Data Subject Access Requests (DSARs) — A DPO's Complete Guide

Data Subject Access Requests are one of the most operationally demanding aspects of GDPR compliance. Under Article 15, every individual has the right to know whether their data is being processed, what data is held, and why. For external DPOs managing multiple clients, efficient DSAR handling can mean the difference between a smooth practice and a missed-deadline disaster.

What Is a DSAR and Who Can Submit One?

A Data Subject Access Request is a formal request from an individual to a data controller, exercising their right under Article 15 GDPR to obtain confirmation of whether their personal data is being processed and, if so, access to that data along with specific supplementary information.

Any natural person whose data is processed can submit a DSAR. There are no formal requirements — the request can be made verbally, by email, through a web form, or even via social media. The identity of the requester must be verified, but the organization cannot impose unreasonable barriers to making a request.

DSARs are not limited to customers. Employees, former employees, job applicants, website visitors, and even business contacts can submit them. For organizations with significant HR operations, employee DSARs are often the most complex — involving data spread across payroll systems, email archives, performance reviews, and more.

Deadlines and Extensions

The standard deadline for responding to a DSAR is one month from receipt of the request — not one month from identity verification or acknowledgment, but from receipt. This deadline is calculated by calendar month: a request received on March 15 is due by April 15.

Extensions are possible under Article 12(3) GDPR: if the request is particularly complex or if the organization receives a high number of requests, the deadline can be extended by two additional months. However, the controller must inform the data subject of the extension within the original one-month period, including the reasons for the delay.

In practice, most supervisory authorities take a dim view of extensions used as standard practice. They are meant for genuinely complex cases — not as a default buffer. If you find yourself routinely needing extensions, it is a sign that your DSAR handling process needs improvement.

For external DPOs managing 15 clients with an average of 3 DSARs per client per year, that is 45 individual deadlines to track. Manual tracking with calendar entries is error-prone and does not scale. A single missed deadline can result in a complaint to the supervisory authority and reputational damage for both the client and the DPO.
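The deadline rules above (one calendar month from receipt, an optional two-month extension that must be notified within the original month) are easy to get wrong when tracked by hand across dozens of requests. The following is an added example, not code from the original guide: a small Python DSAR register that computes each due date, checks that any extension was notified in time, and flags what needs attention on a given day. Client names and DSAR references are constructed placeholders. One assumption not stated in the guide: when the receipt day does not exist in the target month (for example, received on January 31), the due date is clamped to the last day of that month.

```python
"""Added example (not part of the original guide): a minimal DSAR deadline
register. The calendar-month rule follows the guide (received March 15 ->
due April 15). Month-end clamping (received January 31 -> due the last day
of February) is an assumption, not a statement taken from the guide."""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import date


def add_months(start: date, months: int) -> date:
    """Return the same day-of-month `months` later, clamped to month end."""
    month_index = start.month - 1 + months
    year = start.year + month_index // 12
    month = month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


@dataclass
class Dsar:
    client: str
    reference: str                      # constructed placeholder id
    received: date                      # the clock starts at receipt
    extended: bool = False              # Art. 12(3) extension applied
    extension_notified_on: date | None = None
    closed_on: date | None = None

    @property
    def original_due(self) -> date:
        return add_months(self.received, 1)

    @property
    def due(self) -> date:
        # An extension adds up to two further months to the original month.
        return add_months(self.received, 3) if self.extended else self.original_due

    def extension_is_valid(self) -> bool:
        """The data subject must be told of the extension within the original month."""
        if not self.extended:
            return True
        return (self.extension_notified_on is not None
                and self.extension_notified_on <= self.original_due)

    def status(self, today: date) -> str:
        if self.closed_on is not None:
            return "closed-late" if self.closed_on > self.due else "closed"
        if self.extended and not self.extension_is_valid():
            return "extension-invalid"
        days_left = (self.due - today).days
        if days_left < 0:
            return "overdue"
        if days_left <= 7:
            return "due-soon"
        return "open"


def overdue_report(register: list[Dsar], today: date) -> list[tuple[str, str, str]]:
    """Rows of (client, reference, status) for every request needing attention."""
    flagged = {"overdue", "due-soon", "extension-invalid", "closed-late"}
    return [(r.client, r.reference, r.status(today))
            for r in sorted(register, key=lambda r: r.due)
            if r.status(today) in flagged]


# Constructed sample register (placeholder clients and references).
SAMPLE_REGISTER = [
    Dsar("client-a", "DSAR-0001", date(2024, 3, 15)),
    Dsar("client-b", "DSAR-0002", date(2024, 1, 31)),          # due Feb 29 (clamped)
    Dsar("client-c", "DSAR-0003", date(2024, 2, 1), extended=True,
         extension_notified_on=date(2024, 2, 20)),             # notified in time
    Dsar("client-d", "DSAR-0004", date(2024, 2, 1), extended=True,
         extension_notified_on=date(2024, 3, 5)),              # notified too late
]

if __name__ == "__main__":
    for row in overdue_report(SAMPLE_REGISTER, date(2024, 4, 10)):
        print(*row)
```

Run as a script it prints the flagged rows for 10 April 2024; in practice the register would be loaded from the DPO's case-tracking system and the report run daily, so that a late extension notice is caught while the original one-month window is still open rather than after it has closed.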

What Information Must Be Provided?

Article 15 requires controllers to provide the following information in response to a DSAR: the purposes of processing, the categories of personal data concerned, the recipients or categories of recipients, the envisaged retention period or criteria for determining it, the existence of the right to rectification, erasure, or restriction, the right to lodge a complaint with a supervisory authority, the source of the data (if not collected from the data subject directly), and the existence of automated decision-making including profiling.

In addition to this metadata, the controller must provide a copy of the personal data being processed. The first copy must be provided free of charge; for additional copies, a reasonable administrative fee may be charged.

The response must be provided in a commonly used electronic format if the request was made electronically. It must be concise, transparent, and in clear, plain language — particularly if the data subject is a child.

Exemptions and Edge Cases

Not every DSAR must be fulfilled in its entirety. Article 12(5) allows controllers to refuse requests that are "manifestly unfounded or excessive" — for example, repeated requests from the same person with no new processing having occurred. The burden of proof that a request is manifestly unfounded lies with the controller.

Legal privilege and trade secrets may also limit what must be disclosed. If providing a complete copy of all data would reveal proprietary algorithms, business strategies, or information about other individuals, the controller may redact or withhold that specific information — but must still respond to the request overall.

Employee DSARs are particularly complex. They often involve data held by multiple departments (HR, IT, finance, management) and may include internal communications about the employee. Supervisory authorities generally expect organizations to search all relevant systems, including email, but confidential management discussions about restructuring or disciplinary actions may be exempt under certain conditions.

When in doubt, document your reasoning for any limitations or exemptions applied. Supervisory authorities are far more understanding when a controller can show a thoughtful, documented decision-making process than when they encounter blanket refusals.

Pro Tip: Create a DSAR Playbook Per Client

For each client, document where personal data is stored (systems inventory), who is responsible for searching each system, and what your standard response template looks like. When a DSAR arrives, you follow the playbook rather than starting from scratch. This reduces response time from days to hours and ensures consistency across requests.