A data subject access request (DSAR) is one of the most frequently exercised rights under the General Data Protection Regulation (GDPR). Article 15 of the GDPR grants every individual the right to obtain confirmation from a data controller as to whether their personal data is being processed and, if so, to receive a copy of that data along with specific supplementary information. For compliance professionals, handling DSARs correctly is not optional — it is a legal obligation that carries significant enforcement consequences when mishandled.
According to the European Data Protection Board’s annual report, data subject access requests accounted for approximately 34% of all complaints filed with EU supervisory authorities. In the United Kingdom alone, the ICO reported a steady rise in subject access complaints year over year. These numbers reflect a clear trend: individuals are increasingly aware of their rights, and organizations must be prepared to respond efficiently and lawfully.
This guide provides a practical framework for handling every data subject access request your organization receives, from initial receipt through to final response — including the edge cases that trip up even experienced Data Protection Officers.
What Is a Data Subject Access Request Under GDPR?
A data subject access request is a formal or informal request made by an individual (the “data subject”) to a controller, asking for access to their personal data. The right is enshrined in Article 15 of the GDPR, which specifies that the individual is entitled to receive:
- Confirmation of whether their data is being processed
- A copy of the personal data undergoing processing
- Information about the purposes of processing, the categories of data, the recipients or categories of recipients, the envisaged retention period, and the existence of automated decision-making including profiling
A DSAR can be submitted in any form — by email, letter, verbally, or even via social media. There is no requirement for the individual to use a specific form or reference the GDPR explicitly. If someone asks “what data do you hold about me?”, that is a valid data subject access request.
DSARs versus other data subject rights. It is important to distinguish a data subject access request from related but distinct rights under GDPR. The right to data portability, for example, allows individuals to receive their data in a structured, commonly used, and machine-readable format for transfer to another controller. Erasure requests invoke the right to be forgotten. Rectification requests concern correcting inaccurate data. While a DSAR may arrive alongside these other requests, the response obligations differ for each.
Eligible requesters. Any living individual whose personal data is processed by your organization can submit a data subject access request. This includes employees, customers, website visitors, job applicants, and suppliers. Third parties — such as solicitors, family members, or advocacy organizations — may also submit DSARs on behalf of a data subject, provided they have proper written authorization. When your organization processes data of individuals outside the EU, remember that GDPR may still apply if the processing relates to offering goods or services to, or monitoring the behavior of, individuals in the European Economic Area.
How to Handle a Data Subject Access Request: Step-by-Step
Establishing a clear, repeatable process is essential. Organizations that lack a structured workflow for managing DSARs frequently miss the statutory deadline, provide incomplete responses, or inadvertently disclose third-party data. The following steps form a robust procedure grounded in GDPR’s core data privacy principles.
Step 1: Receive and Log the Request
Every data subject access request should be logged immediately in a centralized tracking system. Record the date received, the identity of the requester, the channel through which it was submitted, and the scope of data requested. This logging is critical for demonstrating compliance with the accountability principle. A survey by the International Association of Privacy Professionals (IAPP) found that 62% of organizations now use dedicated software to manage DSARs, a significant increase over prior years.
Step 2: Verify the Identity of the Requester
Before disclosing any personal data, you must verify that the person making the request is who they claim to be. Article 12(6) of the GDPR permits controllers to request additional information necessary to confirm the identity of the data subject. However, the verification measures must be proportionate — do not demand excessive documentation. For existing customers, verifying their identity through an account login or matching details on file is typically sufficient.
Step 3: Search, Retrieve, and Review the Data
Conduct a thorough search across all systems where the requester’s personal data may reside. This includes databases, email archives, CRM systems, HR platforms, paper files, backups, and data held by any data processor acting on your behalf. Review the retrieved data carefully to ensure that no third-party personal data is inadvertently disclosed — redaction may be necessary where data about other individuals is intertwined with the requester’s information.
Step 4: Prepare and Deliver the Response
Compile the data and supplementary information required by Article 15 into a clear, intelligible format. The response must be provided without undue delay and at the latest within one calendar month of receipt of the request. Under Article 12(3), this deadline can be extended by a further two months where requests are complex or numerous, but you must inform the data subject of the extension and the reasons within the initial one-month period. The response should be provided free of charge unless the request is manifestly unfounded or excessive, in which case Article 12(5) permits a reasonable fee or refusal.
What Are the Consequences of Failing to Respond?
The consequences of mishandling a data subject access request are severe. Under Article 83(5)(b) of the GDPR, failure to comply with data subject rights can attract administrative fines of up to 20 million EUR or 4% of annual global turnover, whichever is higher. Enforcement action in this area is not theoretical. The Italian data protection authority (Garante) has imposed fines on companies for failing to respond to DSARs within the statutory deadline. The Swedish supervisory authority has likewise sanctioned organizations for inadequate DSAR responses.
Beyond financial penalties, mishandling DSARs can trigger formal complaints to supervisory authorities, reputational damage, and erosion of customer trust. For organizations that have experienced a data breach, an influx of DSARs is common — and failing to respond properly during that critical period compounds the damage significantly.
Common Challenges and How to Overcome Them
Even well-prepared organizations encounter difficulties when processing data subject access requests at scale. Understanding these challenges in advance allows you to build more resilient processes.
Handling high volumes. Large organizations may receive hundreds or thousands of DSARs per year. A Gartner study projected that large enterprises spend over one thousand dollars per DSAR to process manually. Automation tools can reduce both cost and response time significantly.
Dealing with vague or broad requests. A data subject access request that asks for “all data you hold about me” can be challenging to scope. While you cannot require the individual to narrow their request, Article 12(1) encourages a dialogue to clarify what the individual is seeking, particularly before applying the manifestly excessive threshold.
Third-party data in DSAR responses. Where the personal data of other individuals is intertwined with the requester’s data, you must balance the requester’s right of access against the privacy rights of those third parties. Redaction of third-party identifiers is typically the appropriate approach.
Data held by processors. Your obligations extend to data held by processors on your behalf. Ensure your processing agreements include clear provisions requiring processors to assist promptly with DSARs, as mandated by Article 28(3)(e) of the GDPR.
FAQ
How long do I have to respond to a data subject access request?
You must respond within one calendar month of receiving the request. This deadline can be extended by an additional two months if the request is complex or if you receive a high number of requests, but you must notify the data subject of the extension within the first month.
Can I charge a fee for responding to a DSAR?
Generally, the first copy of the personal data must be provided free of charge. However, under Article 12(5), if a request is manifestly unfounded or excessive — particularly if it is repetitive — you may charge a reasonable fee based on administrative costs, or refuse to act on the request entirely. You must justify any refusal.
Does a DSAR have to be in writing?
No. A data subject access request can be made verbally, by email, through a web form, by letter, or via any other communication channel. There is no requirement for the request to reference the GDPR or use specific terminology. Any clear expression of intent to access personal data qualifies.