What Is a DSAR? Data Subject Access Requests Explained
A DSAR — Data Subject Access Request — is one of the most powerful rights in modern privacy law. It lets any individual ask an organisation to hand over every piece of personal data it holds about them. If your organisation processes personal data, you will receive DSARs. Here's everything you need to know.
DSAR meaning and definition
A Data Subject Access Request (DSAR) is a formal request from an individual — the "data subject" — to an organisation that holds their personal data. The request compels the organisation to provide a copy of all personal data it processes about that individual, along with information about how and why the data is being used.
The right of access exists under Article 15 of the EU GDPR, Article 15 of the UK GDPR, and Section 1798.100 of the CCPA/CPRA. Similar rights exist under Brazil's LGPD, Canada's PIPEDA, and dozens of other privacy frameworks worldwide. It is sometimes called a Subject Access Request (SAR) in UK contexts.
Who can make a DSAR?
Any living individual whose personal data is processed by an organisation. This includes customers who have provided data through purchases, accounts, or interactions; employees past and present, including contractors and temporary staff; job applicants who submitted personal information during recruitment; and members of the public whose data has been captured through CCTV, website cookies, or other means.
A third party can also submit a DSAR on behalf of the data subject — for example, a solicitor acting for a client, or a parent acting for a child. The organisation may request proof of authority before processing the request.
What triggers a DSAR?
DSARs don't require any specific format. An individual can make a request verbally, by email, through a web form, via social media, or even in a handwritten letter. The request does not need to mention "DSAR" or cite specific legislation. Any communication that makes clear the individual wants access to their personal data counts as a DSAR.
This means your front-line staff — customer service, HR, reception — need to recognise DSARs when they arrive, even when they don't look like formal legal requests.
Common DSAR triggers include employment disputes, insurance claims, divorce proceedings, immigration applications, complaints about data handling, curiosity about what an organisation knows, and regulatory investigations.
What must be included in a DSAR response?
A complete DSAR response must include several components beyond just the data itself. You need to confirm whether or not you process the individual's personal data. If you do, provide a copy of all personal data you hold. You must explain the purposes of processing, the categories of data involved, and the recipients the data has been or will be shared with.
The response must also include the retention period or the criteria used to determine it, information about the individual's right to rectification, erasure, or restriction, their right to lodge a complaint with a supervisory authority, and the source of the data if it wasn't collected directly from the individual.
Response deadlines
Deadlines vary by regulation but are always tight:
EU GDPR and UK GDPR: One calendar month from receipt. Can be extended by a further two months for complex or numerous requests, but the individual must be informed of the extension and the reasons within the first month.
CCPA/CPRA: 45 calendar days from receipt. Can be extended by an additional 45 days with notice to the consumer.
LGPD (Brazil): 15 days from receipt.
Missing a deadline is not a minor administrative oversight. Regulators treat it as evidence of non-compliance, and it can trigger formal investigations, fines, and enforcement action.
The redaction requirement
This is where DSARs get operationally difficult. The documents you collect in response to a DSAR will almost always contain other people's personal data. An email thread will include the names and addresses of everyone in the conversation. A meeting transcript mentions every attendee. A performance review references managers, colleagues, and clients.
Article 15(4) of the GDPR is explicit: the right to a copy of personal data "shall not adversely affect the rights and freedoms of others." You must redact all third-party personal information before disclosing the documents to the data subject.
This is not a simple search-and-replace task. Names appear in different formats, email addresses are embedded in headers and signatures, phone numbers are scattered across attachments. At scale — thousands of documents across emails, PDFs, spreadsheets, and chat transcripts — manual redaction is impractical within a 30-day window. Learn more in our DSAR redaction guide.
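As an added illustration of the selective redaction this section describes (example code written for this page, not SafeRedact's or any vendor's implementation): a small Python redactor that, given the data subject's name, email address and phone number, strips third-party emails, phone numbers and names from a constructed email thread while preserving the subject's own identifiers. It also handles one of the edge cases that make the task harder than search-and-replace: a surname the subject shares with a third party is left alone rather than risk redacting the subject's own data. The thread, names and numbers are invented.

```python
import re

# Constructed sample for this example (names, addresses and numbers are invented).
# The data subject is Dana Lee; Marcus Lee and Priya Nair are third parties.
SAMPLE_THREAD = """From: Dana Lee <dana.lee@example.com>
To: Marcus Lee <marcus.lee@example.com>, Priya Nair <priya.nair@example.com>
Subject: Re: Annual review

Hi Marcus, as discussed with Priya, I'd like a copy of my review.
Call me on +44 7700 900123 if that is easier.
--
Marcus Lee | Line Manager | 020 7946 0000
"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
# International (+CC ...) or UK-style (0...) numbers with optional single spaces between digits.
PHONE_RE = re.compile(r"\+\d{1,3}(?:[ ]?\d){7,}|0\d{2,4}(?:[ ]?\d){6,}")


def digits_only(s):
    """Normalise a phone number to its digits so formatting differences do not matter."""
    return re.sub(r"\D", "", s)


def name_forms(full_name):
    """Surface forms a name takes in email: full name, first name alone, surname with honorific."""
    parts = full_name.split()
    first, last = parts[0], parts[-1]
    return {full_name, first} | {f"{h} {last}" for h in ("Mr", "Ms", "Mrs", "Dr")}


def redact_for_subject(text, subject_name, subject_emails, subject_phones, third_parties):
    """Redact third-party PII while preserving the data subject's own identifiers."""
    keep_emails = {e.lower() for e in subject_emails}
    keep_phones = {digits_only(p) for p in subject_phones}
    text = EMAIL_RE.sub(lambda m: m.group(0) if m.group(0).lower() in keep_emails
                        else "[EMAIL REDACTED]", text)
    text = PHONE_RE.sub(lambda m: m.group(0) if digits_only(m.group(0)) in keep_phones
                        else "[PHONE REDACTED]", text)
    # Names: longest form first so "Marcus Lee" is replaced before "Marcus"; any form the
    # subject shares (here the surname "Lee") is skipped rather than risk stripping theirs.
    subject_forms = name_forms(subject_name)
    for person in third_parties:
        for form in sorted(name_forms(person) - subject_forms, key=len, reverse=True):
            text = re.sub(r"\b" + re.escape(form) + r"\b", "[NAME REDACTED]", text)
    return text


if __name__ == "__main__":
    print(redact_for_subject(SAMPLE_THREAD, "Dana Lee", ["dana.lee@example.com"],
                             ["+44 7700 900123"], ["Marcus Lee", "Priya Nair"]))
```

A production redactor would add address, date-of-birth and identifier patterns and a review step; the point here is that the keep-list for the data subject is applied before anything is removed.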
Can an organisation refuse a DSAR?
In limited circumstances, yes. Under GDPR, an organisation can refuse a request that is "manifestly unfounded or excessive" — for example, repeated identical requests designed to disrupt operations. The organisation must explain why it considers the request unfounded or excessive, and inform the individual of their right to complain to a supervisory authority.
Specific exemptions also exist for data that is subject to legal privilege, data processed for crime prevention, and certain categories of regulatory or judicial data. However, these exemptions are narrow and must be applied on a case-by-case basis.
The cost of non-compliance
Fines for mishandling DSARs are not theoretical. Under GDPR, supervisory authorities can impose fines of up to €20 million or 4% of global annual turnover. Under CCPA, violations carry penalties of $2,500 per unintentional violation and $7,500 per intentional violation. Beyond fines, failed DSAR responses damage trust with employees, customers, and regulators — and the reputational cost often exceeds the financial penalty.
Gartner estimates the average cost of manually processing a single DSAR at approximately $1,524. For organisations handling dozens or hundreds of requests per year, automation is not a luxury — it's a necessity.
How to handle DSARs efficiently
The organisations that handle DSARs well share a few common practices. They have a clear intake process so requests are recognised and routed immediately, regardless of which channel they arrive through. They maintain a data inventory so they know where personal data lives across their systems. They use automated tools for the redaction-heavy final step — stripping third-party PII from thousands of documents before disclosure.
SafeRedact Enterprise is built for that last step. Upload a data export, name the data subject, and the system preserves their PII while redacting all third-party personal data across up to 25,000 files per batch. Learn more about DSAR compliance requirements or explore DSAR software options.
Need to process a DSAR?
SafeRedact Enterprise handles bulk document redaction with selective PII preservation and zero data retention.
Learn about Enterprise →
Frequently asked questions
What does DSAR stand for?
DSAR stands for Data Subject Access Request. It is a formal request from an individual to access all personal data an organisation holds about them, guaranteed by GDPR, UK GDPR, CCPA, and other privacy regulations.
Who can make a DSAR?
Any individual whose personal data is processed — customers, employees, contractors, job applicants, or members of the public. A representative such as a solicitor or parent can submit a request on their behalf.
How long does an organisation have to respond?
One calendar month under GDPR and UK GDPR. 45 calendar days under CCPA/CPRA. Extensions are available for complex cases but must be communicated to the requester within the original deadline.
Can an organisation charge a fee?
Under GDPR, the first copy is free. A reasonable fee can be charged for additional copies or manifestly excessive requests. Under CCPA, responses must always be provided free of charge.
What happens if a DSAR is ignored?
Regulatory fines of up to €20 million or 4% of annual turnover under GDPR, or $7,500 per violation under CCPA. The individual can also complain to a supervisory authority, which may trigger a formal investigation.