Data Subject Access Request (DSAR)

What is a Data Subject Access Request (DSAR)?

A data subject access request (DSAR) is a request made by an individual to an organization for access to a copy of their personal information or related materials, and should be treated as an expression of the individual’s “right of access” as described in the General Data Protection Regulation (GDPR). Such requests for personal information or otherwise sensitive data may be communicated to an organization by written or verbal means, via all verifiable platforms, and may also be made by a third party on the individual’s behalf.

Unless a valid exemption or restriction applies, or a request is demonstrably incoherent or unreasonable, the organization must provide the information requested in the DSAR within a specified timeframe in order to remain in compliance with the data subject rights and privacy laws outlined in the GDPR.

What is the purpose of DSAR?

The purpose of a Data Subject Access Request, in most cases, is to satisfy an individual’s right to access their personal data. There are a variety of specific reasons an individual might file a DSAR, but it is generally in the interest of transparency, and a means of understanding and keeping track of how, and for what purposes, an organization is using their personal information. A DSAR can be made in any terms, and individuals are not required to use any specific language or formal references, as long as it is an obvious request for their personal data.

While a DSAR might be made by a third party on behalf of an individual, it is the responsibility of the third party to prove their entitlement to do so according to privacy law. The organization should feel confident about the evidence provided before giving access to personal data, and should seek legal advice if it has concerns. Even children have the right to request a copy of their personal data or consumer data, and can be responded to directly if an organization has reason to believe they are competent enough to understand their rights.

DSAR Request Process and Compliance

It is important that an organization is always prepared to respond to a Data Subject Access Request, provided it is lawful and reasonable, and to be able to do so in a timely manner, typically no more than one month after receiving the request. Extensions may be allowed in cases where a request is complicated or contains various items. If a DSAR is unspecific, an organization can ask for the individual to specify the request, and will not be obligated to provide information until clarification is received.

The organization can, and should, ask for formal identification upon receiving a Data Subject Access Request, and all usual security precautions related to personal data should be applied. Requested data may be supplied to the requester in whatever format they prefer, wherever it can be done securely, and the organization should verify the requester’s preference upon receiving a data subject request.

Data Subject Access Request Exemptions

It is possible for an organization to refuse, or partially refuse, to comply with a DSAR where legal restrictions may apply to the fulfillment of the requested data processing. Roadblocks to compliance might include criminal liability, confidentiality preservation, and a number of other regulatory exemptions as detailed in the GDPR. If an organization has any legitimate reason to refuse to provide personal data in response to a DSAR, it must inform the individual of the specific exemption, as well as of their right to seek legal or disciplinary recourse.

Organizations should consult all relevant information and legal resources regarding privacy law exemptions and restrictions before responding to a request.

