Subject access requests: Individual rights and business obligations

Posted by Kevin Yun | October 21, 2025


When someone asks for copies of their personal information, organizations face one of the most common privacy requests under data protection law. The subject access request — often abbreviated as SAR or DSAR (Data Subject Access Request) — represents a fundamental right that every person possesses regarding their personal data.

But there's more to this than meets the eye. Organizations regularly stumble over these requests, not because they're trying to be difficult, but because they genuinely don't know what they're supposed to do. And honestly? The consequences of getting it wrong can be pretty steep.

Table of contents

  1. What is a subject access request?
  2. Legal foundation and rights
  3. Who can submit a subject access request?
  4. Information organizations must provide
  5. How individuals can submit requests
  6. Identity verification requirements
  7. Response timeframes and deadlines
  8. Fees and costs
  9. When organizations can refuse requests
  10. Third-party requests and authorization
  11. Organizational responsibilities
  12. Common challenges and solutions
  13. Best practices for compliance

What is a subject access request?

A subject access request gives individuals the right to obtain copies of their personal information from any organization that processes their data. Think of it as your digital receipt — proof of what information companies hold about you and what they're doing with it.

The request doesn't need fancy legal language. Someone could simply email asking "What information do you have about me?" and that counts as a valid SAR. No magic words required.

This right exists under various data protection laws worldwide, most notably the General Data Protection Regulation (GDPR) in Europe and similar legislation in other jurisdictions. The core principle remains consistent: people should know what personal data organizations collect and process about them.

Organizations process these requests more frequently than you might expect. Customer service departments, HR teams, and marketing divisions all receive them. Sometimes they arrive through official channels, other times via social media or even casual phone calls.

Legal foundation and rights

The right of access stems from fundamental privacy principles that emerged long before digital technology dominated our lives. However, modern data protection laws significantly expanded these rights and made them more enforceable.

Under GDPR Article 15, individuals can request access to their personal data to verify lawful processing. Similar provisions exist in other privacy frameworks, including the UK GDPR, California Consumer Privacy Act (CCPA), and various national data protection laws.

These laws recognize that data transparency builds trust between organizations and individuals. When people understand how their information gets used, they can make informed decisions about sharing it.

The legal framework also establishes specific obligations for organizations. They must respond within defined timeframes, provide information in accessible formats, and maintain records of their compliance efforts.

Who can submit a subject access request?

Anyone whose personal data an organization processes can submit a SAR. This includes:

  • Current and former employees seeking copies of HR records, performance reviews, or disciplinary files
  • Customers and clients wanting to see transaction histories, marketing profiles, or support interactions
  • Website visitors curious about tracking data, cookies, or behavioral analytics
  • Business partners and contractors requesting copies of communication records or contract-related data

The scope extends beyond direct business relationships. Organizations often process personal data from various sources — referrals, public databases, social media platforms, or third-party data brokers. Individuals can request access to any personal information, regardless of how the organization obtained it.

No specific reason or justification is required. Someone might submit a SAR out of curiosity, as part of legal proceedings, or simply to understand their digital footprint better.

Age doesn't automatically disqualify someone from making a request, though organizations must consider capacity and consent issues when dealing with minors.

Information organizations must provide

Organizations must provide several categories of information when responding to a SAR:

Confirmation of processing: A clear yes or no answer about whether the organization processes the individual's personal data.

Copy of personal data: Actual copies of the personal information being processed, typically in electronic format unless the individual specifically requests hard copies.

Processing purposes: Detailed explanations of why the organization collects and uses the personal data.

Data categories: Descriptions of the types of personal information being processed (contact details, financial information, behavioral data, etc.).

Recipients and sharing: Information about any third parties who receive or have access to the personal data.

Retention periods: How long the organization plans to keep the data, or the criteria used to determine retention periods.

Data sources: Where the personal data originated, especially if not collected directly from the individual.

Automated decision-making: Details about any automated processing, including profiling, that affects the individual.

Individual rights: Information about the person's rights to rectification, erasure, restriction of processing, objection and data portability, and about their right to lodge a complaint with a supervisory authority.

International transfers: Details of any transfers of the personal data to a third country or international organisation, together with the safeguards that apply to those transfers.

This information must be provided in a concise, transparent, and easily understandable format. Technical jargon should be avoided or clearly explained.

How individuals can submit requests

Subject access requests can arrive through virtually any communication channel. Organizations need to be prepared to receive and recognize them regardless of format or delivery method.

Online submission forms provide the most structured approach. Many organizations create dedicated web pages where individuals can submit detailed requests with necessary identification and specification of required information.

Email requests remain extremely common. These can range from formal letters attached as PDFs to casual messages sent to general inquiry addresses. The key is recognizing the request regardless of formality level.

Phone calls present particular challenges because they require immediate recognition and proper documentation. Staff members need training to identify SARs during routine customer service interactions.

Postal mail still occurs, especially from individuals who prefer traditional communication methods or lack digital access.

Social media increasingly serves as a platform for submitting requests. Someone might tweet at a company or send a Facebook message asking for their personal data.

The submission method doesn't affect the validity of the request. Organizations must establish internal procedures to capture, log, and route requests from all channels to appropriate response teams.

Individuals should provide sufficient information to help organizations locate their data efficiently. This typically includes full names, contact information, account numbers, and specific date ranges or types of information sought.

Identity verification requirements

Organizations must verify the identity of the person making a subject access request before disclosing anything, because the most direct way to misuse the process is for someone else to pose as the data subject and obtain their data. Verification must nonetheless remain proportionate and not become a barrier to exercising the right.

Reasonable verification measures vary with the context and the sensitivity of the information requested. Where the requester already has an account, the existing login is usually the strongest evidence available, and a request submitted from inside an authenticated session needs little more. Businesses that only deal with people face to face might ask for identification in person.

Email verification is often sufficient for straightforward requests, provided the check is tied to the address the organization already holds for the person: confirm by writing to the address on file, not to whatever address the request arrived from, since the latter is exactly what an impersonator controls.

Photo identification may be justified for high-risk situations or for particularly sensitive categories of data such as medical or financial records. It is not a default. Copies of identity documents are themselves personal data that then have to be protected and deleted, and asking for more than the case requires can itself be challenged.

Documentation requirements should be clearly communicated to individuals. Organizations should explain what verification materials they need and why, avoiding requests for excessive or unnecessary documentation.

The verification process shouldn't be used as a delay tactic or barrier to legitimate requests. Organizations must balance security concerns with accessibility and efficiency.

Some individuals may have difficulty providing standard identification documents due to personal circumstances, security concerns, or accessibility issues. Organizations should consider alternative verification methods when appropriate.
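The email check described above, done proportionately, as an added example that is not part of the original post and not ComplyDog's code. A signed, time-limited, single-use challenge is generated for the email address on record and never for an address supplied in the request; a request whose sender does not match the record is routed to manual verification rather than rejected. The account records, the signing key and the request identifiers are constructed for the example.

```python
"""Proportionate identity check for a SAR (added example, not the post's code).

The check is bound to a contact channel the organization already holds: a
signed, time-limited, single-use challenge addressed to the email on record.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

CHALLENGE_TTL_SECONDS = 24 * 60 * 60

# Constructed sample records; a real deployment would look these up in the
# account store. Only the address on record may receive the challenge.
ACCOUNTS = {
    "cust-1042": {"email": "alice@example.com"},
    "cust-2077": {"email": "bob@example.org"},
}

# Constructed key for the example; in production it comes from a secrets manager.
SAMPLE_KEY = b"sar-challenge-key-constructed-for-this-example"

# Request ids whose challenge has already been redeemed (single use).
_redeemed_requests: set = set()


@dataclass(frozen=True)
class Challenge:
    request_id: str
    account_id: str
    send_to: str      # address on record: the only place the link is sent
    expires_at: int   # unix time
    token: str        # HMAC over request id, account id and expiry


def _mac(key: bytes, request_id: str, account_id: str, expires_at: int) -> str:
    message = f"{request_id}|{account_id}|{expires_at}".encode()
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def issue_challenge(key: bytes, request_id: str, account_id: str,
                    claimed_email: str, now: int) -> Optional[Challenge]:
    """Return a challenge for the address on record, or None when the address
    the request came from does not match it (manual verification path)."""
    record = ACCOUNTS.get(account_id)
    if record is None or claimed_email.strip().lower() != record["email"].lower():
        return None
    expires_at = now + CHALLENGE_TTL_SECONDS
    token = _mac(key, request_id, account_id, expires_at)
    return Challenge(request_id, account_id, record["email"], expires_at, token)


def redeem_challenge(key: bytes, request_id: str, account_id: str,
                     expires_at: int, presented_token: str, now: int) -> bool:
    """True exactly once per request, for an unexpired token with a valid MAC."""
    if now > expires_at:
        return False
    expected = _mac(key, request_id, account_id, expires_at)
    if not hmac.compare_digest(expected, presented_token):
        return False
    if request_id in _redeemed_requests:
        return False
    _redeemed_requests.add(request_id)
    return True


if __name__ == "__main__":
    now = 1_700_000_000
    c = issue_challenge(SAMPLE_KEY, "sar-001", "cust-1042", "alice@example.com", now)
    print("send link to:", c.send_to)
    print("redeemed:", redeem_challenge(SAMPLE_KEY, c.request_id, c.account_id,
                                        c.expires_at, c.token, now + 60))
```

The expiry is part of the signed message, so a link cannot be kept alive by editing its timestamp, and the single-use set is keyed by request id so that a reissued challenge for the same request cannot be redeemed twice either.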

Response timeframes and deadlines

Organizations normally have one month to respond to a subject access request, counted from the day they receive it. Where they have legitimately asked for identity verification or, in the rare permitted cases, a fee, the period runs from the day they receive that.

Extension circumstances allow the period to be extended by up to two further months where necessary, taking into account the complexity and the number of requests from the same individual.

Notification requirements mandate that organizations inform individuals about any extensions within the original one-month period, explaining the reasons for the delay.

Complexity factors that might justify extensions include:

  • Requests covering extensive time periods or large volumes of data
  • Multiple simultaneous requests from the same person
  • Requests requiring coordination across multiple systems or departments
  • Technical challenges in extracting or formatting requested information

The clock starts from the moment an organization receives a valid request with sufficient information to identify the individual and locate their data. Incomplete requests don't trigger the deadline until all necessary information is provided.

Organizations should establish internal tracking systems to monitor response deadlines and prevent accidental delays that could result in regulatory complaints or enforcement actions.
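The deadline rules above as an added worked example, not part of the original post and not ComplyDog's code. It implements the UK ICO reading of the GDPR Article 12(3) time limit: the corresponding calendar date one month on, the last day of that month if it has no such date, the next working day if the result falls on a weekend or public holiday, a start date that moves to the day identity verification is completed, and an extension of at most two further months that must be announced by the original deadline. The holiday set and the request dates are constructed for the example.

```python
"""SAR deadline tracker (added example, not the post's code).

Rules implemented follow UK ICO guidance on the GDPR Article 12(3) limit:
  * the clock starts on the day of receipt, or on the day the organization
    receives requested identity verification (or a permitted fee);
  * the deadline is the corresponding date one calendar month later, or the
    last day of that month if there is no such date (31 Jan -> 28/29 Feb);
  * an extension adds up to two further calendar months and must be notified
    by the original one-month deadline;
  * a deadline on a weekend or public holiday moves to the next working day.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, Optional

MAX_EXTENSION_MONTHS = 2

# Constructed sample of public holidays (ISO dates); a real deployment would
# load the calendar for its jurisdiction.
SAMPLE_HOLIDAYS = frozenset({"2025-08-25", "2025-12-25", "2025-12-26"})


def _as_date(value) -> date:
    """Accept a date or an ISO-8601 string such as '2025-10-21'."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def add_calendar_months(d: date, months: int) -> date:
    """Corresponding date `months` ahead, clamped to month end when needed."""
    index = d.month - 1 + months
    year, month = d.year + index // 12, index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def next_working_day(d: date, holidays: set) -> date:
    """Return `d` if it is a working day, otherwise the next working day."""
    while d.weekday() >= 5 or d in holidays:  # 5 = Saturday, 6 = Sunday
        d += timedelta(days=1)
    return d


@dataclass(frozen=True)
class SarDeadline:
    clock_start: date
    base_deadline: date     # one month from clock_start, working-day adjusted
    final_deadline: date    # after any extension, working-day adjusted
    extension_months: int

    @property
    def extension_notice_by(self) -> Optional[date]:
        """The individual must be told of an extension by the base deadline."""
        return self.base_deadline if self.extension_months else None

    def days_remaining(self, today) -> int:
        return (self.final_deadline - _as_date(today)).days


def compute_deadline(received, *, verified_on=None, extension_months: int = 0,
                     holidays: Iterable = SAMPLE_HOLIDAYS) -> SarDeadline:
    """Deadline for a request received on `received` (date or ISO string)."""
    if not 0 <= extension_months <= MAX_EXTENSION_MONTHS:
        raise ValueError("GDPR allows at most two further months")
    received = _as_date(received)
    start = _as_date(verified_on) if verified_on is not None else received
    if start < received:
        raise ValueError("verification cannot precede receipt")
    hol = {_as_date(h) for h in holidays}
    base = next_working_day(add_calendar_months(start, 1), hol)
    final = next_working_day(add_calendar_months(start, 1 + extension_months), hol)
    return SarDeadline(start, base, final, extension_months)


if __name__ == "__main__":
    d = compute_deadline("2025-01-31", extension_months=2)
    print("notify extension by", d.extension_notice_by, "final", d.final_deadline)
```

The two ValueError checks are where most tracking spreadsheets go wrong in practice: an extension of three months, or a "verification date" that predates receipt, silently produces a legal-looking deadline that the regulator will not accept.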

Fees and costs

Subject access requests must normally be handled free of charge. Organizations cannot routinely charge fees for providing copies of personal data or the accompanying information.

Exceptional fee circumstances allow a reasonable fee, based on administrative costs, only when a request is manifestly unfounded or manifestly excessive (in which case the organization may instead refuse to act on it), and for further copies of data that has already been supplied.

Unfounded requests might include those submitted with malicious intent, lacking any genuine purpose, or designed primarily to harass or disrupt business operations.

Excessive requests could involve repeated submissions of identical or nearly identical requests within short time periods, or requests requiring disproportionate effort compared to their legitimate purpose.

Fee calculation must be based on actual administrative costs, not profit margins. Organizations should document their fee structures and be prepared to justify charges to regulatory authorities.

Charging for subject access requests outside these narrow cases carries real regulatory risk: supervisory authorities treat an unjustified fee as an obstacle to exercising the right, and it is the organization that must show the request was manifestly unfounded or excessive.

When organizations believe a fee is justified, they should clearly communicate the rationale to individuals and provide detailed cost breakdowns. Fees should never be used as a deterrent to legitimate requests.

When organizations can refuse requests

Organizations can refuse to comply with subject access requests in limited circumstances, but refusal decisions carry substantial regulatory scrutiny and potential liability.

Manifestly unfounded requests lack any genuine purpose for exercising access rights. Examples might include requests submitted solely to cause disruption, with no intention of using the information constructively.

Manifestly excessive requests place unreasonable burdens on organizations relative to their legitimate purposes. This could include requests for enormous volumes of data with no specific focus or repeated identical requests within short periods.

Legal exemptions vary by jurisdiction but commonly include:

  • National security considerations
  • Prevention or detection of crime
  • Legal professional privilege
  • Regulatory investigations
  • Protection of other individuals' rights and freedoms

Refusal procedures require organizations to tell the individual, within the one-month period, that they are not acting on the request and why, and to inform them of their right to complain to the supervisory authority and to seek a judicial remedy.

Organizations refusing requests must be prepared to defend their decisions to regulatory authorities and potentially in court proceedings. The burden of proof lies with the organization to demonstrate that refusal is justified.

Documentation requirements mandate that organizations maintain detailed records of refusal decisions, including the rationale and supporting evidence for their position.

Third-party requests and authorization

Subject access requests can be submitted by individuals personally or through authorized representatives acting on their behalf.

Parental requests for children's data require careful consideration of the child's age, maturity, and capacity to understand the implications of disclosure.

Legal representatives including solicitors, attorneys, and other legal professionals can submit requests with appropriate authorization documentation.

Power of attorney documents provide clear authorization for representatives to act on behalf of individuals who cannot submit requests personally.

Guardian appointments for individuals with diminished capacity create similar authorization relationships.

Workplace representatives such as union officials might submit requests on behalf of employees, but organizations should verify the scope and legitimacy of representation.

Family member requests require particularly careful handling. Organizations must verify that the family member has genuine authorization and consider whether disclosure might conflict with the data subject's interests or wishes.

Authorization verification should be proportionate to the sensitivity and volume of information requested. Simple written consent might suffice for basic requests, while formal legal documentation could be required for sensitive data categories.

Organizations should establish clear policies about what authorization documents they accept and how they verify their authenticity and current validity.

Organizational responsibilities

Organizations must establish comprehensive procedures and systems to handle subject access requests efficiently and compliantly.

Designated response teams should have clear roles and responsibilities for processing different types of requests. Larger organizations might need specialized teams for employee, customer, and third-party requests.

Request logging systems must capture all relevant details about incoming requests, including submission dates, requester information, response deadlines, and processing status.

Data location mapping helps organizations identify where personal data resides across their systems, databases, and third-party integrations.

Standard response templates ensure consistent communication while allowing customization for specific circumstances and request types.

Quality control processes should verify that responses are complete, accurate, and appropriately formatted before being sent to individuals.

Staff training programs must cover request recognition, proper handling procedures, escalation protocols, and legal requirements.

Documentation practices should maintain detailed records of all requests, responses, and any unusual circumstances or decisions.

Common challenges and solutions

Organizations frequently encounter practical difficulties when implementing subject access request procedures.

Data fragmentation across multiple systems, databases, and third-party integrations makes comprehensive responses challenging. Organizations need systematic approaches to identify and extract data from all relevant sources.

Legacy system integration often presents technical obstacles when trying to export data in usable formats. Some older systems lack modern data export capabilities or require manual intervention.

Volume management becomes problematic for organizations receiving large numbers of requests. Manual processing approaches quickly become unsustainable without appropriate technology solutions.

Staff coordination across different departments and teams requires clear communication protocols and shared tracking systems.

Response formatting must balance completeness with readability. Raw database dumps aren't user-friendly, but overly simplified summaries might omit required information.

Third-party data complications arise when personal information spans multiple organizations or service providers. Coordination and data sharing agreements become necessary.

Successful organizations typically invest in dedicated privacy management platforms that automate request intake, data discovery, response generation, and deadline tracking.

Best practices for compliance

Effective subject access request management requires strategic planning and ongoing attention to operational details.

Proactive preparation through regular data mapping exercises helps organizations understand their data landscape and identify potential response challenges before requests arrive.

Clear communication channels should be established and prominently displayed on websites and in privacy notices. Individuals should know exactly where and how to submit requests.

Response standardization through templates and checklists ensures consistency and completeness while reducing processing time and potential errors.

Regular training updates keep staff members informed about evolving legal requirements and internal procedures.

Performance monitoring through metrics tracking helps identify bottlenecks, improve efficiency, and demonstrate compliance to regulatory authorities.

Technology integration with existing systems reduces manual effort and improves accuracy in data identification and extraction.

Stakeholder coordination between legal, IT, privacy, and business teams ensures that all perspectives are considered in policy development and response procedures.

Modern compliance requires sophisticated technology platforms that can automate much of the subject access request process. Tools like ComplyDog integrate with existing business systems to streamline data discovery, automate response generation, and maintain compliance records. These platforms transform what was once a manual, error-prone process into an efficient, auditable workflow that helps organizations meet their legal obligations while building trust with individuals who exercise their privacy rights.
