The Complete Guide to Data Subject Access Requests (DSAR)

Posted by Kevin Yun | August 24, 2023

If you're wondering "What is a DSAR?", you've come to the right place.

The General Data Protection Regulation (GDPR) established key rights for individuals regarding their personal data. One of the most important rights is the ability to make a Data Subject Access Request (DSAR) to obtain copies of personal data from controllers. This article provides an in-depth look at DSARs under GDPR including the process, requirements, and best practices for compliance.

In this article, we've broken down the topic of DSARs into ten sections:

  1. What is a DSAR?
  2. Data subject rights to access personal data
  3. Process for submitting a DSAR
  4. What information is provided for a DSAR
  5. Reasons to make a DSAR
  6. Who is responsible for complying with DSARs
  7. Timeframe to respond to a DSAR
  8. Format for providing data for a DSAR
  9. Exceptions for not providing data for a DSAR
  10. Penalties for non-compliance with DSARs

Example of a data request form. Image source: https://gdpr.growsurf.com

I. What is a DSAR?

DSAR, or data subject access request, is a request made by a data subject for the personal data that a controller holds about them. DSARs allow individuals to ask organizations for copies of their personal data under the General Data Protection Regulation (GDPR). DSAR is often used interchangeably with data subject requests (DSR).

Under the GDPR, data subjects have the right to:

  • Know what personal data is being processed
  • Access their personal data
  • Verify the lawfulness of the processing

A valid DSAR must be made in writing (email is acceptable) and include:

  • Name and contact information of data subject
  • Details to help verify their identity
  • Specification of the personal data being requested

The GDPR requirements for responding to DSARs include:

  • Providing the data subject's information free of charge
  • Responding within 30 calendar days
  • Explaining where the personal data originated
  • Details on whether the data will be retained or erased
  • Notifying any third parties who receive the data subject's personal data

Controllers must provide the data in a commonly used electronic format. They should focus on making the data easy to access and understand.

DSARs can apply to many types of personal data including:

  • Contact details
  • Banking information
  • Photos
  • Social media posts
  • Medical records
  • Internet search history
  • IP addresses
  • Biometric data

Type of Organization      Examples
------------------------  ----------------------------------
Companies                 Retailers, technology firms, banks
Government agencies       Tax authority, law enforcement
Healthcare providers      Hospitals, insurance companies, GP
Educational institutions  Schools, colleges, universities

DSARs are a key right of data subjects under GDPR to understand what personal data is held about them by controllers and how it is used.

II. Data subject rights to access personal data

The GDPR provides specific rights to data subjects regarding their personal data. The key right related to DSARs is the right to access and receive a copy of the personal data that a controller has about the data subject.

This right allows data subjects to understand what personal data is held, why it is processed, who it is shared with, where it originated from, and more. Under Article 15 of the GDPR, the data subject has the right to obtain the following from the controller:

  • Confirmation that their personal data is being processed
  • Access to their personal data
  • Purposes of the processing
  • Categories of personal data concerned
  • Recipients or categories of recipients the data has been disclosed to
  • How long the data will be stored or criteria used to determine retention
  • Info about other rights including correction, erasure, restriction of processing
  • Right to lodge a complaint with the supervisory authority
  • Info about sources of data if not collected directly from data subject
  • Automated decision making, profiling, and related logic

The controller must provide this info in a commonly used electronic form such as email. They cannot refuse to act on data subject requests or charge a fee unless the requests are manifestly unfounded, excessive, or repetitive.

Data subjects have the right to access both automatically and manually processed personal data held in systems like:

  • CRM databases
  • Email servers
  • Backup systems
  • Document management systems
  • HR databases
  • Marketing databases

Data Type       Examples
--------------  ---------------------------------------------------------------------
Identity Data   Name, address, phone number, email address, IP address, identifiers
Financial Data  Bank account details, payment card details, income, purchases
Tracking Data   Website history, location data, online identifiers
Technical Data  Device information, connection data, software use
Profiling Data  Inferences drawn from data to analyze or predict aspects like performance at work, economic situation, etc.

Controllers must provide the info in a commonly used electronic form. They should focus on making the data provided easy to access and understand for the data subject.

Overall, DSARs empower data subjects with transparency into how their personal data is used. Controllers are obligated to provide the detailed info listed above when a valid DSAR is made under the GDPR.

III. Process for submitting a DSAR

When a data subject wants to exercise their right to access their personal data from a controller, they need to submit a valid DSAR. Here is an overview of the key steps in the DSAR process:

  1. Identify the controller(s) that processes your personal data. This could be a company, government agency, healthcare provider, etc. You can submit a DSAR to any controller.

  2. Make the request in writing via email or postal mail. Include your name, contact details, and requested info. Provide details to verify your identity.

  3. The controller will confirm receipt of the DSAR and may ask for more details to verify your identity before disclosing personal data.

  4. Verify your identity. The controller must confirm your identity before sending your personal data. They may ask for info like passport, driver's license, address, date of birth, etc.

  5. The controller searches databases and systems that hold personal data to find all data related to the data subject. This includes structured databases as well as emails and documents.

  6. The controller reviews, redacts, and prepares the personal data for disclosure to make sure it doesn't reveal information about other data subjects.

  7. The controller provides the personal data to the data subject electronically in a commonly used format like PDF within 30 days.

  8. If there is a backlog of DSARs, the controller can extend the response timeframe by two additional months but must inform the data subject within one month and provide reasons.

  9. If the controller cannot provide certain personal data, they must inform the data subject and explain the reasons why (such as exemptions).

  10. If the data subject is not satisfied with the controller's response, they can complain to the supervisory authority. This allows the appropriate oversight body to review compliance with DSAR obligations.

When handled properly, DSARs allow data subjects to receive their personal information in a timely manner. The GDPR sets requirements for controllers to make the process smooth and accessible for individuals exercising their privacy rights.

IV. What information is provided for a DSAR

When a controller receives a valid DSAR, they must provide the data subject with their personal data in a concise, transparent, and easily accessible way. Here are key types of information that should be provided:

  • Categories of personal data collected and processed including names, addresses, dates of birth, location data, online identifiers, etc.

  • Purposes for processing the personal data, such as provision of goods and services, recruitment, marketing, security, etc.

  • Any recipients or categories of recipients the personal data has been disclosed to, such as vendors, advertising partners, or third party apps.

  • Details on where the controller sourced the personal data if it wasn't collected directly from the data subject.

  • Time periods that the personal data will be stored or criteria used to determine retention periods.

  • Confirmation that the controller uses automated decision making, profiling, or targeting related to the personal data and how those techniques work.

  • Other supplementary information that would help explain how and why the controller processes the data subject's personal data.

The key is that the controller should provide full visibility into how they use the individual's information beyond just providing copies of the raw data. Details must include:

  • Who has access
  • Why it is processed
  • What it is used for
  • How decisions are made using it

Data Type           Details
------------------  -----------------------------------------------------------------------------
Contact data        Where it's stored, sources, sharing, retention policy
Financial info      Processing purposes, who it's shared with, security controls, retention
Health records      Sources, retention policy, details of automated decision systems using the data
Social media posts  Sources, how it relates to targeting/profiling, analysis performed, who has access

The GDPR requires transparency around sharing, security, and retention. The controller should explain the protection, risk mitigation, governance, and accountability measures related to the personal data.

Overall, the DSAR response should provide a full picture of what personal data the controller has, why they have it, what they do with it, and who has access. This allows the data subject to understand their digital footprint.

V. Reasons to make a DSAR

There are many valid reasons why a data subject may want to exercise their right to make a DSAR to a controller. Here are some of the key motivators:

  • Gain transparency into what personal data a controller holds, why they have it, how they use it, and who they disclose it to. This insight helps data subjects understand their digital footprint.

  • Verify data accuracy. Reviewing provided data can help individuals identify any mistakes in their personal data so they can request corrections to ensure it is accurate and up to date.

  • Check compliance. DSARs allow data subjects to validate that a controller is processing their personal data in a legal, ethical, and compliant manner according to regulations.

  • Close account or object to processing. After reviewing their personal data, the data subject may wish to deactivate accounts, object to types of processing, or request erasure of data.

  • Detect fraud or misuse. Checking personal data can uncover suspicious activity or potential misuse of information that requires investigation and remediation.

  • Monitor data sharing. The DSAR response provides visibility into who personal data is shared with which may reveal unexpected or unauthorized disclosures.

  • Recover lost data. In some cases, users may have lost access to their personal data held by a service and can recover it via a DSAR.

  • Migration to new service. Obtaining personal data via a DSAR can make it easier to migrate accounts and data to another service or provider.

Scenario               DSAR benefits
---------------------  ---------------------------------------------------
Online platform use    Identify how data is tracked, shared, or monetized
Data breach incident   Understand impact of breach on your personal data
Leaving a service      Retrieve data to close account or switch platforms
Suspicious activity    Check for misuse or compromised account/data

Overall, DSARs empower data subjects with information, choice, and control over their digital footprint. Organizations should make DSARs accessible and easy to exercise without placing unnecessary burdens on the data subject. The proper use of DSARs builds trust and accountability.

VI. Who is responsible for complying with DSARs

Under the GDPR, the controller is the entity that is responsible for meeting DSAR requirements and providing the personal data to the data subject.

The controller is the person or organization that controls and is responsible for the processing of personal data. Key obligations include:

  • Verifying the identity of the data subject making the DSAR
  • Locating all relevant personal data across databases and systems
  • Assessing what data can be provided and any redactions needed
  • Preparing the response and transmitting the personal data

Even if the controller has third party processors or vendors that handle the personal data, the controller remains ultimately accountable for the DSAR response.

Some guidelines on identifying the responsible controller:

  • For online services, the website owner or service provider is the controller
  • For employment records, the employer is the controller
  • For medical records, the healthcare provider is the controller
  • For financial records, the bank or lender is the controller
  • For retail transactions, the business is the controller

If a processor handles the DSAR instead of the controller, they must meet the 30 day timeframe for response. The GDPR does not allow contracted processing agreements to interfere with a data subject's access rights.

Type of Controller       Responsibilities
-----------------------  --------------------------------------------------------------------
Retail company           Provide transaction data, purchase history, website/app usage
University               Provide student records, course enrollment, campus usage data
Hospital                 Provide patient treatment records, lab tests, medical images
Smartphone manufacturer  Provide device data, usage statistics, location history
Advertising network      Provide ad targeting data, clickstream data, analytics on conversions

Any controllers and processors that handle the personal data must assist in preparing the DSAR response, even if they are not the main point of contact. All organizations in the data processing chain need to comply.

Overall, the controller is legally obligated to provide data subjects access to personal data when a valid DSAR is made. They cannot avoid responsibility by contracting it out to a third party.

VII. Timeframe to respond to a DSAR

Under the GDPR, the controller must respond to a DSAR without undue delay and within one month of receiving the request. The timeframe for response is:

  • 30 calendar days from the date the controller receives the DSAR
  • This can be extended by two additional months if complex or multiple requests are made
  • The controller must inform the data subject within one month if an extension is needed

The 30 day response window ensures timely access within a reasonable period.

Steps the controller can take within the initial 30 day timeframe:

  • Validate the DSAR is sufficient and identity is verified
  • Search all relevant systems and databases for the personal data
  • Assess what data can be provided and prepare response
  • Provide the personal data in a commonly used electronic format

Exceptions where the controller can extend the response time:

  • Large quantities of diverse personal data are requested
  • Multiple DSARs have been made by the data subject

Even with an extension, the personal data must be provided within 3 months total from the initial DSAR date.

If the controller needs clarification on what personal data is being requested, they can initiate a dialogue with the data subject within the first month. This pause does not extend the 30 day timeframe.

Scenario                                  Response Timeframe
----------------------------------------  ------------------------------
DSAR for past 6 months of account data    30 days
DSAR for all account data ever collected  Can extend up to 90 days total
DSAR for data from 5 different systems    Can extend up to 90 days total

If the controller fails to meet the response deadline, they are violating GDPR and data subjects can file a complaint with the supervisory authority.

In summary, the 30 day DSAR response timeframe ensures data subjects can access their personal data in a timely manner. Extensions for complex requests should still result in delivery within 3 months total to respect individual rights.

VIII. Format for providing data for a DSAR

When responding to a DSAR, the GDPR requires the controller to provide the personal data in a commonly used electronic format. The main guidelines include:

  • Use a structured, commonly used format like CSV, JSON, XML, etc. Avoid proprietary formats.
  • Ensure the file is machine readable and structured for easy analysis
  • Provide metadata descriptions for columns and data fields
  • Use standard encoding like UTF-8 and provide data dictionary
  • Encrypt sensitive data like financial info or healthcare data
  • Format data exports per system rather than combined files

Recommended practices for controller to optimize DSAR response format:

  • Consult with data subject on preferred file formats if possible
  • Use secure online portal for delivery instead of email attachments
  • Separate exempt data from disclosed data into different files
  • Label all files appropriately for easy identification
  • Provide an index file listing contents of all data exports

When assessing format, consider data subject's ability to:

  • Access - easily open and read the files
  • Comprehend - understand what each data field means
  • Interpret - make sense of the personal data provided

Table view of common file formats, pros and cons:

Format  File Extensions  Pros                     Cons
------  ---------------  -----------------------  ---------------------------------
CSV     .csv             Simple, compact          No relationships between tables
JSON    .json            Good for web APIs        Verbose
XML     .xml             Flexible structure       Verbose, hard to parse manually
XLSX    .xlsx            Familiar for most users  Not as portable across platforms

The controller should ensure filenames, headers, and documentation enable clear understanding. The aim should be usability and transparency versus just delivering raw files.

When formatting the response, the controller needs to consult the preferences and capabilities of the specific data subject. There are many acceptable options, as long as the personal data is provided in an accessible electronic format.
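The packaging practices recommended above (per-system exports in UTF-8 JSON, a data dictionary describing every field, exempt data split into its own file with the reason, and an index listing every file) worked through as an added Python example; this is not code from the article or from ComplyDog, and the two systems, field names, records and disclosure decisions are constructed for illustration.

```python
import hashlib
import json

# Constructed sample: records for one hypothetical data subject from two systems.
SUBJECT_ID = "user-1042"
EXPORTS = {
    "crm": [{"record_id": 7, "email": "alice@example.org", "plan": "pro",
             "referred_by": "bob@example.org"}],
    "support": [{"ticket": 501, "opened": "2023-05-02",
                 "note": "Asked about invoices", "agent_id": "agent-17"}],
}

# Data dictionary (constructed): each field gets a description and a disclosure
# decision; "exempt" fields go to a separate file together with the reason.
DATA_DICTIONARY = {
    "crm": {
        "record_id": {"desc": "Internal CRM row id", "action": "disclose"},
        "email": {"desc": "Account email address", "action": "disclose"},
        "plan": {"desc": "Subscription tier", "action": "disclose"},
        "referred_by": {"desc": "Email of the referring user", "action": "exempt",
                        "reason": "Personal data of another data subject"},
    },
    "support": {
        "ticket": {"desc": "Support ticket number", "action": "disclose"},
        "opened": {"desc": "Ticket open date, ISO 8601", "action": "disclose"},
        "note": {"desc": "Agent's free-text note", "action": "disclose"},
        "agent_id": {"desc": "Staff member id", "action": "exempt",
                     "reason": "Personal data of an employee"},
    },
}


def split_records(system, records):
    """Return (disclosed, exempt) lists for one system, driven by the dictionary.
    An undocumented field aborts the export: fail closed rather than leak it."""
    fields = DATA_DICTIONARY[system]
    disclosed, exempt = [], []
    for i, rec in enumerate(records):
        keep, held = {}, {}
        for key, value in rec.items():
            if key not in fields:
                raise KeyError(f"undocumented field {key!r} in system {system!r}")
            if fields[key]["action"] == "disclose":
                keep[key] = value
            else:
                held[key] = fields[key]["reason"]
        disclosed.append(keep)
        if held:
            exempt.append({"record": i, "withheld_fields": held})
    return disclosed, exempt


def to_bytes(obj):
    """Pretty-printed UTF-8 JSON; non-ASCII characters are kept readable."""
    return json.dumps(obj, indent=2, ensure_ascii=False).encode("utf-8")


def digest(data):
    """SHA-256 hex digest, listed in the index so the recipient can verify each file."""
    return hashlib.sha256(data).hexdigest()


def build_package(subject_id, exports):
    """{filename: bytes}: per-system disclosed/exempt files, the dictionary, an index."""
    files = {"data_dictionary.json": to_bytes(DATA_DICTIONARY)}
    for system, records in exports.items():
        disclosed, exempt = split_records(system, records)
        files[f"{system}_disclosed.json"] = to_bytes(disclosed)
        if exempt:
            files[f"{system}_exempt.json"] = to_bytes(exempt)
    index = {"subject_id": subject_id,
             "files": [{"name": n, "bytes": len(d), "sha256": digest(d)} for n, d in files.items()]}
    files["index.json"] = to_bytes(index)
    return files
```

The returned mapping is what would be zipped, encrypted and placed on the delivery portal; the index lets the data subject confirm nothing was lost or altered in transit.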

IX. Exceptions for not providing data for a DSAR

While the GDPR establishes a data subject's general right to obtain a copy of their personal data through a DSAR, there are certain exceptions where the controller can refuse to provide all or some of the requested data.

The main exceptions include:

  • Data that may adversely affect the rights and freedoms of others
  • Trade secrets or intellectual property
  • Legal professional privilege
  • Compliance with legal obligations
  • Crime prevention or detection

Even when exempting certain data, the controller should still provide as much of the requested personal data as possible.

Examples where exemptions may apply:

  • Redacting data about other individuals
  • Withholding trade secrets like source code or recipes
  • Not providing information subject to legal professional privilege
  • Following laws that prohibit providing certain classified data

If the controller refuses to provide data, they must explain their reasoning and inform the data subject of their right to complain to the supervisory authority.

Exception          When it might apply
-----------------  ---------------------------------------------------------------------------
Rights of others   Withholding third party data or minors' data that requires parental consent
Legal privilege    Excluding attorney-client communications
IP protection      Withholding trade secrets or patented information
Legal obligations  Blocked from providing data by security laws

Controllers should narrowly interpret and apply exceptions based on the specifics of each DSAR. They need to assess exemptions in good faith without overreaching just to avoid disclosing data.

The data subject must be provided clear explanations if any personal data is redacted or withheld when responding to their DSAR. They need transparency into exemptions claimed by the controller.

Overall, exceptions should be limited and well justified. Controllers must take care not to abuse exemptions to withhold more data than is necessary under the specific DSAR circumstances.


X. Penalties for non-compliance with DSARs

Under the GDPR, there are significant penalties that can be imposed on controllers and processors for not complying properly with DSARs. This motivates response accountability.

The two tiers of administrative fines under the GDPR are:

  • Up to €10 million or 2% of annual global turnover for less severe violations
  • Up to €20 million or 4% of annual global turnover for more severe violations

Examples of violations related to DSAR non-compliance:

  • Failing to respond to a DSAR within the 30 day timeframe
  • Charging excessive fees for responding to DSARs
  • Failing to verify the data subject's identity
  • Withholding or destroying requested personal data
  • Providing incomplete, inaccessible, or unusable data

Other consequences like reputational damage, lawsuits, injunctions, and criminal liability may also stem from DSAR non-compliance.

Violation Severity  Examples
------------------  -----------------------------------------------------------------------------------------
Minor               Failure to meet 30 day response time, unreasonable fees, not verifying identity properly
Major               Destruction of requested data, incomplete or unreadable responses, repeated DSAR failures

Any data subjects who believe a controller improperly handled their DSAR can lodge a complaint with the supervisory authority for investigation.

If found non-compliant, the supervisory authority will decide on a fine amount based on factors like intent, negligence, transparency, accountability, previous issues, cooperation with authorities, etc.

Process if a DSAR complaint is filed with the supervisory authority:

  1. Complaint filed and case opened
  2. Investigation into controller's DSAR practices
  3. Assessment of compliance with obligations
  4. Determination of any penalties like fines
  5. Ongoing monitoring and remediation

Fines and sanctions act as an incentive for controllers to prioritize DSAR compliance. Proper DSAR handling demonstrates accountability and helps mitigate potential enforcement actions.

Conclusion

DSARs are a critical data subject right that provides individuals transparency and control over their personal data. Organizations must have proper procedures and tools in place to handle DSARs efficiently and comply with GDPR obligations. Using GDPR management software like ComplyDog can streamline the DSAR fulfillment process and reduce the risk of penalties. With the right solutions, companies can respond to access requests in a timely manner while also gaining insights into their data processing activities. Handling DSARs properly demonstrates accountability and trustworthiness.

