Learn / DSARWhat is a DSAR? Data subject access requests, explained.
A data subject access request (DSAR) is a request from an individual to see the personal data an organization holds about them. GDPR gives everyone this right, sets a tight response clock, and expects a complete answer — including the copies most teams forget.
What it isThe right to ask 'what do you have on me?'
Under GDPR Article 15, any individual can ask an organization whether it is processing their personal data and, if so, to receive a copy of that data plus supporting information — the purposes of processing, who the data is shared with, how long it is kept, and where it came from. That request is a DSAR (also called a subject access request, or SAR).
DSARs are usually free, can be made in any format (email, web form, even verbally), and do not have to use the word 'DSAR' or cite the law. If a person asks for their data, the clock starts — whether or not they phrased it formally.
TimelinesHow long do you have to respond?
The default deadline is one calendar month from receipt. You can extend by up to two further months for requests that are complex or numerous, but only if you tell the requester about the extension and the reason within the first month.
You generally cannot charge a fee. For requests that are manifestly unfounded or excessive — for example, repetitive requests — you may charge a reasonable fee or refuse, but the bar for doing so is high and you must be able to justify it.
The hard partCompleteness is where DSARs break.
The single biggest failure mode is an incomplete answer: you export the CRM and the app database but miss the copy of the customer's data that a nightly pipeline materialized into an analytics mart, or the record still sitting in a marketing tool. A DSAR that omits data the person clearly gave you undermines trust and can trigger a complaint.
Answering DSARs reliably requires the same foundation as answering deletion requests — an accurate, live map of where each person's data lives across every system. When discovery is a property of the system rather than a manual hunt, both access and erasure requests become routine instead of stressful.