Data Subject Access Request (DSAR Management) for GDPR Compliance

Every person whose data your organization processes has the right to ask what you hold on them and what you're doing with it. That's the core of a data subject access request (DSAR), and under Europe's General Data Protection Regulation (GDPR), it's not optional. The right to submit a DSAR is baked into the regulation's foundation, and it has since been adopted by other privacy frameworks including the UK GDPR, Brazil's LGPD, and comprehensive state privacy laws in the United States. DSARs can arrive verbally or in writing through any verifiable channel, and under the GDPR a third party can submit one on someone else's behalf.

Unless a valid exemption applies or the request is demonstrably unfounded or excessive, the organization must fulfill the DSAR within the GDPR's specified timeframe. European regulators have turned data subject rights into a coordinated enforcement priority, and organizations that treat DSAR management as an afterthought are the ones getting fined.

Who Does the GDPR Apply To?

The GDPR's reach is broader than most organizations initially expect. It applies to any organization that processes personal data of individuals located in the EU or EEA, regardless of where the organization itself is headquartered. A company based in New York, Singapore, or São Paulo that collects data from EU residents through its website, app, or services is subject to the GDPR just as much as a company based in Berlin.

The GDPR applies in two scenarios. First, any organization with an establishment in the EU that processes personal data in the context of that establishment's activities. Second, organizations outside the EU that offer goods or services to individuals in the EU or that monitor the behavior of individuals in the EU. That second category gives the GDPR its extraterritorial force and is the reason the regulation has reshaped privacy practices globally.

In practice, this means the GDPR covers multinational corporations, SaaS companies with European customers, e-commerce businesses shipping to EU addresses, employers with EU-based staff, and any organization running digital advertising, analytics, or tracking that touches EU user data. Healthcare providers, fintech platforms, retailers, manufacturers, professional services firms: the industry an organization operates in does not affect whether the GDPR applies.

Organizations that fall within scope and receive DSARs must comply with the full set of GDPR data subject rights, including the right of access.

What Is a Data Subject Access Request (DSAR)?

A DSAR is a formal request from anyone whose personal data an organization holds. The requester (sometimes called the "data subject") can be a customer, employee, contractor, vendor, job applicant, or anyone else whose information sits in your systems. You may also see DSARs referred to as privacy requests, subject access requests (SARs), or consumer privacy requests depending on the jurisdiction and context.

DSARs vs DSRs

The terms DSAR and DSR (data subject request) are sometimes used interchangeably, but they mean different things.

A DSAR refers specifically to requests for access. The individual wants to see what data an organization holds about them and understand how it's being processed. A DSR is the broader umbrella term that covers all the rights a data subject can exercise under the GDPR, including requests to correct data, pause or restrict processing, delete data, transfer data to another controller (data portability), and object to certain types of processing. Access is just one of those rights, and it's the most commonly exercised one. According to the EDPB's 2024 coordinated enforcement report, the right of access is the data protection right that supervisory authorities receive the most complaints about across the EEA.

Why Would Someone Submit a DSAR or DSR?

People submit DSARs and DSRs for a range of reasons, and curiosity about what a company knows is only one of them.

Data privacy concerns. Someone wants to understand the full scope of data an organization holds about them and how that data is being used, shared, or sold. This is the most common trigger.

Data breach recovery. After a breach notification, individuals often file DSARs to determine exactly which of their data was involved and who had access to it.

Data correction. Information may be inaccurate or outdated. A DSAR provides the starting point: once the individual sees the data, they can follow up with a correction request.

Evidence gathering. The CJEU confirmed in Case C‑307/22 that individuals have the right to a free first copy of their personal data regardless of the reason for the request. Organizations cannot refuse an access request simply because the requester's motivations fall outside what GDPR Recital 63 describes as the "standard" purpose.

Data deletion. An individual who wants their data erased will often begin with a DSAR to verify what exists before submitting a separate deletion request.

Summary of data collection. Organizations must provide a clear accounting of data they hold on an individual, including processing purposes, retention periods, and third parties with whom data has been shared.

Who Can Submit a DSAR?

Any data subject can submit a DSAR to an organization responsible for their personal data. Under the GDPR, that includes employees, contractors, suppliers, partners, customers, former customers, job applicants, and website visitors: in short, anyone whose personal data the organization processes. The request can be verbal, written, or electronic: email, web form, phone, or even social media.

Third parties can also submit DSARs on behalf of individuals: a parent or guardian requesting on behalf of a child, a legal representative acting for a client, or a family member acting with documented authority.

Under the GDPR, a request doesn't need to reference "DSAR," "right of access," or "Article 15" to be valid. Any communication that makes clear the individual is asking for their personal data counts. This is worth emphasizing, because organizations that require specific forms or language risk non-compliance. The GDPR places no formal requirements on how a subject makes their request.

What's Included in a DSAR Response?

A DSAR response must include a copy of all personal data the organization holds on the requester, provided in a concise, transparent, and easily accessible format. Beyond the data itself, organizations must also disclose the purposes of processing, the categories of personal data collected, the recipients or categories of recipients who have received the data, the envisaged data retention period, and information about the individual's other rights (including the right to lodge a complaint with a supervisory authority).

If automated decision-making affects the individual, the CJEU ruled in February 2025 (Case C‑203/22) that the organization must provide a genuine explanation of the procedures and principles involved, not merely a mathematical formula or algorithm reference. Any organization using AI-driven scoring, profiling, or decisioning systems should pay close attention to this ruling.

What Are the Categories of Personal Data?

The GDPR defines personal data broadly: any information relating to an identified or identifiable person, including names, identification numbers, location data, online identifiers, and factors specific to their physical, genetic, mental, economic, or social identity.

The GDPR also designates special categories of sensitive data that receive additional protections and generally cannot be processed without explicit consent or another specific legal basis: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used for identification, health data, and data concerning sex life or sexual orientation.

What Are Data Subject Rights?

While DSARs cover access specifically, the GDPR grants data subjects a broader set of rights. Individuals have the right to be informed about the collection and use of their personal data, the right to access that data and learn how it's processed, the right to have inaccurate data corrected (within one month), the right to have their data erased (the "right to be forgotten"), the right to restrict processing, the right to data portability, the right to object to processing for marketing or other purposes, and the right not to be subject to automated decision-making including profiling.

These rights are interconnected. An access request often leads to a correction or deletion request. The EDPB's coordinated enforcement actions reflect this: after focusing on the right of access in 2024, the Board selected the right to erasure as its 2025 enforcement priority. Access and deletion form a natural sequence in how people exercise control over their data.

What's the Standard DSAR Response Process?

Step 1: Collect and log requests

Formalize how requests come in. Most organizations start with customer-facing web forms, but you also need to handle requests arriving by email, phone, social media, or in person. Establish intake channels including a branded online form, a dedicated email address, and documented intake procedures. A logging system that captures the requester's identity, request type, date received, applicable deadline, and fulfillment status is essential. This log becomes your compliance record if a regulator asks questions.

Step 2: Verify identity and review the request

Before disclosing any personal data, verify the requester's identity. A fraudulent access request that results in data being sent to the wrong person is itself a data breach. That said, verification needs to be proportionate. Don't demand a passport when the data in question is a marketing email list. The least intrusive approach uses information you already hold to authenticate the request: confirm an attribute on file, then send a verification code through that channel.

Once identity is confirmed, review the request. Not every DSAR is identical. Some request all personal data, others target specific systems or time periods. Acknowledge receipt, which starts the clock on your response deadline.

Step 3: Gather, package, and review the data

This is where most DSAR fulfillment processes break down. Personal data is rarely stored in one place. It's spread across CRMs, marketing platforms, HR systems, data warehouses, SaaS tools, and service providers, whether you're operating in healthcare, fintech, retail, or any other sector handling consumer data at scale.

Document which systems to search, where to compile results, and who has authorization to access each source. Plan for complications: healthcare companies may face HIPAA obligations on top of the DSAR, data involving third parties may require redaction, and data under legal hold may be exempt from deletion but still must be disclosed in an access response. Log every step, because this documentation protects you in an audit.

Step 4: Deliver the response

Deliver the response securely. The report should use clear, plain language and cover the personal data itself, processing purposes, categories of data collected, retention timelines, and recipients. Under the GDPR, requests submitted electronically must be answered electronically unless the individual requests otherwise. Mark the request complete in your tracking system and retain the fulfillment record in line with applicable limitation periods and regulatory guidance.
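The four steps above describe a request log that tracks identity verification, the one-month deadline, any extension, and completion. The following Python sketch is an added example written for this article, not DataGrail's code: it assumes the deadline falls on the same calendar day of the following month (clamped to month end), caps an extension at two further months that must be notified inside the initial month, and refuses to move a request past verification until identity is confirmed. All field names and the sample request are constructed for illustration.

```python
"""Minimal DSAR intake log for the workflow in Steps 1-4 (illustrative, hypothetical)."""
import calendar
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# Workflow states in the order a request must pass through them.
STATES = ("received", "verified", "gathering", "delivered")


def add_months(start: date, months: int) -> date:
    """Same calendar day `months` later, clamped to that month's last day
    (assumption: e.g. 31 Jan + 1 month -> 28 Feb in a non-leap year)."""
    month_index = start.month - 1 + months
    year = start.year + month_index // 12
    month = month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


@dataclass
class DsarRecord:
    request_id: str            # hypothetical internal identifier
    requester: str             # contact attribute already on file (e.g. email)
    request_type: str          # "access", "erasure", "correction", ...
    received: date
    channel: str               # "web_form", "email", "phone", "social"
    status: str = "received"
    deadline: date = field(init=False)
    extended_until: Optional[date] = None
    audit: List[str] = field(default_factory=list)   # the compliance record

    def __post_init__(self) -> None:
        self.deadline = add_months(self.received, 1)   # one month from receipt
        self.audit.append(f"{self.received}: {self.request_type} request via {self.channel}")

    def extend(self, today: date, months: int, reason: str) -> None:
        """Record an extension: at most two further months, notified within the initial month."""
        if not 1 <= months <= 2:
            raise ValueError("extension is limited to two further months")
        if today > self.deadline:
            raise ValueError("extension must be notified within the initial one-month window")
        if self.extended_until is not None:
            raise ValueError("deadline already extended once")
        self.extended_until = add_months(self.deadline, months)
        self.audit.append(f"{today}: extended to {self.extended_until} because {reason}")

    def advance(self, today: date, new_status: str, note: str) -> None:
        """Move to the next state only; e.g. no data gathering before identity is verified."""
        if STATES.index(new_status) != STATES.index(self.status) + 1:
            raise ValueError(f"cannot move from {self.status} to {new_status}")
        self.status = new_status
        self.audit.append(f"{today}: {new_status}: {note}")

    def effective_deadline(self) -> date:
        return self.extended_until or self.deadline

    def is_overdue(self, today: date) -> bool:
        return self.status != "delivered" and today > self.effective_deadline()


def sample_request() -> DsarRecord:
    """Constructed walk-through: received 31 Jan, verified, then extended by two months."""
    rec = DsarRecord("DSAR-0001", "requester@example.com", "access", date(2026, 1, 31), "web_form")
    rec.advance(date(2026, 2, 2), "verified", "matched email on file; code confirmed via that channel")
    rec.extend(date(2026, 2, 10), 2, "data spread across many connected systems")
    rec.advance(date(2026, 2, 11), "gathering", "search of CRM, HR and marketing systems started")
    return rec
```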

What Is the Role of a Data Protection Officer (DPO) in the DSAR Process?

The EDPS defines the DPO's primary role as ensuring that their organization processes personal data in compliance with applicable data protection rules. Under the GDPR, certain organizations must appoint a DPO: public authorities, organizations whose core activities involve large-scale systematic monitoring, and those processing special categories of data at scale. In the DSAR context, the DPO typically oversees the fulfillment program and serves as the point of contact for supervisory authorities. Any employee can receive a valid DSAR, though, and the organization must handle it properly regardless of where or how it arrives.

Who Should Respond to a DSAR?

For companies building a DSAR fulfillment program from scratch, team members with privacy regulation knowledge and fulfillment experience help significantly during setup. Once workflows are documented, day-to-day fulfillment becomes more procedural. The critical decisions around exemptions, redactions, and escalations get elevated to legal or privacy leadership while routine requests move through established processes.

How Much Time Is Allowed to Respond to a DSAR?

Under the GDPR, organizations must respond to a DSAR within one month of receipt. For complex requests or when an organization is handling a high volume of requests, the deadline can be extended by an additional two months, but the individual must be notified of the extension and the reasons for it within the initial one-month window. Other privacy laws set similar but not identical deadlines: the UK GDPR mirrors the one-month standard, while U.S. state laws typically allow 30 to 45 days with varying extension provisions.

The CJEU clarified in January 2025 (Case C‑416/23) that the frequency of requests alone doesn't make them "excessive" under the GDPR. The supervisory authority must demonstrate abusive intent. An individual who submits multiple DSARs is exercising a fundamental right, and organizations shouldn't treat volume as grounds for refusal unless there's clear evidence of bad faith.

What Happens If You Don't Respond to DSARs in Time?

Failing to fulfill DSARs on time creates three categories of risk.

Regulatory exposure. As detailed in the enforcement section below, European supervisory authorities have made data subject rights a coordinated enforcement priority. France's CNIL issued 16 separate sanctions in 2024 for access-right failures alone. GDPR fines for DSAR violations can reach €20 million or 4% of annual global turnover, whichever is greater.

Customer trust erosion. DSARs are a direct expression of consumer agency over personal data. When the process is slow, opaque, or unresponsive, it signals to customers that privacy isn't a real priority. That impression is hard to reverse.

Operational compounding. Backlogs create their own problems. As unfulfilled requests pile up, the risk of missed deadlines increases, manual coordination becomes unmanageable, and the organization becomes more vulnerable to regulatory scrutiny at exactly the moment it can least afford it.

Can My Company Charge a Fee for DSAR Response?

In most cases, no. Organizations must provide the first copy of personal data free of charge. The CJEU reinforced this principle in Case C‑307/22, ruling that controllers cannot require data subjects to pay for a first copy of their processed personal data, and that national laws cannot override this right to protect the economic interests of the controller.

If subsequent requests from the same individual are manifestly unfounded or excessive, the organization may charge a reasonable fee to cover administrative costs or refuse the request entirely. The burden of proving the request is excessive falls on the organization.

What Are Some Common DSAR Response Challenges?

Navigating GDPR requirements and evolving enforcement. The GDPR's DSAR provisions are detailed, and enforcement expectations continue to evolve through EDPB guidance and CJEU case law. Organizations that also operate under the UK GDPR or U.S. state laws face additional DSAR compliance challenges from overlapping but non-identical requirements, but getting GDPR right is the foundation.

Building a repeatable workflow. DSAR fulfillment that depends on manual action doesn't scale. Without automated systems to track intake, search connected systems, and compile responses, the process bogs down fast. Manual DSAR fulfillment at scale is where most programs fail.

Managing volume. Large organizations that already receive more DSARs than they can handle manually find that rising privacy awareness, low submission barriers, and automated opt-out mechanisms push the workload higher still.

Controlling costs. Teams that rely on manual coordination, ad-hoc searches across disconnected systems, and email-based tracking create bottlenecks that drive up per-request costs and increase the risk of compliance-related fines.

Where GDPR Enforcement Stands in 2026

The GDPR is approaching its eighth year, and enforcement has not plateaued. According to DLA Piper's annual GDPR Fines and Data Breach Survey, European supervisory authorities issued approximately €1.2 billion in fines during 2025, matching 2024's total and reversing the prior year's downward trend. Cumulative GDPR fines since May 2018 now stand at roughly €7.1 billion. Ireland's Data Protection Commission leads the enforcement tables at over €4 billion in aggregate fines, including a €530 million penalty against TikTok in 2025 for transferring EU user data to China without adequate safeguards.

The same survey reported that average daily breach notifications crossed 400 for the first time, a 22% year-over-year increase driven by rising cyberattacks and expanding notification requirements. Fines related to the GDPR's security principle (Article 32) continue to feature across all surveyed jurisdictions.

On the enforcement coordination side, the EDPB's coordinated enforcement framework continues to sharpen its focus. After investigating the right of access in 2024 and the right to erasure in 2025, the EDPB selected transparency and information obligations (Articles 12-14) as its 2026 enforcement priority. That means supervisory authorities across the EEA will be scrutinizing how organizations inform individuals about data collection, processing purposes, and their rights. Organizations with unclear or incomplete privacy notices should treat this as an urgent compliance gap.

A new regulation also entered into force on January 1, 2026: Regulation (EU) 2025/2518, which lays down additional procedural rules for cross-border GDPR enforcement. The regulation introduces binding deadlines for DPAs handling cross-border cases (12 to 15 months for a resolution proposal, with a 12-month extension for the most complex cases), standardized admissibility criteria for complaints, and an early resolution mechanism. It applies to investigations opened after April 2, 2027.

What to Expect Heading into 2027

Several developments will reshape GDPR compliance over the next 12 to 18 months.

Cross-border enforcement speeds up. Once Regulation 2025/2518 takes effect in April 2027, the long delays that characterized cross-border complaints under the one-stop-shop mechanism should begin to shrink. DPAs will face binding timelines and structured cooperation requirements, which will likely increase enforcement throughput and enforcement risk for organizations processing data across multiple EU member states.

The Digital Omnibus may amend the GDPR itself. The European Commission's Digital Omnibus proposal, announced in late 2025, includes targeted amendments to the GDPR alongside changes to the AI Act and other digital regulations. Proposed changes include clarifying the definition of personal data (particularly for pseudonymized data), simplifying certain compliance obligations for SMEs, and allowing processing of special-category data to address bias in AI systems. Trilogue negotiations are expected through 2026, with implementation unlikely before late 2027.

AI Act obligations converge with GDPR. The EU AI Act's high-risk system requirements were originally scheduled for August 2026 but may be delayed to as late as December 2027 under the Digital Omnibus proposal. Organizations using AI for automated decision-making, profiling, or scoring will face overlapping obligations under both frameworks, and the Commission is developing joint guidelines with the EDPB on the interplay. Any organization handling DSARs that involve automated decisions should be tracking these developments.

EDPB coordination keeps expanding. The EDPB's coordinated enforcement actions have now covered the right of access (2024), the right to erasure (2025), and transparency obligations (2026). Each cycle produces findings that set enforcement expectations across all 30 EEA supervisory authorities. Treat the published CEF reports as practical compliance guidance, because DPAs are using them that way.

Organizations that comply with the GDPR's DSAR requirements will be well positioned for other frameworks. The UK GDPR follows a nearly identical process and was updated by the Data (Use and Access) Act in 2025. U.S. state privacy laws grant similar access rights with different procedural details. Brazil's LGPD mirrors many GDPR provisions. The GDPR remains the benchmark, and getting it right means most other frameworks fall into place with targeted adjustments.

How Can DataGrail Help with Managing DSARs?

For organizations where DSAR volume, regulation complexity, or manual processes are creating risk, purpose-built DSAR software takes the pain out of fulfillment.

DataGrail Request Manager provides DSAR automation across the full request lifecycle. Branded intake forms route requests into a centralized dashboard with automatic jurisdiction detection. DataGrail's robust verification options can authenticate requesters using data you already hold, with no government IDs, no selfies, and no friction.

From there, DataGrail searches across hundreds of connected systems to locate personal data, replacing weeks of manual coordination with minutes of automated data subject request automation. Access, deletion, correction, and opt-out requests are handled through a single platform with built-in deadline tracking, audit trails, and regulatory documentation.

Enterprise privacy teams looking for DSR software that scales with volume benefit from no-code setup, continuous system detection (including shadow IT discovery), and centralized management that lets a single person operate what used to require cross-functional sprints across legal, IT, and engineering.

To see how it works, request a demo.

Resources

European Data Protection Supervisor (EDPS). "Data Protection Officer (DPO)." 

European Data Protection Board (EDPB). "Coordinated Enforcement Framework." 

European Data Protection Board (EDPB). "CEF 2025: EDPB selects topic for next year's Coordinated Action" (right to erasure). October 10, 2024. 

Court of Justice of the European Union (CJEU). Case C‑307/22, FT v. DW. Judgment of October 26, 2023. (Right to free first copy of personal data.) 

Court of Justice of the European Union (CJEU). Case C‑203/22, Dun & Bradstreet Austria GmbH. Judgment of February 27, 2025. (Automated decision-making and DSAR disclosure requirements.) 

Court of Justice of the European Union (CJEU). Case C‑416/23. Judgment of January 9, 2025. (Excessive access requests: frequency alone does not establish abuse.) 

Global Privacy Control. 

DLA Piper. "GDPR Fines and Data Breach Survey: January 2026." 

European Data Protection Board (EDPB). "CEF 2026: EDPB Launches Coordinated Enforcement on Right of Information" (transparency, Articles 12-14). 

Regulation (EU) 2025/2518 of the European Parliament and of the Council of 26 November 2025, laying down additional procedural rules relating to the enforcement of Regulation (EU) 2016/679. Official Journal of the European Union.