What is a DSAR? Data subject access requests, explained.

A data subject access request (DSAR) is a request from an individual to see the personal data an organization holds about them. GDPR gives everyone this right, sets a tight response clock, and expects a complete answer — including the copies most teams forget.


What it is

The right to ask 'what do you have on me?'

Under GDPR Article 15, any individual can ask an organization whether it is processing their personal data and, if so, to receive a copy of that data plus supporting information — the purposes of processing, who the data is shared with, how long it is kept, and where it came from. That request is a DSAR (also called a subject access request, or SAR).

DSARs are usually free, can be made in any format (email, web form, even verbally), and do not have to use the word 'DSAR' or cite the law. If a person asks for their data, the clock starts — whether or not they phrased it formally.


The process

How a DSAR flows, start to finish.

01 / Receive & verify

Log the request with a timestamp and confirm the requester's identity using proportionate checks — enough to prevent handing data to the wrong person, without demanding excessive documentation.

02 / Locate the data

Find every system that holds the person's data: production databases, the analytics warehouse, derived tables, backups, and connected SaaS tools. This is the step that most often goes wrong.

03 / Review & redact

Remove information about other people and any material covered by a valid exemption, while keeping the requester's own data intact.

04 / Respond

Provide the data in a concise, intelligible, accessible form — commonly a portable electronic copy — along with the required context about how it is processed.


Timelines

How long do you have to respond?

The default deadline is one calendar month from receipt. You can extend by up to two further months for requests that are complex or numerous, but only if you tell the requester about the extension and the reason within the first month.

You generally cannot charge a fee. For requests that are manifestly unfounded or excessive — for example, repetitive requests — you may charge a reasonable fee or refuse, but the bar for doing so is high and you must be able to justify it.


The hard part

Completeness is where DSARs break.

The single biggest failure mode is an incomplete answer: you export the CRM and the app database but miss the copy of the customer's data that a nightly pipeline materialized into an analytics mart, or the record still sitting in a marketing tool. A DSAR that omits data the person clearly gave you undermines trust and can trigger a complaint.

Answering DSARs reliably requires the same foundation as answering deletion requests — an accurate, live map of where each person's data lives across every system. When discovery is a property of the system rather than a manual hunt, both access and erasure requests become routine instead of stressful.


FAQ

Common questions

What is the difference between a DSAR and a deletion request?

A DSAR (Article 15) is a request to see a copy of the personal data an organization holds about someone. A deletion request, or right to erasure (Article 17), asks the organization to delete that data. Both depend on knowing exactly where the person's data lives.

How long do you have to respond to a DSAR?

One calendar month from receipt by default. This can be extended by up to two additional months for complex or numerous requests, provided you notify the requester of the extension and the reason within the first month.

Can you charge for a DSAR?

Generally no — access must be provided free of charge. You may charge a reasonable fee or refuse only where a request is manifestly unfounded or excessive, and you must be able to demonstrate why that threshold was met.

Do DSARs cover data in a data warehouse?

Yes. A DSAR covers personal data wherever it is processed, including analytics warehouses, derived tables, and backups — not just the primary application database. Missing warehouse copies is a common cause of incomplete responses.

