Data Subject Access Request (DSAR)
What is Data Subject Access Request (DSAR)?
Data Subject Access Request (DSAR): A formal request from an individual to a controller asking which of their personal data is being processed and obtaining a copy of it, as guaranteed by GDPR Article 15 and similar laws.
A Data Subject Access Request (DSAR) is the procedure through which an individual exercises the right of access under GDPR Article 15, UK DPA 2018, CCPA Section 1798.110, LGPD Article 18, and other regimes. The controller must confirm whether personal data is processed, provide a copy, and disclose purposes, recipients, retention, sources, automated decision-making, and international transfers. Responses are typically due within one month for GDPR and 45 days for CCPA, free of charge for the first request. Operationally, organizations identify the requester, search structured and unstructured systems, redact third-party data, log decisions, and may extend timelines for complex cases. Repeated, manifestly unfounded, or excessive requests can be refused or charged a reasonable fee.
● Examples
- 01: A former employee asks for all personal data held in HRIS, email backups, and CCTV footage.
- 02: A customer requests a portable export of their order history under GDPR Article 20 alongside a DSAR.
● Frequently asked questions
What is Data Subject Access Request (DSAR)?
A formal request from an individual to a controller asking which of their personal data is being processed and obtaining a copy of it, as guaranteed by GDPR Article 15 and similar laws. It belongs to the Privacy & Data Protection category of cybersecurity.
What does Data Subject Access Request (DSAR) mean?
A formal request from an individual to a controller asking which of their personal data is being processed and obtaining a copy of it, as guaranteed by GDPR Article 15 and similar laws.
How does Data Subject Access Request (DSAR) work?
A Data Subject Access Request (DSAR) is the procedure through which an individual exercises the right of access under GDPR Article 15, UK DPA 2018, CCPA Section 1798.110, LGPD Article 18, and other regimes. The controller must confirm whether personal data is processed, provide a copy, and disclose purposes, recipients, retention, sources, automated decision-making, and international transfers. Responses are typically due within one month for GDPR and 45 days for CCPA, free of charge for the first request. Operationally, organizations identify the requester, search structured and unstructured systems, redact third-party data, log decisions, and may extend timelines for complex cases. Repeated, manifestly unfounded, or excessive requests can be refused or charged a reasonable fee.
How do you defend against Data Subject Access Request (DSAR)?
Handling a Data Subject Access Request (DSAR) combines technical controls and operational practices, as described in the full definition above: verifying the requester's identity, searching structured and unstructured systems for the person's data, redacting third-party data from the copy provided, logging each decision, and tracking the response deadline (typically one month under GDPR and 45 days under CCPA), including any extension for complex cases.
What are other names for Data Subject Access Request (DSAR)?
Common alternative names include: DSAR, Subject Access Request, Right of Access.
● Related terms
- Right to Be Forgotten (privacy, № 932): The right of an individual to obtain the erasure of personal data concerning them when there is no overriding legal reason to keep processing it, under GDPR Article 17.
- GDPR (compliance, № 440): The European Union's General Data Protection Regulation governing the processing of personal data of individuals in the EU and EEA.
- Personally Identifiable Information (PII) (privacy, № 818): Any data that can identify a specific individual on its own or when combined with other information, such as names, identifiers, or biometric records.
- Consent Management (privacy, № 210): The processes and tooling used to collect, record, refresh, and honor user permissions for processing personal data and setting cookies, in line with privacy law.
- Data Retention (privacy, № 284): The policies and controls that define how long different categories of data are kept and when they are securely deleted, archived, or anonymized.
- Privacy by Design (privacy, № 856): An engineering and governance approach that embeds privacy considerations into systems, processes, and defaults from the earliest design stages rather than bolting them on later.