A Data Subject Access Request is not a customer service inquiry. It is a legally binding obligation under GDPR Article 15 that requires your organization to locate, compile, review, redact, and deliver every piece of personal data you hold about an individual within 30 calendar days. Failure to respond — or responding incompletely — exposes your organization to regulatory complaints, supervisory authority investigations, and potential fines.
The challenge is operational, not legal. Most organizations understand the legal requirement. What they struggle with is execution: finding personal data scattered across dozens of systems, determining what qualifies as personal data in context, redacting third-party information without destroying the data subject's record, formatting a response that satisfies the regulator, and doing all of this within 30 days while handling the rest of the privacy program.
This guide provides the documented workflow for handling DSARs from receipt to response, covering identity verification, data discovery, exemptions, redaction, response formatting, deadline management, and automation.
DSAR Legal Foundation: What Article 15 Actually Requires
GDPR Article 15 grants data subjects the right to obtain confirmation of whether their personal data is being processed, and if so, access to that data along with specific supplementary information. The supplementary information requirements are often overlooked — providing just the raw data without the required context is an incomplete response.
Required Information in Every DSAR Response
| Requirement | Article | What You Must Provide |
|---|---|---|
| Copy of personal data | Art. 15(1) | All personal data being processed, in an intelligible form. Not raw database dumps — formatted so the individual can understand what data you hold. |
| Processing purposes | Art. 15(1)(a) | The specific purposes for which each category of data is processed (marketing, service delivery, fraud prevention, etc.) |
| Categories of data | Art. 15(1)(b) | The types of personal data processed (contact details, financial data, behavioral data, location data, etc.) |
| Recipients or categories | Art. 15(1)(c) | Who the data has been or will be shared with — specific names where possible, categories where specific disclosure is not feasible |
| Retention periods | Art. 15(1)(d) | How long each category of data will be stored, or the criteria used to determine retention periods |
| Data subject rights | Art. 15(1)(e-f) | Information about the right to rectification, erasure, restriction, objection, and the right to lodge a complaint with a supervisory authority |
| Source of data | Art. 15(1)(g) | Where the data was collected from, if it was not obtained directly from the data subject |
| Automated decision-making | Art. 15(1)(h) | Whether automated decision-making or profiling is used, the logic involved, and the significance and consequences for the data subject |
| International transfers | Art. 15(2) | Whether data is transferred outside the EEA, and the safeguards in place (SCCs, adequacy decisions, BCRs) |
The Seven-Step DSAR Workflow
Every DSAR follows the same operational workflow, regardless of the size of your organization or the volume of requests. The steps must be executed in order — skipping or reordering steps creates compliance gaps and operational failures.
Step 1: Receive and Log
DSARs can arrive through any channel — email, web form, phone call, social media direct message, postal mail, or even verbally in person. There is no required format. A customer emailing "I want to know what data you have about me" is a valid DSAR even if they do not use the term "data subject access request" or cite Article 15.
When a request arrives, log it immediately in your DSAR tracking system with: the date received (this starts the 30-day clock), the requestor's name and contact information, the channel through which it was received, the specific data or information requested, and the assigned handler. Every detail matters because supervisory authorities will ask for your DSAR logs during audits.
Step 2: Verify Identity
Identity verification prevents a different kind of data breach — releasing someone's personal data to an unauthorized person. The verification method should be proportionate to the sensitivity of the data and the risk of the request:
| Risk Level | Data Type | Verification Method |
|---|---|---|
| Low | Newsletter subscription, public profile data | Confirmation email to the address on file. If they can click the link, they control the email account associated with the data. |
| Medium | Purchase history, account data, customer records | Account login verification plus security questions. Request must come from the registered email address or authenticated account. |
| High | Financial records, health data, HR records | Government-issued photo ID matching the name on record. For employee DSARs, verification through HR with manager confirmation. |
| Agent request | Any (third party submitting on behalf of data subject) | Written authorization from the data subject plus verification of both the agent's and the data subject's identity. |
Step 3: Scope the Request
Many DSARs are broad — "give me everything you have on me." While you are required to provide all personal data, you can contact the data subject to clarify the scope. GDPR Recital 63 states that where an organization processes a large quantity of data, it may ask the data subject to specify the information or processing activities to which the request relates.
This is not an opportunity to narrow the request against the data subject's wishes. It is an opportunity to deliver a more useful response more quickly. If the data subject insists on everything, you must provide everything.
Step 4: Data Discovery
This is the step where most organizations fail. Personal data is rarely centralized. A typical mid-size organization stores personal data across 15 to 40 systems:
| System Category | Examples | Common Data Found |
|---|---|---|
| CRM | Salesforce, HubSpot, Pipedrive | Contact details, interaction history, deal notes, communication preferences |
| Marketing platforms | Mailchimp, Marketo, ActiveCampaign | Email address, engagement metrics, campaign interactions, consent records |
| Analytics | Google Analytics, Mixpanel, Amplitude | Behavioral data, device information, IP addresses, session recordings |
| Support systems | Zendesk, Intercom, Freshdesk | Support tickets, chat transcripts, satisfaction scores, complaint records |
| HR platforms | Workday, BambooHR, Personio | Employment records, payroll, performance reviews, disciplinary records |
| Finance | Stripe, QuickBooks, SAP | Payment records, invoices, billing addresses, bank details |
| Cloud storage | Google Drive, SharePoint, Dropbox | Documents mentioning the data subject, shared files, collaboration records |
| Email systems | Google Workspace, Microsoft 365 | Emails from/to/about the data subject across all employee mailboxes |
| Third-party processors | Payroll providers, analytics vendors | Data shared with processors under data processing agreements |
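Because data discovery is where the guide says most organizations fail, the following added example (not code from the original article) shows how a discovery run can be checked against a data inventory rather than left to memory. The inventory, the per-system sample records, the connector functions and the data subject's identifiers are all constructed stand-ins for real CRM, marketing, support and finance connectors; the completeness percentage follows the "systems searched" definition used later in this guide, and the 95 percent target is the one the guide states.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed ROPA-style inventory: system name -> categories of personal data held.
INVENTORY: Dict[str, List[str]] = {
    "crm": ["contact details", "interaction history"],
    "marketing": ["email address", "consent records"],
    "support": ["support tickets", "chat transcripts"],
    "finance": ["payment records", "billing address"],
    "payroll_processor": ["payroll data"],  # third-party processor, no API access
}

# Constructed sample records standing in for the real systems' contents.
_CRM = [{"email": "alice.smith@example.com", "name": "Alice Smith", "notes": "renewal call"}]
_MARKETING = [{"email": "alice.smith@example.com", "consent": "opted in 2023-05-01"}]
_SUPPORT = [
    {"requester": "ALICE.SMITH@example.com", "ticket": "#4821"},  # case differs
    {"requester": "bob@example.net", "ticket": "#4822"},           # not our subject
]
_FINANCE = [{"customer_email": "alice.smith@example.com", "invoice": "INV-100"}]
_ANALYTICS = [{"user_email": "alice.smith@example.com", "sessions": 42}]


def _search(records: List[dict], identifiers: List[str]) -> List[dict]:
    """Case-insensitive match of any field value against the subject's identifiers."""
    wanted = {i.lower() for i in identifiers}
    return [r for r in records if any(str(v).lower() in wanted for v in r.values())]


# One connector per system we can query programmatically. Note that "analytics"
# has a connector but is missing from INVENTORY: that is inventory drift.
CONNECTORS: Dict[str, Callable[[List[str]], List[dict]]] = {
    "crm": lambda ids: _search(_CRM, ids),
    "marketing": lambda ids: _search(_MARKETING, ids),
    "support": lambda ids: _search(_SUPPORT, ids),
    "finance": lambda ids: _search(_FINANCE, ids),
    "analytics": lambda ids: _search(_ANALYTICS, ids),
}


@dataclass
class DiscoveryResult:
    searched: Dict[str, List[dict]]   # system -> records found for the subject
    gaps: List[str]                   # inventory systems with no connector (manual request needed)
    unrecorded: List[str]             # connectors for systems absent from the inventory
    inventory_size: int

    def completeness(self) -> float:
        """Percentage of inventory systems actually searched for this DSAR."""
        return 100.0 * len(self.searched) / self.inventory_size

    def meets_target(self, target_percent: float = 95.0) -> bool:
        return self.completeness() >= target_percent


def discover(identifiers: List[str], inventory: Dict[str, List[str]],
             connectors: Dict[str, Callable[[List[str]], List[dict]]]) -> DiscoveryResult:
    """Search every inventory system, recording which were covered and which were not."""
    searched: Dict[str, List[dict]] = {}
    gaps: List[str] = []
    for system in inventory:
        connector = connectors.get(system)
        if connector is None:
            gaps.append(system)          # must be raised with the processor by hand
            continue
        searched[system] = connector(identifiers)
    unrecorded = sorted(set(connectors) - set(inventory))
    return DiscoveryResult(searched, gaps, unrecorded, len(inventory))


if __name__ == "__main__":
    result = discover(["alice.smith@example.com"], INVENTORY, CONNECTORS)
    for system, hits in result.searched.items():
        print(f"{system}: {len(hits)} record(s)")
    print("manual follow-up needed:", result.gaps)
    print("systems missing from inventory:", result.unrecorded)
    print(f"completeness {result.completeness():.0f}% -> target met: {result.meets_target()}")
```

Two things this run surfaces that a spreadsheet-driven search usually misses: the processor with no connector is reported as a gap that still has to be closed (by a written request under the DPA) before the response can be called complete, and the analytics system that someone wired up without recording it in the inventory is reported as drift, which is exactly the "systems get added without being recorded" failure described later in this guide.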
Step 5: Review and Apply Exemptions
Not all personal data must be disclosed. GDPR provides several exemptions that allow (or require) you to withhold certain information:
| Exemption | Legal Basis | Application |
|---|---|---|
| Third-party data | Art. 15(4) | Data that would reveal personal data about another individual must be redacted unless that individual consents or it is reasonable to disclose |
| Legal privilege | National law | Communications between the organization and its lawyers regarding the data subject (legal professional privilege) |
| Trade secrets | Recital 63 | Proprietary algorithms, scoring models, or business processes — but you must still explain the logic of automated decisions without revealing the trade secret itself |
| Ongoing investigations | Art. 23 | Data related to active fraud investigations or regulatory proceedings where disclosure would prejudice the investigation |
| Manifestly unfounded | Art. 12(5) | Requests that are clearly made with no intention of exercising data protection rights (harassment, disruption). This exemption is very narrow and rarely applicable. |
Step 6: Redaction
Redaction is the most labor-intensive step. Every document, email, chat transcript, and record must be reviewed for third-party personal data, legally privileged content, and trade secrets. Manual redaction of a single DSAR response containing 500 pages of data can take 20 to 30 hours.
Automated redaction tools (Microsoft Presidio, Amazon Comprehend, Google DLP API) can identify and redact common patterns (names, email addresses, phone numbers, national ID numbers) but require human review because false positives (redacting the data subject's own information) and false negatives (missing unusual identifiers) both create compliance problems.
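The two-pass approach described above, as an added example that is not code from the original article and does not use Presidio, Comprehend or the DLP API: an automated first pass catches e-mail addresses and phone numbers with regular expressions, a reviewer's second pass adds the third-party names the patterns cannot see, and the data subject's own identifiers are whitelisted so the automated pass does not redact the very data the subject is entitled to. The ticket text, the data subject's identifiers and the reviewer's term list are constructed sample input; the pattern set is deliberately small and is an assumption about what a first pass looks for, not a complete detector.

```python
import re
from typing import Dict, List, Sequence, Tuple

# Constructed support ticket containing the subject's data and a third party's.
TICKET_TEXT = """Ticket #4821 from alice.smith@example.com (+44 20 7946 0000).
Alice says her neighbour bob.jones@example.net reported the same fault.
Agent note: call Bob back on 020 7946 0999 before Friday."""

# Identifiers belonging to the data subject; these must NOT be redacted.
SUBJECT_IDENTIFIERS = ["alice.smith@example.com", "+44 20 7946 0000"]

# Automated detectors for the common identifier patterns this guide lists.
PATTERNS: Dict[str, re.Pattern] = {
    "EMAIL": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "PHONE": re.compile(r"\+?\d[\d \-]{7,}\d"),
}

Finding = Tuple[str, str, str]  # (kind, matched text, action taken)


def _normalise(value: str) -> str:
    """Compare identifiers without spaces, dashes, brackets or case differences."""
    return re.sub(r"[\s\-()]", "", value).lower()


def automated_pass(text: str, subject_identifiers: Sequence[str]) -> Tuple[str, List[Finding]]:
    """First pass: redact every pattern match except the data subject's own identifiers.
    Every decision is logged so the reviewer can audit false positives and negatives."""
    keep = {_normalise(s) for s in subject_identifiers}
    findings: List[Finding] = []

    def make_replacer(kind: str):
        def replace(match: re.Match) -> str:
            token = match.group(0)
            if _normalise(token) in keep:
                findings.append((kind, token, "kept: data subject's own identifier"))
                return token
            findings.append((kind, token, "redacted"))
            return f"[REDACTED {kind}]"
        return replace

    for kind, pattern in PATTERNS.items():
        text = pattern.sub(make_replacer(kind), text)
    return text, findings


def reviewer_pass(text: str, third_party_terms: Sequence[str]) -> Tuple[str, List[Finding]]:
    """Second pass: apply whole-word redactions the human reviewer identified,
    typically names, which the automated patterns do not detect."""
    findings: List[Finding] = []
    for term in third_party_terms:
        pattern = re.compile(r"\b" + re.escape(term) + r"\b")
        text, count = pattern.subn("[REDACTED NAME]", text)
        if count:
            findings.append(("NAME", term, f"redacted x{count} (reviewer)"))
    return text, findings


def redact(text: str, subject_identifiers: Sequence[str],
           reviewer_terms: Sequence[str] = ()) -> Dict[str, object]:
    """Run both passes and return the redacted text with a full decision log."""
    after_auto, auto_findings = automated_pass(text, subject_identifiers)
    after_review, review_findings = reviewer_pass(after_auto, reviewer_terms)
    return {"redacted_text": after_review, "findings": auto_findings + review_findings}


if __name__ == "__main__":
    out = redact(TICKET_TEXT, SUBJECT_IDENTIFIERS, reviewer_terms=["Bob"])
    print(out["redacted_text"])
    for finding in out["findings"]:
        print(finding)
```

The decision log is the part worth keeping: it lets the reviewer confirm that the two "kept" entries really belong to the data subject and gives the cover letter an auditable record of what was withheld and why. Note what the automated pass alone leaves behind in this sample ("Bob" in the agent's note): that residual is why the guide insists on a human second pass rather than treating tool output as final.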
Step 7: Format and Deliver
The response must be provided in a "concise, transparent, intelligible and easily accessible form, using clear and plain language" (Article 12(1)). In practice, this means:
- Cover letter — summarizing the response, listing all systems searched, describing any exemptions applied and why, and informing the data subject of their right to complain to the supervisory authority.
- Data package — the actual personal data, organized by system or category. Common formats include PDF (for human readability) and JSON or CSV (for machine readability when the right to data portability applies).
- Secure delivery — the response must be transmitted securely: encrypted email, a password-protected secure file transfer link, or access through a secure portal. Never send unencrypted personal data packages by regular email.
Deadline Management and Extensions
| Scenario | Deadline | Requirements |
|---|---|---|
| Standard request | 30 calendar days from receipt | No action required beyond timely completion |
| Identity verification needed | 30 days from successful verification | Clock does not start until you have confirmed the requester's identity. Document the verification timeline. |
| Complex request (extension) | 90 calendar days (30 + 60 extension) | Must notify the data subject within the original 30 days that you are extending, with the reason. The complexity must stem from the request itself. |
| Excessive or repetitive | Varies | You may charge a reasonable fee or refuse to act. Must justify the determination and inform the data subject of their right to complain. |
The Five Most Common DSAR Mistakes
| Mistake | Why It Happens | Consequence | Prevention |
|---|---|---|---|
| Missing the 30-day deadline | Data discovery takes longer than expected. No tracking system in place. Handler goes on leave. | Data subject complains to supervisory authority. Investigation reveals systemic compliance failure. Potential fine. | Automated deadline tracking with escalation alerts at Day 14, Day 21, and Day 25. Designate backup handlers. |
| Incomplete data search | Organization does not have a comprehensive data inventory. Systems get added without being recorded. | Supervisory authority finds data the organization did not disclose. Treated as deliberate concealment. | Maintain a living data inventory. Cross-reference every DSAR search against the records of processing activities (ROPA). |
| Releasing third-party data | Redaction step skipped or poorly executed. Reviewer does not recognize all identifiers as personal data. | Separate data breach notification required. Complaint from the affected third party. Reputational damage. | Standardized redaction checklist. Automated PII detection as first pass. Manual review as second pass. Never skip both. |
| No identity verification | Team treats DSAR as customer service request. Sends data without confirming identity. | Personal data disclosed to unauthorized person. This is a data breach under GDPR Article 4(12). Mandatory 72-hour breach notification. | Verification is a mandatory step before any data processing begins. Document the verification method used for each DSAR. |
| Providing raw data without context | Team dumps database exports into a ZIP file without formatting or supplementary information. | Response is technically non-compliant. Data subject cannot understand the data. Follow-up complaint to supervisory authority. | Use a response template that includes all Article 15 supplementary information. Present data in human-readable format with category labels. |
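The deadline rules in the table above and the Day 14, Day 21 and Day 25 escalation alerts from the mistakes table, put together as an added example that is not code from the original article. It uses the figures this guide states (30 days, a 60-day extension, the clock starting at successful verification) and enforces the two conditions the guide attaches to an extension: the data subject is notified inside the original 30 days, and a reason is recorded. The request identifier and dates are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Deadline parameters as stated in this guide.
STANDARD_DAYS = 30
EXTENSION_DAYS = 60
ESCALATION_DAYS = (14, 21, 25)  # alert thresholds from the mistakes table


@dataclass
class Dsar:
    request_id: str
    received: date                          # logged on receipt (Step 1)
    verified: Optional[date] = None         # identity confirmed (Step 2)
    extended: bool = False
    extension_reason: str = ""
    extension_notified: Optional[date] = None
    completed: Optional[date] = None

    def clock_start(self) -> Optional[date]:
        # The 30-day clock does not run until identity has been verified.
        return self.verified

    def deadline(self) -> Optional[date]:
        start = self.clock_start()
        if start is None:
            return None
        days = STANDARD_DAYS + (EXTENSION_DAYS if self.extended else 0)
        return start + timedelta(days=days)


def verify(dsar: Dsar, on: date) -> None:
    """Record successful identity verification; this is what starts the clock."""
    if on < dsar.received:
        raise ValueError("verification cannot precede receipt")
    dsar.verified = on


def extend(dsar: Dsar, reason: str, notified_on: date) -> date:
    """Apply the 60-day extension. Only valid if the data subject is told,
    with a reason, inside the original 30-day window."""
    start = dsar.clock_start()
    if start is None:
        raise ValueError("cannot extend before identity is verified")
    if not reason.strip():
        raise ValueError("an extension must state its reason")
    if notified_on > start + timedelta(days=STANDARD_DAYS):
        raise ValueError("extension notice must be sent within the original deadline")
    dsar.extended = True
    dsar.extension_reason = reason
    dsar.extension_notified = notified_on
    return dsar.deadline()


def status(dsar: Dsar, today: date) -> dict:
    """Where the request stands today, including the highest escalation
    threshold crossed so a backup handler can be alerted."""
    start = dsar.clock_start()
    if dsar.completed is not None:
        state = "completed"
    elif start is None:
        state = "awaiting_verification"
    elif today > dsar.deadline():
        state = "overdue"
    else:
        state = "open"
    elapsed = (today - start).days if start else None
    remaining = (dsar.deadline() - today).days if start else None
    alert = None
    if state == "open":
        crossed = [d for d in ESCALATION_DAYS if elapsed >= d]
        alert = f"day{crossed[-1]}" if crossed else None
    return {"state": state, "days_elapsed": elapsed, "days_remaining": remaining,
            "deadline": dsar.deadline(), "alert": alert}


if __name__ == "__main__":
    req = Dsar("DSAR-2024-0001", received=date(2024, 3, 1))   # constructed
    print(status(req, date(2024, 3, 2)))                       # clock not yet running
    verify(req, date(2024, 3, 4))
    print(status(req, date(2024, 3, 20)))                      # day 16 -> day14 alert
    print("extended to", extend(req, "large volume of archived email", date(2024, 3, 25)))
```

Logging the verification date separately from the receipt date is what makes the "clock starts at verification" rule defensible later: the supervisory authority can see both dates in the log, and the tracker never silently gives itself extra time.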
Measuring DSAR Program Performance
Track these metrics to identify bottlenecks and demonstrate compliance maturity to supervisory authorities:
| Metric | Target | Why It Matters |
|---|---|---|
| Average response time | Under 21 days | Buffer against the 30-day deadline. Organizations averaging 28 days will inevitably miss deadlines on complex requests. |
| On-time completion rate | 100 percent | Any missed deadline is a potential compliance violation. Track separately from average response time. |
| Cost per DSAR | Under 500 euros (automated) | Benchmarking efficiency. Manual processes averaging over 4,000 euros per request indicate automation is needed. |
| Data completeness score | Over 95 percent of systems searched | Percentage of systems in the data inventory that were actually searched for each DSAR. Missing systems means missing data. |
| Escalation rate | Under 10 percent | Percentage of DSARs that require escalation to legal or senior management. High rates indicate unclear processes or training gaps. |
| Extension usage rate | Under 5 percent | Percentage of DSARs requiring the 60-day extension. High rates indicate systemic capacity or process problems. |
| Complaint rate | Under 2 percent | Percentage of DSARs resulting in complaints to the supervisory authority. This is the ultimate quality metric. |
