What is a Data Subject Access Request (DSAR)? | GDPR Compliance


Understanding Data Subject Access Requests (DSARs)

A Data Subject Access Request (DSAR) is a way for people to exercise their rights and learn what information an organisation holds about them and how the organisation uses that information. 

The DSAR is the process for exercising the right of access—a cornerstone of data protection under the General Data Protection Regulation (GDPR) and many other laws worldwide.

But while DSARs are a fundamental part of data protection compliance, they can also be a major challenge for organisations of all sizes. Your response to DSARs can impact your organisation’s reputation—and poor DSAR management can lead to significant legal issues.

This article explains how DSARs work, gives examples of how to respond to DSARs, and provides some tips for handling DSARs in an efficient and legally compliant way.

What is a Data Subject Access Request (DSAR)?

A DSAR allows people to find out what personal data an organisation holds about them, why the organisation has the data, where they got it, and who they share it with, among other things. DSARs help uphold people’s data protection and privacy rights by increasing transparency and accountability.

If you’re planning to collect or use personal data, you should always bear in mind that people have the right to know exactly what data you’ve collected and what you’re using it for.

Getting DSARs wrong can cause some serious problems. Poorly handled DSARs are consistently among the most common subjects of GDPR complaints and can lead to reputational damage, fines, and even lawsuits.

But getting DSARs right can help your organisation build trust with its customers. If you’ve embedded good data protection practices, a DSAR is an opportunity to show your customers that you respect their rights and you’re taking good care of their data.

Key Components of a Data Subject Access Request

Broadly speaking, a DSAR entitles a data subject to two things:

  1. A copy of their personal data, and
  2. Information about how the controller processes their personal data.

In case you’re unfamiliar with some of those terms:

  • “Personal data” means any information relating to an identifiable individual.
  • “Processing” personal data means collecting it, sharing it, or otherwise using it in virtually any way.
  • A “data subject” is the person to whom the personal data relates.
  • The “controller” is the organisation that decided to process the personal data.

Article 15 of the GDPR sets out what sort of information an organisation must provide in response to a DSAR, including:

  • A copy of the personal data you process about them. This can include many types of information, including:
    • Direct identifiers, like the data subject’s name or contact information
    • Unique IDs, like a customer number, username, or government-issued ID
    • Information about the person’s characteristics or behaviour, such as health data, demographic data, or browsing history
    • Technical information, like cookie data, audience segments, or device and advertising IDs
  • Information about how you process their personal data:
    • Your purposes for processing the data
    • The types of personal data you process
    • Any recipients with whom you have shared the data
    • How long you will keep the data
    • The data subject’s rights under the GDPR
    • The data subject’s right to complain to a Data Protection Authority
    • Where you obtained the data
    • Information about “automated decision-making” under Article 22 of the GDPR (if applicable)
    • Information about “international data transfers” (if applicable)

You don’t need to provide all this information every time—but if the data subject requests something on this list, you must provide it unless an exception applies.

Example: DSAR submitted to a mobile app startup

MuscleTrack, a fitness app startup, receives an email from Anna, one of the app’s users.

The email arrives with MuscleTrack’s sales department and reads: “Hello, I read a news article about fitness trackers selling people’s health data. Please provide a copy of all the data collected by FitTrack and tell me anyone you have shared the data with”. Anna also provides her username.

Although the email does not mention the GDPR, MuscleTrack’s sales representative recognises the email as a DSAR and forwards it to the company’s legal department. While MuscleTrack has a dedicated DSAR request portal within the app, the legal team accepts the DSAR via email.

The DSAR arrives from an email address associated with Anna’s account and includes her username, so the legal department is confident that the request is not fraudulent.

The legal department responds to Anna, acknowledging the scope of Anna’s request and providing a time frame for fulfilling her DSAR.

The legal department opens a new case in an internal DSAR tracker to help track Anna’s request. They contact colleagues in other relevant departments to gather the personal data. Once the data has been collated, the legal department reviews it and removes any references to other data subjects.

The personal data is uploaded to a secure file-sharing platform. The legal department sends Anna a restricted link to the platform so she can access her personal data. They update MuscleTrack’s internal DSAR tracker and close the case one month after the last contact with the data subject.

When and Why to Submit a DSAR

Recital 63 of the GDPR says that DSARs enable the data subject to “be aware of, and verify, the lawfulness of the processing”. In other words, the purpose of a DSAR is for the data subject to check whether the controller is doing anything illegal with their personal data.

But is “verifying the lawfulness of the processing” the only valid reason for submitting a DSAR? This question was settled by the Court of Justice of the European Union (CJEU) in October 2023 in a case called FT v DW.

The claimant, FT, submitted a DSAR to his dentist, DW, suspecting that some bad dental work had damaged his teeth. DW said this DSAR was invalid because he believed FT was gathering evidence for a lawsuit—not verifying the lawfulness of the data processing, as specified in Recital 63.

The court sided with the patient. The judgment explains that the GDPR doesn’t limit the reasons for submitting a DSAR. In fact, the GDPR “does not require the data subject to provide reasons for his or her request”. 

An individual can submit a DSAR at any time, and there are many possible reasons to do so, including:

  • Learning what personal data a controller has collected about them
  • Making sure the personal data is accurate
  • Finding out where the controller got the personal data

However, there are also valid reasons for a controller to refuse to comply with a DSAR, as we’ll explain below.

Step-by-Step Guide to Submitting a DSAR

Now let’s consider the DSAR process from the data subject’s perspective. 

The GDPR demands very little of the data subject during the DSAR process. 

  • There’s no time limit for submitting a request.
  • Virtually all personal data is in scope. The controller must provide any requested data they hold, with certain exceptions.
  • The data subject can submit a DSAR via virtually any medium, whether face-to-face or via email, social media, post, or phone. The controller can provide a DSAR form but cannot force data subjects to use it.

Here are a few ways data subjects can help controllers to successfully provide the personal data requested:

  • Be as specific as possible. A controller will find it much easier to handle a request like “Please provide a copy of direct messages sent from my account on 18 January 2025” than “Please provide all my personal data.” While the latter request is likely valid, it could take much longer to fulfil.
  • Be ready to provide ID. Controllers must be confident that they are providing personal data to the right person. While the controller should seek to verify a data subject based on personal data it already has, additional ID verification is sometimes necessary.
  • Be polite. Processing a DSAR can be difficult. Controllers can refuse requests under certain conditions. Being courteous and cooperative could contribute to the successful fulfilment of the request.

How Organisations Should Respond to a DSAR

Now let’s look at each stage of the DSAR process from the controller’s perspective.

Recognising a DSAR

Few people know what a DSAR is or understand their rights under the GDPR. As such, the data subject does not need to use terms like “DSAR”, “access”, or even “personal data” when making a DSAR.

As noted, DSARs can arrive via any means of communication, so any of your employees might receive one. That’s one reason why data protection awareness and training are important for all organisations.

If you understand that the data subject wants to access their personal data, you must treat the request as a DSAR. If the request is unclear, you can ask the data subject to clarify it. But do not disregard a request because the data subject fails to use the “right” language.

Verifying the data subject’s identity

The GDPR says that if you have “reasonable doubts”, you can request additional information to verify the data subject’s identity. This part of the DSAR process can be surprisingly tricky.

If you fail to verify the data subject’s identity, you risk exposing people to identity fraud. But collecting unnecessary data for verification violates the GDPR’s “data minimisation” principle and can deter people from exercising their rights.

In 2022, a Dutch company was fined €525,000 for requiring data subjects to provide government-issued ID documents to access relatively low-risk data, such as names and email addresses.

On the other hand, the Spanish regulator once fined a bank €25,000 for making the opposite mistake: handing over personal data to the wrong person after failing to verify the data subject’s identity.

Here are some DSAR verification tips to help you get the balance right:

  • Consider the potential risks of providing the relevant personal data to the wrong person. The more sensitive the personal data requested, the more rigorous your verification process should be.
  • Remember that you should only require additional personal data for verification if “necessary” and if you have “reasonable doubts” about the data subject’s identity.
  • You might be able to verify the data subject’s identity via personal data your company already has. As part of the verification process, you could ask the data subject to:
    • Use a web form or portal that is only accessible through their account,
    • Submit their DSAR via an email address associated with their account, or
    • Confirm details of their recent purchases with your company or other account activity.

Reviewing the request

Once you have received a DSAR and verified the data subject’s identity (if necessary), you must ensure you understand what personal data the data subject is looking for.

If the request is unclear, you can ask the data subject to clarify it. If the request would return a very large volume of personal data, you can ask the data subject to narrow down the request, for example by limiting the DSAR to a particular period or type of personal data.

However, as the UK Information Commissioner’s Office (ICO) notes:

“…you cannot force an individual to narrow the scope of their request, as they are still entitled to ask for ‘all the information you hold’ about them. If an individual responds to you and either repeats their request or refuses to provide any additional information, you must still comply with their request by making reasonable searches for the information.”

As such, you must not pressure the data subject to narrow down their request. The right of access is comprehensive and, in theory, entitles the data subject to all the personal data you process about them.

Gathering the personal data

Collecting the personal data required to fulfil a DSAR can take minutes or months, depending on the complexity of the request and the amount of personal data.

Here are some examples of difficult DSARs that are likely to be valid—but that could require a lot of resources to complete:

  • A former employee requests copies of all emails, chat messages, and documents mentioning their name.
  • A vulnerable person requests all recorded information about them from across multiple public services, some of which is archived in paper files.
  • An unsuccessful loan applicant requests all the personal data that contributed to the loan decision, plus information about the logic involved in the credit-scoring algorithm.

When gathering personal data for a DSAR, remember that the definition of “personal data” is very broad. It includes anything that allows you to identify the data subject (including when combined with other personal data accessible to your organisation).

Strong data governance practices are a solid foundation for facilitating DSARs. Retrieving personal data is much easier if your organisation’s data is well-organised and accessible, you limit the number of software applications used by your employees, and you discourage the use of personal devices.

A DSAR might involve many different teams and departments across your organisation. If your organisation receives DSARs regularly, you should implement a process for communicating between departments and cooperating.

Specialist enterprise software can help track and manage the DSAR process by integrating with popular email, instant messaging, and cloud storage apps to help retrieve personal data.

Removing data about other people

One of the most time-consuming aspects of responding to a DSAR is removing personal data about people other than the requestor.

Article 15 (4) says that controllers must not “adversely affect the rights and freedoms of others” when responding to a DSAR. This suggests that, in general, the response should not include personal data about other people.

For example, if the data subject has requested copies of emails that include other people’s names or personal data, you should redact the emails so that they only contain personal data about the requestor.

This matter is further addressed in some countries’ national laws. For example, the UK Data Protection Act 2018 says that you can only disclose personal data about another person in response to a DSAR if:

  • The other person has consented to the disclosure; or
  • It is reasonable to comply with the request without that person’s consent.

The safest approach is usually to redact third parties’ personal data using a secure, non-reversible redaction method.

Delivering the personal data

The GDPR does not provide many firm rules about how to deliver personal data when completing a DSAR.

Article 12 (1) says that controllers must provide the requested personal data: 

  • “In writing”, 
  • By “electronic means”, where appropriate, or 
  • “Orally”, at the data subject’s request, if they have verified their identity “by other means”.

Recital 63 says that “where possible”, the controller should deliver the personal data by giving the data subject “remote access to a secure system”. So consider delivering personal data via an encrypted file-sharing platform.

If you need to provide the requested personal data via email, consider using password-protected attachments and sending the password via a separate email.

Meeting or extending the deadline

Here are the general principles around the deadlines for fulfilling a DSAR:

  • You must complete a DSAR “without undue delay and in any event within one month of receipt”.
  • You can extend the deadline by a further two months if necessary, depending on “the complexity and number of the requests”.
  • If you have decided to extend the deadline, you must tell the data subject within the initial one-month period.

It’s good practice to acknowledge the DSAR as soon as you receive it.

If you need to clarify the request or verify the data subject’s identity, some regulators say you can “stop the clock” until this process is complete. However, this advice varies from country to country, so you may wish to check with your local DPA.

Failing to complete DSARs on time can have consequences. In December 2022, a Swedish debt collection company, Alektum Oy, was fined €750,000 for repeatedly responding to DSARs late or ignoring them altogether.

Refusing a DSAR or charging a fee

If a DSAR is “manifestly unfounded or excessive”, you can:

  • Refuse to deal with it, or
  • Charge a fee to cover the administrative cost.

The GDPR does not provide much detail on what constitutes a “manifestly unfounded or excessive” DSAR, except to say that it includes “repetitive” requests.

The Irish Data Protection Commission (DPC) provides the following interpretation:

  • “Manifestly unfounded” means “the request does not concern personal data at all… or, although it does concern personal data, it is obvious that the data are not handled by you”.
  • “Excessive” means that the request is repetitive or goes beyond what is “reasonable in terms of time and money, taking into account the circumstances of the case”.

The UK ICO suggests that controllers can consider refusing a DSAR if the data subject “explicitly states” that the request is intended to cause disruption or the data subject is “targeting a particular employee against whom they have a personal grudge.” But the burden of proof is on the controller.

If you decide to refuse or charge for a request, you must notify the data subject within the initial one-month deadline period. 

The bar for refusing a DSAR is high, and a refusal could cause the data subject to complain to their regulator. As such, it is often easier to fulfil the DSAR than to refuse to act on it.

Frequently Asked Questions about DSARs

What are the penalties for not responding to a DSAR?

Violations involving DSARs can be sanctioned via the highest tier of GDPR penalties, namely:

  • Up to €20 million, or
  • Up to 4% of the total worldwide annual turnover of the preceding financial year

Regulators have a range of other sanctions available, from issuing reprimands to ordering a controller to stop processing personal data.

What are the rules on other types of GDPR requests?

Along with submitting a DSAR under the right of access, individuals can exercise various other rights over their personal data under the GDPR and other data protection laws. For example:

  • The right to erasure: People can request that you delete personal data about them under certain conditions, such as if you no longer need the data for its original purpose or if you’ve been processing it unlawfully.
  • The right to rectification: People can request that you correct inaccurate personal data about them, update outdated personal data, or complete incomplete personal data.
  • The right to data portability: People can request a portable, “machine-readable” copy of their personal data, and can also request that you transfer it to another controller.

The same basic approach, deadlines, and exceptions apply when handling requests under these other rights: You’ll need a strong foundation of good data governance, employee awareness, and transparent communication.

Can a DSAR be submitted by someone else on behalf of an individual?

Yes. The GDPR does not prohibit the data subject from having their DSAR submitted by someone else, such as a parent, carer, or lawyer. However, the controller must be confident that the data subject has requested this and should document their assessment of the third party’s identity.

To prove they are acting on the data subject’s behalf, the third party might present a signed letter from the data subject, provide evidence that they have power of attorney, or demonstrate that they are the data subject’s parent or guardian, depending on the circumstances.

What should be included in a DSAR response?

A DSAR response should include the personal data or other information requested by the data subject. It’s good practice to include an overview of the request, including the dates on which the data subject contacted your organisation and a summary of any communications with the data subject.

How often can individuals submit DSARs?

There’s no limit to how many DSARs an individual can submit. However, the controller may charge an administrative fee or refuse to act on a request deemed “excessive”, particularly if the request is repetitive.

The GDPR also allows the controller to charge an administrative fee to provide multiple copies of the same personal data.

Each DSAR should be reviewed on a case-by-case basis, and a DSAR should not be refused merely because the data subject has made a DSAR before.

What are the exceptions to fulfilling a DSAR?

The controller is not required to fulfil a DSAR that is “manifestly unfounded or excessive”. This might apply, for example, if the data subject is deliberately trying to cause disruption, is pursuing a grudge against a particular employee, or has submitted many DSARs in a short period.

Each country’s national law might also provide exceptions to the “right of access”. For example, Schedule 2 of the UK Data Protection Act 2018 provides limited exceptions in the following areas:

  • Crime and taxation
  • Immigration
  • Public safety

In each case, the exception applies only in specific circumstances, for example where fulfilling the DSAR would prejudice the outcome of a criminal investigation.

Best Practices for Managing DSARs Effectively

Here are some tips to help your organisation get DSARs right:

  • Implement data governance strategies to keep personal data well-organised and accessible.
  • Provide a standardised form or web portal for submitting DSARs (but remember that you cannot force the data subject to use it).
  • Provide regular data protection training to help employees recognise and facilitate DSARs.
  • Develop a clear, documented policy for managing DSARs.
  • Consider using specialist software to help track and fulfil DSAR requests.
  • Verify the data subject’s identity if you have reasonable doubts about who they are, but don’t ask for excessive personal data for verification purposes.
  • Keep data subjects updated throughout the process and respond within the mandatory time periods.
  • Use a secure file-sharing platform to provide the requested personal data, where appropriate.

Many DSARs come from unhappy customers or aggrieved ex-employees. Handling the DSAR process helpfully and efficiently can help improve the data subject’s impression of your organisation. And conversely, mismanaging a DSAR can cause reputational damage and legal issues.

Ensuring Compliance and Transparency with Effective DSAR Management

The “right of access” has been a crucial way to help individuals keep control of their personal data since the very earliest data protection laws. 

Facilitating DSARs is a major part of GDPR compliance and among the most important obligations of controllers. Understandably, people can become upset if a controller misses deadlines, fails to provide personal data, or refuses a DSAR without a valid reason.

Through good data governance, clear data protection policies, and well-informed and responsive employees, your organisation can make DSARs an opportunity to build customer trust while avoiding legal risks and reputational damage.

January 21, 2025