A DSAR response isn't just the documents — it's the covering letter that accompanies them. Article 15 of the GDPR requires you to provide specific supplementary information alongside the personal data. The covering letter is also where you explain any redactions, exemptions applied, and the requester's further rights.
This template covers GDPR and UK GDPR requirements. Adapt the language for your jurisdiction and organisation. For the full redaction process, see our DSAR redaction guide.
The template
[Your Organisation Name]
[Address]
[Date]
Subject: Response to your Data Subject Access Request
Dear [Requester Name],
Thank you for your request dated [date of original request] to access your personal data held by [Organisation Name]. We received your request on [date received] and have processed it in accordance with Article 15 of the [UK GDPR / EU GDPR].
Personal data enclosed
Please find enclosed [number] documents containing your personal data. These documents were identified through searches of the following systems: [list systems searched, e.g., email archive, HR information system, shared drives, CRM].
Redactions applied
Certain information has been redacted from the enclosed documents to protect the rights and freedoms of other individuals, in accordance with Article 15(4) of the [UK GDPR / EU GDPR] and [Section 45 of the Data Protection Act 2018 / equivalent national legislation]. Specifically:
— Third-party personal data has been redacted where disclosure would adversely affect the rights of other identifiable individuals and where the conditions for disclosure without consent are not met.
— [If applicable] Information subject to legal professional privilege has been withheld under [Schedule 2, Part 4, Paragraph 19 of the DPA 2018].
— [If applicable] Confidential references have been withheld under [Schedule 2, Part 3, Paragraph 24 of the DPA 2018].
— [If applicable] Information relating to ongoing [investigations / negotiations / management planning] has been withheld under [cite specific paragraph].
In each case, we have applied the exemption only to the specific data to which it applies, and have disclosed all non-exempt personal data within the affected documents.
Supplementary information
In accordance with Article 15(1) and (2) of the [UK GDPR / EU GDPR], we confirm the following:
Purposes of processing: [List purposes, e.g., employment administration, payroll, performance management, client relationship management]
Categories of personal data: [List categories, e.g., identification data, contact details, employment records, financial data, communications]
Recipients or categories of recipients: [List, e.g., payroll provider, pension administrator, HMRC, occupational health provider]
Retention period: [State period or criteria, e.g., "Employment records are retained for 6 years following the end of employment, in accordance with our data retention policy."]
Source of data: [If not collected directly from the individual, state the source]
Automated decision-making: [State whether any automated decision-making, including profiling, has been applied to the individual's data, and if so, provide meaningful information about the logic involved and the significance and envisaged consequences]
Your rights
You have the right to request rectification of inaccurate personal data, erasure of personal data in certain circumstances, restriction of processing, and data portability. You also have the right to object to processing based on legitimate interests or for direct marketing purposes.
If you are dissatisfied with our response, you have the right to lodge a complaint with the [Information Commissioner's Office (ICO) / relevant supervisory authority]. The ICO can be contacted at ico.org.uk or by telephone on 0303 123 1113.
If you have any questions about this response, please contact [DPO name / privacy team] at [email address].
Yours sincerely,
[Name]
[Title, e.g., Data Protection Officer]
[Organisation Name]
How to customise this template
For employee DSARs
Add language about the specific exemptions relevant to employment: confidential references (DPA 2018 Schedule 2, Part 3, Para 24), management forecasting (Para 22), and negotiations (Para 23). If the employee has a solicitor, address the response to the solicitor with a copy to the employee. See our employee DSAR redaction guide for detailed guidance.
For CCPA responses
Replace GDPR references with CCPA Section 1798.100 et seq. Include the categories of personal information collected, the categories of sources, the business or commercial purpose for collection, and the categories of third parties with whom personal information is shared. The 45-day deadline applies. See our CCPA DSAR guide.
For extension requests
If you need additional time (up to two further months under GDPR), you must inform the requester within the original one-month period, explain the reasons for the delay, and provide a revised deadline. Use a separate letter for the extension notification — don't wait until the extended deadline to communicate.
Internal documentation template
The covering letter is the external document. Internally, you should maintain a parallel record for each DSAR that includes:
Request log: Date received, requester identity, scope of request, identity verification method and date, assigned reviewer, deadline date (including any extension).
Search log: Systems searched, search terms used, date of each search, number of results per system, any systems excluded and the reason.
Redaction log: For each document, record the document identifier, type (email, HR record, etc.), number of PII items detected, number redacted, exemptions applied (with the specific statutory reference and the reasoning), reviewer name, and review date.
Delivery log: Date sent, delivery method, files included, confirmation of receipt (if applicable).
Retain these records for a minimum of three years. The ICO can investigate complaints about historical DSARs, and your documentation is your primary defence.
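As an added illustration of the internal record above and the extension rule in the previous section (example code, not part of the original template): a small register entry that computes the original and extended deadlines, the three-year retention date, and flags the gaps a reviewer would catch before sending. The month-end clamping convention for "one month", the field names and the sample values are assumptions.

```python
import calendar
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

def add_months(d: date, months: int) -> date:
    """Calendar months, clamped to month end (assumed: 31 Jan + 1 month = last day of Feb)."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))

@dataclass
class DsarRecord:
    reference: str
    received: date
    extension_months: int = 0                  # GDPR: up to two further months
    extension_notified: Optional[date] = None  # must fall within the original month
    searches: list = field(default_factory=list)    # dicts: system, terms, hits
    redactions: list = field(default_factory=list)  # dicts: doc_id, redacted, exemption
    delivered: Optional[date] = None
    def original_deadline(self) -> date:
        return add_months(self.received, 1)
    def deadline(self) -> date:
        return add_months(self.received, 1 + self.extension_months)
    def retain_until(self) -> date:
        # Keep the record for at least three years after the case closes.
        return add_months(self.delivered or self.deadline(), 36)
    def problems(self) -> list:
        """Checks mirroring the 'Records' line of the pre-send checklist; [] means clean."""
        issues = []
        if not 0 <= self.extension_months <= 2:
            issues.append("extension exceeds two further months")
        if self.extension_months and (self.extension_notified is None or
                                      self.extension_notified > self.original_deadline()):
            issues.append("extension not notified within original one-month period")
        if not self.searches:
            issues.append("search log empty")
        for r in self.redactions:
            if r.get("redacted", 0) and not r.get("exemption"):
                issues.append(f"{r['doc_id']}: redaction without statutory reference")
        if self.delivered and self.delivered > self.deadline():
            issues.append("delivered after deadline")
        return issues

def example_record() -> DsarRecord:
    """Constructed sample: received 31 Jan 2024, extended two months, notified in time."""
    return DsarRecord("DSAR-EXAMPLE-001", date(2024, 1, 31), extension_months=2,
                      extension_notified=date(2024, 2, 20),
                      searches=[{"system": "email archive", "hits": 142}],
                      redactions=[{"doc_id": "DOC-001", "redacted": 3, "exemption": "DPA 2018 s.45"}])
```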
SafeRedact generates audit-ready documentation automatically. Every PII detection, every keep/redact decision, and every applied redaction is logged with timestamps. Export the log alongside your redacted documents to populate the redaction section of your internal records.
Pre-send checklist
Documents: All identified personal data included. All third-party PII redacted. All exemptions documented. Metadata stripped from all output files. Correct (redacted) version confirmed — not the working draft.
Covering letter: All Article 15 supplementary information included. Redaction explanation present. Rights information included. ICO (or relevant authority) complaint details provided. Contact details for follow-up questions.
Delivery: Secure delivery method (encrypted email, secure portal, password-protected download). Electronic format for electronic requests. Verification by a second person that the correct files are attached.
Records: Internal DSAR log updated. Search log complete. Redaction log complete. Delivery confirmation recorded.