Data Subject Access Request (DSAR)

Data Subject Access Requests (DSARs) have quickly become a cornerstone of modern data privacy. Driven by regulations like the GDPR in Europe and the CCPA in California, individuals now have powerful subject access rights—the ability to ask organizations what personal data is collected, how it's used, and, in some cases, to request its correction or deletion.
Whether you’re an individual curious about your own data, or an organization aiming for seamless DSAR fulfillment, understanding the process is crucial. A data privacy request—sometimes called a PII access request—unlocks transparency and accountability, holding businesses to higher standards in handling personal information.
In this guide, we’ll walk you through everything you need to know about DSARs: from what they are, who can make them, and what information can be requested, to the nitty-gritty of verifying identities, responding within legal timeframes, and managing requests efficiently. We’ll also explore key tools, exemptions, and best practices to ensure you’re ready for any data subject rights request.
Let’s get started on making sense of GDPR DSAR, CCPA DSAR, and the practical steps for safeguarding personal data—whether you’re asking for it or responsible for delivering it.
What is a DSAR (Data Subject Access Request)?
Data Subject Access Requests (DSARs) are formal inquiries that individuals can submit to organizations to obtain details about the personal data those organizations hold about them. These requests are a direct result of global privacy laws—like the GDPR DSAR in the European Union and the CCPA DSAR in California—which grant individuals strong data subject rights. By using a DSAR, anyone can take control of their personal information, also known as Personally Identifiable Information (PII).
At its core, a DSAR is a data privacy request that empowers people to:
- Access the data an organization holds about them
- Understand how that data is being used, processed, and shared
- Request corrections to inaccurate or outdated information
- Ask for deletion or restriction of their data where applicable
- Object to certain types of processing, such as direct marketing
Submitting a DSAR is not limited to customers—anyone whose data is processed by an organization can initiate a PII access request, including employees, contractors, and even job applicants. The organization is then responsible for DSAR fulfillment, which means gathering, reviewing, and securely delivering the relevant information within a specific timeframe set by the law.
These requests are more than just a regulatory obligation—they are a vital way for people to exercise their subject access rights and for organizations to build trust through transparency. By understanding and efficiently responding to DSARs, we can help ensure that privacy is respected and that data is handled responsibly in today’s digital world.
Key Regulations Mandating DSARs
Understanding the legal foundation for Data Subject Access Requests (DSARs) is essential for both individuals asserting their data subject rights and organizations striving for compliant DSAR fulfillment. The two primary regulations shaping the landscape are the General Data Protection Regulation (GDPR) in Europe and the California Consumer Privacy Act (CCPA) in the United States. Each sets clear expectations around how data privacy requests—including PII access requests—must be managed and fulfilled.
- GDPR DSAR: The GDPR, effective across the European Economic Area, gives individuals the right to obtain confirmation that their data is being processed, access to their personal data, and information about how it’s used. Organizations must respond to these requests within one month and provide a copy of the personal data, along with details about its processing. The GDPR also empowers individuals to request correction or erasure of data, adding layers of accountability to DSAR fulfillment.
- CCPA DSAR: The CCPA, and its amendment the CPRA, extends similar subject access rights to California residents. Businesses must disclose, upon a verifiable consumer request, the categories and specific pieces of personal information collected, sources of that information, its business or commercial purpose, and third parties with whom it's shared. Organizations have 45 days to respond, with the possibility of a single extension. Unlike the GDPR, the CCPA also gives consumers the right to opt out of the sale of their data.
Both regulations have established DSARs as a legally enforceable process, requiring companies to create clear and accessible channels for individuals to submit a data privacy request. Notably, these laws apply not only to customers but to anyone whose data is processed—employees, contractors, and other stakeholders included.
As global awareness of data subject rights grows, more privacy laws are following the GDPR and CCPA models. Countries and states worldwide are drafting new rules, making it vital for organizations to establish robust systems for managing PII access requests and ensuring timely, accurate DSAR fulfillment.
In summary, the GDPR and CCPA have set the standard for transparent, accountable data practices. By respecting these regulations and building effective DSAR processes, we not only stay compliant but also build lasting trust with those whose data we steward.
Who Can Make a DSAR?
When it comes to exercising data subject rights, the scope of who can make a Data Subject Access Request (DSAR) is intentionally broad. Both the GDPR DSAR and CCPA DSAR frameworks empower a wide range of individuals to take control of their personal data. Let’s break down exactly who can submit these data privacy requests and under what circumstances.
- Individuals (Data Subjects): Any person whose personal information (PII) is processed by an organization can submit a DSAR. This includes customers, users, employees, job applicants, contractors, and anyone else whose data is collected or stored.
- Authorized Representatives: Sometimes, a DSAR may be submitted on behalf of someone else. This is common for parents or legal guardians acting for children, or for individuals holding power of attorney. In these cases, organizations will typically require documentation to verify the representative’s authority before proceeding with DSAR fulfillment.
- Former and Current Customers or Employees: The right to access your data doesn’t expire when your relationship with an organization ends. Former employees, customers, or users can still submit a PII access request to learn what information is retained and how it is handled.
- Prospective or Partial Data Subjects: Even if you never became a full customer or employee—say you only applied for a job or requested a quote—you may still have subject access rights over any data an organization has collected about you during the process.
The primary goal of both the GDPR and CCPA is to give individuals transparency and control over their personal information. This means organizations must be prepared to handle DSARs from a diverse set of requesters, not just active users or customers.
For organizations, it’s important to have a reliable process in place for verifying the identity of any person making a DSAR. This helps ensure that the data privacy request is legitimate and that sensitive data isn’t disclosed inappropriately. If someone is acting on behalf of another individual, documentation such as a signed authorization, birth certificate, or legal power of attorney may be required before proceeding with DSAR fulfillment.
Ultimately, if your information is processed by an organization—even if your interaction was brief—you have the right to submit a DSAR under modern privacy laws. This is a powerful tool for anyone wishing to better understand or control how their personal data is managed.
Information Individuals Can Request
When you submit a Data Subject Access Request (DSAR)—whether under the GDPR, the CCPA, or another privacy law—you’re exercising your subject access rights to understand and control your personal information. But what exactly can you ask for? Both laws empower you to request a broad range of details related to your Personally Identifiable Information (PII) and how it’s handled.
Here’s what you can typically request in a GDPR DSAR or CCPA DSAR:
- Confirmation of Data Processing: Find out whether an organization is processing your personal data at all.
- Access to Personal Data: Receive a copy of all PII the organization holds about you, such as names, email addresses, contact details, and account activity.
- Categories of Data Collected: Understand the types or categories of personal information collected, stored, and processed.
- Sources of Data: Learn from where the organization obtained your data (for instance, directly from you, third parties, or public sources).
- Purposes of Processing: Discover why your information is being processed, such as for marketing, account management, or legal compliance.
- Third-Party Sharing: Request details on who your data is shared with, including vendors, affiliates, or partners, as well as whether it’s sold (a key CCPA disclosure).
- Retention Periods: Find out how long your data will be stored, and the criteria used for deciding retention periods.
- Your Data Subject Rights: Get clear information about your options to correct, delete, restrict, or object to the processing of your data, and how you can exercise these rights.
- Automated Decision-Making: Be informed if your data is used for automated decisions (like profiling) and, where applicable, the logic involved and potential consequences.
- Data Transfers: Learn whether your data is transferred internationally, especially outside the EU or California, and the safeguards in place for such transfers.
When making a data privacy request or PII access request, you’re entitled to a transparent, comprehensive overview—not just a data dump. Organizations must make sure their DSAR fulfillment process is clear, concise, and delivered in a way that’s easy to understand.
If you’re considering submitting a DSAR, remember: you don’t need to know exactly what data an organization holds to make a request. The burden is on the organization to search thoroughly and provide what you’re entitled to under your data subject rights.
For organizations, getting this right is more than compliance—it’s a chance to build trust by demonstrating respect for individual privacy and transparency in every step of the DSAR fulfillment process.
Timeframes for Responding to a DSAR
Timeframes for Responding to a DSAR are clearly defined under both the GDPR and CCPA, setting the pace for how swiftly organizations must address data privacy requests. Understanding and adhering to these deadlines is essential for compliant DSAR fulfillment and for building trust with individuals exercising their data subject rights.
Under the GDPR DSAR framework, organizations are required to respond to a subject access request “without undue delay,” and at the latest within one month of receiving the request. If a PII access request is complex or involves multiple requests from the same individual, an extension of up to two additional months may be granted. However, the data controller must inform the requester within the initial one-month window, explaining the reason for the delay.
- Standard response time: 1 month from receipt of request
- Extension (if necessary): Up to 2 more months (notify within first month with reasons)
For CCPA DSAR requirements, businesses must respond to a verifiable consumer request within 45 days. If necessary, a single 45-day extension can be taken, provided the individual is notified within the original 45-day period and given an explanation for the delay.
- Standard response time: 45 days from receipt of request
- Extension (if necessary): Additional 45 days (must notify within original timeframe)
It’s important to note:
- Prompt acknowledgment of receiving the request is highly recommended, even if the full response will follow later.
- Organizations must keep the requester informed throughout the process, especially if more time is needed for DSAR fulfillment.
- Delays are only justified for complex cases or high volumes, never for routine data privacy requests.
Missing these deadlines can result in regulatory scrutiny and damage to your organization’s reputation. We recommend setting up clear internal processes and leveraging automation tools where possible, so every data subject access request is handled efficiently, transparently, and in full compliance with evolving data privacy laws.
Verifying the Requester's Identity
Verifying the Requester's Identity is a critical first step in any GDPR DSAR or CCPA DSAR process. When someone submits a data privacy request or PII access request, organizations must ensure that the person seeking information truly has the right to access it. This protects everyone’s privacy and prevents unauthorized disclosure of sensitive data.
For robust DSAR fulfillment, organizations should follow a clear, secure identity verification protocol. This not only helps to comply with regulatory requirements, but also builds trust and demonstrates respect for data subject rights.
Why Identity Verification Matters
- It prevents unauthorized access to personal data.
- It protects against identity theft and fraud.
- It ensures compliance with privacy laws, reducing legal and reputational risk.
How to Verify Identity During a DSAR
- Request Relevant Information: Ask the requester to provide details that only they would know, such as account numbers, recent transactions, or contact information on file.
- Photo Identification: For sensitive or extensive data, request a copy of a government-issued ID. Be sure to store this securely and delete it once verification is complete.
- Two-Factor Authentication: Use email or SMS verification codes to confirm the requester's identity, especially if your organization already uses such methods for account access.
- Power of Attorney or Guardianship Proof: When someone makes a request on behalf of another (such as a parent for a child), require official documentation authorizing the request.
Best Practices for Identity Verification
- Minimize Data Collection: Only collect the minimum necessary information to verify identity, aligning with data minimization principles under GDPR and CCPA.
- Communicate Clearly: Let requesters know what information is required and why, making the process user-friendly and transparent.
- Secure Handling: Ensure all verification documents are handled with strict confidentiality, and securely deleted or anonymized after use.
- Document the Process: Keep a record of verification steps for audit purposes, but avoid storing sensitive documents longer than needed.
By implementing a thorough yet respectful identity verification process, we help protect everyone’s privacy and ensure that subject access rights are honored safely. This is a fundamental part of reliable DSAR fulfillment under both GDPR and CCPA, and an essential best practice for any organization handling data privacy requests.
Process for Locating and Retrieving Data
Fulfilling a GDPR DSAR or CCPA DSAR hinges on your ability to efficiently locate and retrieve all relevant personal data. This step is essential for honoring subject access rights and ensuring your organization is compliant with data subject rights regulations. Let’s walk through the practical steps to handle a data privacy request or PII access request confidently and accurately.
- Identify All Data Sources: Start by mapping out everywhere personal data may reside. This includes databases, cloud storage, email servers, CRM systems, HR platforms, archived backups, and third-party SaaS tools. Don’t overlook paper files or legacy systems—completeness is key for DSAR fulfillment.
- Use Data Discovery Tools: Leverage automated tools (such as data mapping or discovery software) that can scan your systems for personally identifiable information (PII). These tools accelerate the search and reduce human error, making your response to a data privacy request more reliable.
- Search by Identifiers: Use clear identifiers provided in the request—such as name, email address, employee ID, or account number—to find all records that relate to the requester. This step ensures that you retrieve all relevant data and nothing is missed.
- Cross-Reference Records: Sometimes, personal data is fragmented across multiple systems. Cross-reference between platforms using consistent identifiers to assemble a complete view of the individual’s data.
- Document the Process: Keep a detailed log of where and how you searched for the data. This audit trail is crucial for demonstrating compliance with GDPR DSAR and CCPA DSAR requirements, especially if your fulfillment process is ever questioned.
- Secure Handling: As you collect the information, ensure it’s handled securely at all stages—transit, storage, and eventual transfer to the requesting individual. This prevents accidental data leaks and maintains trust.
By following these steps, you make DSAR fulfillment more manageable, reduce risk, and demonstrate respect for data subject rights. Staying organized and proactive in your approach not only supports compliance, but also builds a reputation for transparency and trust with everyone whose data you hold.
Formatting and Delivering the Information
When a GDPR DSAR or CCPA DSAR is received, the way you format and deliver the requested information is just as important as collecting it. Proper formatting not only ensures compliance, but also builds trust with individuals exercising their data subject rights. Let’s walk through the essential steps for effective DSAR fulfillment:
- Clarity and Accessibility: Present the data in a clear, straightforward manner. Avoid jargon and use plain language so the individual can easily understand what data is held and how it’s used. For a PII access request, group information logically (by data type or processing purpose, for example).
- Comprehensive Coverage: Include all personal data (PII) that falls under the scope of the data privacy request. This covers any data collected, processed, or shared, as required by the relevant regulation. Make sure nothing is omitted that could impact the individual’s rights.
- Redaction and Anonymization: To protect others’ privacy, carefully redact any information that pertains to third parties. Only the requesting individual’s data should be disclosed. This step is crucial to avoid accidental data breaches during DSAR fulfillment.
- Format Choice: Deliver the information in a commonly used electronic format, such as PDF, CSV, or Word. The GDPR specifically requires that the response is provided in a “structured, commonly used, and machine-readable format.” This helps the individual access and review their data without technical barriers.
- Secure Delivery: Transmit the response securely—ideally through encrypted email or a secure online portal. Never send sensitive data via unprotected channels. Confirm the recipient’s identity before sending, to comply with both GDPR DSAR and CCPA DSAR requirements.
- Explanation and Guidance: Accompany the data with a brief explanation of its contents and how it’s used. If applicable, outline the rights available to the individual under current laws, and provide contact details for further questions or concerns about the data privacy request.
By following these steps, we can ensure that every subject access request is handled with care, transparency, and compliance. This not only meets legal obligations, but also helps foster a culture of trust and respect for data subject rights within your organization.
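The retrieval steps above (search by identifiers, cross-reference across systems, keep an audit trail) and the delivery steps (redact third-party data, group by category, machine-readable format) can be seen end to end in the following added example; it is not code from the original page or from any vendor, and the system names, field names, regex and sample records are constructed assumptions.

```python
import json
import re

# Constructed sample data for three internal systems (not real records, not the page's own
# code): the "systems" a DSAR search has to cover, keyed by system name.
SYSTEMS = {
    "crm": [
        {"customer_id": "C-7781", "name": "Dana Lee", "email": "dana.lee@example.com",
         "phone": "+1-555-0100", "marketing_opt_in": True},
        {"customer_id": "C-7790", "name": "Sam Park", "email": "sam.park@example.com",
         "phone": "+1-555-0199", "marketing_opt_in": False},
    ],
    "billing": [
        {"account_number": "ACC-1042", "customer_id": "C-7781", "plan": "pro",
         "last_invoice": "2024-03-01"},
        {"account_number": "ACC-1050", "customer_id": "C-7790", "plan": "basic",
         "last_invoice": "2024-02-15"},
    ],
    "support": [
        {"ticket_id": "T-311", "account_number": "ACC-1042", "agent_name": "Priya N.",
         "notes": "dana.lee@example.com asked to add sam.park@example.com as a viewer"},
        {"ticket_id": "T-320", "account_number": "ACC-1050", "agent_name": "Priya N.",
         "notes": "password reset for sam.park@example.com"},
    ],
}

# Assumed field names. Identifier fields link one person's records across systems;
# third-party fields hold someone else's data and are never disclosed to the requester.
IDENTIFIER_FIELDS = ("email", "customer_id", "account_number")
THIRD_PARTY_FIELDS = ("agent_name",)
CATEGORIES = {"name": "identity", "email": "contact", "phone": "contact",
              "marketing_opt_in": "preferences", "plan": "account", "last_invoice": "account",
              "ticket_id": "support", "agent_name": "support", "notes": "support"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
REDACTED = "[REDACTED: third party]"


def locate_records(systems, seed_identifiers):
    """Search every system by the requester's identifiers. Any new identifier found in a
    hit (e.g. a customer_id in the CRM record) is used for a further pass, so records
    that share no field with the original request are still found by cross-reference.
    Returns (hits per system, known identifiers, audit log of every search performed)."""
    known = dict(seed_identifiers)
    found = {name: [] for name in systems}
    audit, seen, pending = [], set(), list(seed_identifiers.items())
    while pending:
        fld, val = pending.pop()
        for sys_name, records in systems.items():
            hits = [r for r in records if r.get(fld) == val and id(r) not in seen]
            # Log every search, including misses: the audit trail must show where we looked.
            audit.append({"system": sys_name, "identifier": fld, "value": val, "hits": len(hits)})
            for r in hits:
                seen.add(id(r))
                found[sys_name].append(r)
                for k in IDENTIFIER_FIELDS:
                    if k in r and k not in known:
                        known[k] = r[k]
                        pending.append((k, r[k]))
    return found, known, audit


def redact(record, requester_emails):
    """Replace third-party fields and mask any e-mail address in free text that is not
    the requester's own, so one person's export never discloses another's data."""
    clean = {}
    for key, value in record.items():
        if key in THIRD_PARTY_FIELDS:
            clean[key] = REDACTED
        elif isinstance(value, str):
            clean[key] = EMAIL_RE.sub(
                lambda m: m.group(0) if m.group(0).lower() in requester_emails else REDACTED, value)
        else:
            clean[key] = value
    return clean


def build_response(systems, seed_identifiers):
    """Assemble the structured, machine-readable export: personal data grouped by category,
    each item tagged with its source system, plus the audit log of the search."""
    found, known, audit = locate_records(systems, seed_identifiers)
    requester_emails = {v.lower() for k, v in known.items() if k == "email"}
    grouped = {}
    for sys_name, records in found.items():
        for record in records:
            for key, value in redact(record, requester_emails).items():
                category = CATEGORIES.get(key, "identifiers")
                grouped.setdefault(category, []).append(
                    {"source_system": sys_name, "field": key, "value": value})
    return {"personal_data": grouped, "sources_searched": audit}


def to_json(response):
    """Serialise the export in a commonly used, machine-readable format."""
    return json.dumps(response, indent=2, sort_keys=True)


if __name__ == "__main__":
    # Constructed request: the requester supplied only an e-mail address.
    print(to_json(build_response(SYSTEMS, {"email": "dana.lee@example.com"})))
```

Starting from the e-mail alone, the search learns the customer_id from the CRM, the account_number from billing, and so reaches the support ticket, where the agent's name and the other customer's address are masked before export.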
Permissible Exemptions or Refusals
When responding to a GDPR DSAR or CCPA DSAR, organizations are generally obliged to honor the subject access rights of individuals. However, there are specific cases where a data privacy request may be lawfully refused or limited. Understanding these exemptions is crucial for both requesters and organizations to ensure fair and compliant DSAR fulfillment.
Common Grounds for Refusal or Limitation:
- Manifestly Unfounded Requests: If a data subject’s request is clearly intended to cause disruption, is malicious, or lacks any real purpose, organizations can refuse to act on it. For example, repeated requests with no substantive difference or requests made to harass may be considered manifestly unfounded.
- Excessive Requests: When a requester submits multiple repetitive requests in a short period, or the scope is unreasonably wide, the organization may decline the request or charge a reasonable fee for the administrative costs.
- Impact on Others' Rights: If fulfilling a PII access request would infringe on the rights or freedoms of another person (such as exposing another individual’s personal data), organizations must redact or withhold that information to protect third-party privacy.
- Legal Obligations and Privileges: Certain data may be exempt from disclosure if releasing it would breach confidentiality, legal privilege, or regulatory requirements. For example, information related to ongoing legal proceedings or protected trade secrets may justifiably be withheld.
How to Apply Exemptions Responsibly:
- Assess Each Request Individually: Blanket refusals are not permitted. Every data privacy request must be reviewed on its merits, with clear documentation of the reasons for refusal or redaction.
- Communicate Clearly: If a request is denied or limited, organizations are required to inform the requester of the reasons, the relevant exemption, and their right to challenge the decision or complain to a supervisory authority.
- Transparency and Record-Keeping: Always maintain an audit trail of decisions made regarding DSAR fulfillment, as this demonstrates accountability and compliance in the event of regulatory review.
While data subject rights are robust, these targeted exemptions ensure that organizations can protect sensitive information, manage resources efficiently, and uphold the privacy of all individuals involved. If you’re unsure how to handle a specific exemption, consult your Data Protection Officer or seek legal guidance to ensure your DSAR process remains fully compliant.
Documenting Your DSAR Process
Documenting Your DSAR Process is essential for both compliance and operational efficiency. Whether you're handling a GDPR DSAR or a CCPA DSAR, a well-documented approach ensures that every data privacy request is managed consistently, securely, and in accordance with regulatory requirements. Proper documentation not only safeguards your organization during audits or disputes but also builds trust with individuals exercising their data subject rights.
Here's how we can create and maintain a robust DSAR documentation process:
- Map Your Data Flows: Start by identifying where personal data (PII) is stored, processed, and transferred within your organization. This step is crucial for efficient PII access request handling and accurate DSAR fulfillment.
- Designate Roles & Responsibilities: Clearly outline who manages each stage of a DSAR—from initial intake to identity verification and final response. Assigning responsibilities avoids confusion and ensures accountability.
- Standardize Procedures: Develop step-by-step procedures for receiving, verifying, processing, and responding to each data privacy request. Include templates for communications, checklists for required actions, and escalation paths for complex requests.
- Record Keeping: Maintain detailed logs of every DSAR received, including dates, requestor details, nature of the request, actions taken, and the outcome. This documentation is key for demonstrating compliance under GDPR DSAR and CCPA DSAR requirements.
- Security & Confidentiality: Ensure that all records related to DSARs are stored securely and access is restricted to authorized personnel. Document your methods for safeguarding both the request process and any data disclosed.
- Regular Review & Updates: Schedule periodic reviews of your DSAR process documentation. Update procedures in response to changes in regulations, new technologies, or internal process improvements.
- Employee Training: Document your training protocols so staff understand their role in DSAR fulfillment and the importance of protecting subject access rights.
By keeping your DSAR process documented and up to date, you not only support regulatory compliance but also empower your team to deliver transparent, timely, and respectful responses to every data subject rights request. This proactive approach helps minimize risk and enhances the reputation of your organization as a trustworthy steward of personal data.
Tools for Managing DSARs
Managing DSARs efficiently is essential for compliance with evolving privacy laws such as GDPR and CCPA, and for building trust with your customers. As requests for personal data—often referred to as a data privacy request or PII access request—continue to rise, dedicated tools and platforms have become vital for organizations of all sizes.
Specialized DSAR management tools offer a streamlined approach to fulfilling subject access rights by automating and organizing each step of the process. These solutions not only help meet legal requirements, but also reduce manual effort, minimize errors, and protect sensitive information throughout the DSAR fulfillment lifecycle.
- Centralized Request Intake: Most DSAR tools provide a secure portal where individuals can submit data privacy requests. This ensures all GDPR DSAR and CCPA DSAR submissions are tracked and documented in one place.
- Identity Verification: To prevent unauthorized access, robust platforms integrate multi-factor authentication or document upload steps to verify the identity of the requester before sharing personal data.
- Automated Data Discovery: These tools often connect with internal systems and databases to quickly locate and gather all relevant PII for the individual, reducing the risk of missing or incomplete responses.
- Data Review and Redaction: Built-in review features allow organizations to easily redact sensitive information related to other individuals, ensuring only the appropriate data is disclosed in response to each request.
- Workflow Management: Assign tasks, set deadlines, and send reminders to ensure the DSAR fulfillment process stays on track and meets regulatory timelines.
- Audit Trails and Reporting: Comprehensive logs track every action taken during the DSAR process, supporting regulatory audits and demonstrating compliance with data subject rights requirements.
Choosing the right DSAR solution depends on your organization’s size, the volume of requests, and your existing IT infrastructure. Many platforms are designed to be user-friendly and integrate with common data sources, reducing onboarding time and helping your team focus on fast, secure, and accurate responses.
By adopting a dedicated DSAR management tool, we can ensure that every data privacy request—whether a GDPR DSAR, CCPA DSAR, or other PII access request—is handled with care, efficiency, and full respect for data subject rights. Investing in these solutions not only keeps us compliant but also strengthens our reputation as a privacy-conscious organization.
Whether you’re an individual curious about your own data, or an organization aiming for seamless DSAR fulfillment, understanding the process is essential. Embracing data privacy requests and respecting data subject rights isn’t just about compliance; it’s about building trust and transparency with everyone whose data you handle.
As requests for PII access become more common, having a clear and efficient process for managing GDPR DSAR and CCPA DSAR obligations will set your organization apart. Not only does this reduce risk, but it also demonstrates a genuine commitment to user privacy at every step.
By putting people first and responding to each data privacy request with care, we help create a safer, more transparent digital world—one where data subject rights are respected and protected. Now is the perfect time to review, refine, or even automate your DSAR process, so you’re ready to meet the expectations of today’s privacy-conscious world.
FAQs
What does DSAR stand for?
DSAR stands for Data Subject Access Request. This term refers to a formal request made by an individual (the "data subject") to access the personal data that an organization holds about them. Under major privacy laws like the GDPR (General Data Protection Regulation) in the EU and the CCPA (California Consumer Privacy Act), individuals have specific subject access rights that allow them to make these requests.
When someone submits a DSAR—often called a data privacy request or PII access request—the organization is required to locate, compile, and share the relevant personal data in a timely manner. This process is crucial for DSAR fulfillment and ensures that individuals can exercise their data subject rights to transparency and control over their information.
Whether it's a GDPR DSAR or a CCPA DSAR, the main goal remains the same: empower people to understand and manage the data organizations store about them. This practice builds trust and helps companies stay compliant with evolving data privacy regulations.
Under which laws can someone make a DSAR?
Individuals can make a Data Subject Access Request (DSAR) under several major data privacy laws, most notably the General Data Protection Regulation (GDPR) in the European Union and the California Consumer Privacy Act (CCPA) in California. Both laws are designed to give people enhanced subject access rights, allowing them to request information about the personal data organizations hold and how it’s used.
Under the GDPR, any individual in the EU or EEA can submit a GDPR DSAR to organizations that process their personal data. This includes requests for access, correction, deletion, or even restriction of processing. The GDPR sets a strong global standard for DSAR fulfillment and is the model many other countries look to when drafting privacy laws.
In the U.S., the CCPA allows California residents to make a CCPA DSAR, also known as a data privacy request or PII access request. This law empowers residents to know what personal information (PII) is being collected, request its deletion, and opt out of its sale. Similar rights are emerging in other U.S. states and countries, making data subject rights a growing global trend.
While GDPR and CCPA are the most well-known, more data privacy laws around the world are beginning to include DSAR provisions. If you interact with organizations that are subject to these laws, you have the right to submit a DSAR and receive a transparent response about your data.
How long do I have to respond to a DSAR?
When it comes to responding to a Data Subject Access Request (DSAR), timing is crucial for both compliance and customer trust. Under the GDPR DSAR rules, organizations are required to respond to a data privacy request within one month (30 days) from receipt. If a request is particularly complex or involves a large volume of information, you may extend this period by an additional two months—but you must inform the requester within the initial 30 days and explain why more time is needed.
For CCPA DSAR requests, the requirement is slightly different. Businesses must respond to a verifiable request within 45 days. If reasonably necessary, you can take one 45-day extension, but only if you notify the individual within the first 45 days and explain the reason for the delay.
Prompt DSAR fulfillment is not just about ticking a compliance box—it’s about respecting data subject rights and building trust. Always make sure your team is ready to handle a PII access request quickly and transparently. Document your response times and keep the requester informed throughout the process to ensure a positive experience and full compliance with data privacy regulations.
Can a DSAR be refused?
In most cases, a DSAR (Data Subject Access Request) cannot be refused. Both the GDPR and CCPA are designed to uphold subject access rights, meaning organizations are generally required to fulfill any valid data privacy request that allows individuals to access their personal data (PII). This process is at the core of GDPR DSAR and CCPA DSAR compliance, ensuring transparency and trust.
However, there are limited exceptions where an organization can refuse a DSAR. If a request is deemed “manifestly unfounded” (for example, if it is intended to harass or has no real purpose) or “excessive” (such as repeated requests for the same information), an organization may lawfully decline the request. Even then, the refusal must be justified, documented, and communicated clearly to the individual, with information about their right to challenge the decision.
Organizations should assess each PII access request on a case-by-case basis, rather than using blanket policies. If you’re managing DSAR fulfillment, always ensure your reasons for refusal are solid and well-documented, as regulators may review your decision. Ultimately, these exceptions are narrowly interpreted to protect data subject rights while preventing misuse of the process.
What information must be provided in a DSAR response?
When responding to a DSAR (Data Subject Access Request), organizations must provide all personal information they hold about the individual making the request. This includes any data that can identify the person—such as names, contact details, account information, transaction records, or correspondence. Both the GDPR DSAR and CCPA DSAR require organizations to be thorough and transparent, ensuring the individual’s subject access rights are respected.
You are also required to explain how and why this data is being processed, who it is shared with, and how long it will be retained. If the data was obtained from a third party, this must also be disclosed. For a PII access request, organizations should include any information used to make decisions about the individual or that forms part of a filing system.
However, you should not include information that would reveal another person’s identity or breach their privacy. Internal notes, confidential business information, or data unrelated to the requester can be redacted. The key to DSAR fulfillment is balancing transparency with the protection of others’ data and your organization’s sensitive information.
Overall, the response should be comprehensive, accurate, and easy to understand. This builds trust and demonstrates your commitment to data subject rights and compliance with global privacy laws.