose personal data you process can make a DSAR. This includes:

  • Customers
  • Employees (current and former)
  • Website visitors
  • Newsletter subscribers
  • Anyone else whose data you hold

Third parties can also make requests on behalf of someone else, but you need to verify they have authority to do so. A parent requesting data about their child, or someone with power of attorney, would be examples.

You can't refuse a request just because someone isn't a paying customer or doesn't have an account. If you process their data, they have the right to access it.

What Information Must You Provide?

When responding to a DSAR, you need to provide:

1. Confirmation of Processing

Confirm whether you're processing the person's personal data. If you're not, tell them so. If you are, proceed with the rest of the response.

2. The Personal Data Itself

Provide a copy of all personal data you hold about them. This includes:

  • Data they provided directly (names, email addresses, account information)
  • Data collected automatically (IP addresses, cookies, analytics data)
  • Data derived from other sources (inferences, profiles, scores)
  • Data in all formats (databases, emails, documents, backups)

3. Processing Information

Explain:

  • Why you're processing the data (purposes)
  • What legal basis you're relying on
  • Who you're sharing data with (categories of recipients or specific names)
  • How long you'll retain the data
  • Where the data came from (if not from the person directly)

4. Rights Information

Inform them about their rights:

  • Right to rectification
  • Right to erasure
  • Right to restrict processing
  • Right to object
  • Right to data portability
  • Right to lodge a complaint with a supervisory authority

5. Automated Decision-Making

If you use automated decision-making or profiling, explain the logic involved and the consequences.

The Timeline: How Fast Do You Need to Respond?

GDPR requires you to respond "without undue delay and in any event within one month." That's 30 days from when you receive the request.

You can extend this by two additional months if the request is complex or you receive multiple requests from the same person. But you must inform the person within the first month that you're extending the deadline and explain why.

CCPA requires responses within 45 days, with a possible 45-day extension if you notify the consumer.

My advice: don't wait until the deadline. Start working on the request immediately. The faster you respond, the better the user experience and the lower your compliance risk.

Verifying Identity

Before providing personal data, you need to verify the requester's identity. This prevents unauthorized access to someone else's data.

For account holders, this is usually straightforward—require them to log in or verify their email address.

For non-account holders, you might need to request additional information:

  • Matching information you have on file (like asking them to confirm their email address or provide information only they would know)
  • Government-issued ID (for sensitive requests)
  • Proof of authority (if requesting on behalf of someone else)
Be reasonable here. Don't make verification so difficult that it becomes a barrier to exercising rights. But do enough to ensure you're not giving data to the wrong person.

Finding All the Data

This is often the hardest part. Personal data can be scattered across multiple systems:

  • Customer databases
  • Email systems
  • Analytics platforms
  • CRM systems
  • Backup systems
  • Third-party services
  • Log files
  • Document storage

You need to search comprehensively. Missing data can lead to complaints and enforcement action.

I recommend creating a data map—a document that lists where you store different types of data. This makes DSAR responses much faster and more complete.

Exemptions: When You Don't Have to Provide Data

There are limited circumstances where you can refuse or limit a DSAR:

Manifestly Unfounded or Excessive Requests

If a request is clearly unfounded or excessive, you can refuse it or charge a reasonable fee. But the bar is high. A request isn't excessive just because it's inconvenient.

Examples of manifestly unfounded requests: someone making repeated identical requests after you've already responded, or requests clearly made to harass rather than exercise rights.

Third-Party Data

You don't have to provide data about other people. If someone's email contains information about another person, you can redact that information or exclude it entirely.

But be careful—if the data is about the requester, you generally need to provide it even if it also mentions other people.

Legal Privilege

Data covered by legal professional privilege can be exempt from DSARs.

Management Planning

Information used for management forecasting or planning can sometimes be exempt, but this is narrow.

Formatting the Response

GDPR requires you to provide data in a "commonly used electronic format" if the request is made electronically. This usually means:

  • PDF for documents
  • CSV or JSON for structured data
  • Plain text for simple information

Make the data readable and organized. Don't just dump raw database exports. Organize it logically and explain what each piece of data is.
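As an added example (not code from the original article), the following ties together the data map, the response timeline, third-party redaction and the structured response format described above: it refuses to build a response until every system in the data map has been searched, computes the respond-by date (one month, extendable by two more months only if the extension is notified within the first month), masks any email address that is not the requester's own, and emits a JSON-ready structure that explains what each data source is. The data map, the sample records and the 60-day figure for "two additional months" are assumptions made for the example, and the email pattern is deliberately simple.

```python
import re
from datetime import date, timedelta

# Constructed data map (assumption: a real one lists the organisation's own systems).
DATA_MAP = {
    "crm": "Account and contact details you provided to us",
    "support_tickets": "Messages you exchanged with our support desk",
    "analytics": "Data collected automatically while you used the site",
}
RIGHTS = ["rectification", "erasure", "restriction of processing", "objection",
          "data portability", "lodging a complaint with a supervisory authority"]
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")  # simple pattern, good enough here

def redact_third_parties(text, requester_email):
    """Mask every email address that is not the requester's own, so other people's
    data is excluded while the requester's own data is still disclosed."""
    def mask(m):
        return m.group(0) if m.group(0).lower() == requester_email.lower() else "[REDACTED third party]"
    return EMAIL_RE.sub(mask, text)

def response_deadline(received_on, extension_notified_on=None):
    """One month (30 days, as the article puts it), plus two more months (assumed
    60 days) only when the extension was notified within the first month."""
    deadline = date.fromisoformat(received_on) + timedelta(days=30)
    if extension_notified_on is not None:
        if date.fromisoformat(extension_notified_on) > deadline:
            raise ValueError("extension must be notified within the first month")
        deadline += timedelta(days=60)
    return deadline.isoformat()

def build_response(requester_email, records, received_on, extension_notified_on=None):
    """records: {system: [row, ...]} for every system in the data map. Returns the
    structured response: confirmation, data grouped by source, rights information."""
    missing = sorted(set(DATA_MAP) - set(records))
    if missing:
        raise ValueError(f"data map systems not searched: {missing}")
    personal_data = {
        system: {"what_this_is": DATA_MAP[system],
                 "records": [{k: redact_third_parties(str(v), requester_email) for k, v in row.items()}
                             for row in rows]}
        for system, rows in records.items()
    }
    held = any(rows for rows in records.values())
    return {
        "confirmation": "We process personal data about you." if held else "We hold no personal data about you.",
        "respond_by": response_deadline(received_on, extension_notified_on),
        "personal_data": personal_data,
        "your_rights": RIGHTS,
    }
```

Pass the returned dictionary to `json.dumps(..., indent=2)` to produce the JSON file sent to the requester.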

Common Mistakes to Avoid

Here are mistakes I see businesses make:

Ignoring requests. You can't ignore DSARs. Even if you think a request is unreasonable, you need to respond.

Missing the deadline. One month means one month. Set reminders and start working immediately.

Providing incomplete data. Search all systems, not just the obvious ones. Check backups, third-party services, and archived data.

Violating other people's privacy. Don't provide data about other people. Redact or exclude it.

Being unhelpful. The goal is to help people exercise their rights, not to create barriers. Be clear, helpful, and transparent.

Charging fees unnecessarily. GDPR generally prohibits charging for DSARs. Only charge if a request is manifestly unfounded or excessive.

Best Practices

Here's how to handle DSARs well:

Have a process. Document how you handle DSARs. Who receives them? Who processes them? What's the workflow?

Train your team. Make sure customer service, legal, and IT teams know how to recognize and handle DSARs.

Create templates. Have response templates ready. This speeds up responses and ensures consistency.

Keep records. Document all DSARs you receive and how you responded. This helps with compliance audits.

Automate where possible. If you can automate data extraction and formatting, do it. But keep human oversight.

Be proactive. Don't wait for requests. Make it easy for people to access their data through account dashboards or self-service portals.

The Bottom Line

DSARs are a normal part of privacy compliance. They're not something to fear—they're something to prepare for.

Have processes in place. Know where your data lives. Train your team. Respond promptly and completely.

Most DSARs are straightforward if you're prepared. The ones that aren't—involving complex data or exemptions—benefit from having a clear process to follow.

Remember: DSARs are about transparency and user rights. Handle them well, and you build trust. Handle them poorly, and you risk complaints and enforcement action.

Start preparing now. Create your data map. Document your process. Train your team. When that DSAR email arrives, you'll be ready.

Legal Disclaimer

This article is for informational purposes only and does not constitute legal advice. Privacy laws vary by jurisdiction and change over time. Consult with a qualified attorney for advice specific to your situation.