Beginner’s Guide to Data Subject Access Requests (DSARs): What They Are and How to Submit One


Kevin Henry

Data Privacy

March 12, 2025

6 minutes read

This beginner’s guide explains what a Data Subject Access Request (DSAR) is, how it works under the GDPR’s Right of Access, and the practical steps to submit one effectively. You will also learn what organizations must do when they receive a DSAR and how fees, timelines, identity verification, and data redaction fit in.

Definition of Data Subject Access Requests

A Data Subject Access Request is a request you make to a data controller asking for access to your personal data and related information they hold about you. It exercises your Right of Access under the GDPR and can cover both current and historical records across relevant systems.

“Personal data” includes any information that identifies you directly or indirectly. You may ask for a copy of your data and details such as processing purposes, Personal Data Categories involved, recipients, storage periods, and safeguards for transfers.

DSARs apply to data controllers. Processors assist controllers but typically do not respond directly unless instructed. You can send a DSAR through any valid channel the organization accepts, including email, web forms, or postal mail.

Rights Under GDPR for Data Access

Under the GDPR’s Right of Access, you can request confirmation of whether your data is processed, obtain a copy, and receive meaningful information about the processing. This includes purposes, Personal Data Categories, recipients (including international transfers), retention periods, data sources, and the Lawful Basis for Processing.

You also have the right to understand automated decision-making that significantly affects you, including profiling logic and consequences. While fulfilling a DSAR, organizations must respect Data Minimization by providing what is necessary and proportionate, and may apply Data Redaction to protect the rights and freedoms of others (for example, removing third-party personal data).

The Right of Access does not override all other rights or legal obligations. Limited exemptions may apply (such as legal privilege or trade secrets), but controllers must explain these and provide non-exempt information where possible.

How to Make a Data Subject Access Request

Step-by-step approach

  • Identify the controller and, if applicable, the Data Protection Officer (DPO) or privacy contact point.
  • Define scope: specify products, interactions, time ranges, systems, or Personal Data Categories to speed up the search.
  • State that you are exercising your GDPR Right of Access and request a copy of your personal data and required supplementary information.
  • Provide Identity Verification details the controller reasonably needs (for example, name, contact information, and limited documentation). Do not send more than necessary.
  • Choose the format you prefer (a commonly used electronic format is typical for digital requests).
  • Keep a copy of your request and note the submission date for timeline tracking.

Sample wording you can adapt

Subject: Data Subject Access Request (Right of Access — GDPR)

Hello, I am exercising my Right of Access and request: (1) a copy of my personal data; and (2) the required information about processing, including purposes, Personal Data Categories, recipients, retention, source, transfers, Lawful Basis for Processing, and any automated decision-making. I prefer an electronic response. If you need Identity Verification or scope clarification, please let me know. Thank you.

You may submit a DSAR verbally or in writing. Written requests help create a clear record and reduce delays from clarification.

Response Timeframes for DSARs

Controllers must respond without undue delay and within one month of receiving your request. If a request is complex or numerous, they may extend by up to two additional months, but must inform you within the first month and explain why.

If the controller reasonably requires Identity Verification or clarification to locate data, the timeline may effectively pause until you provide it. When you submit electronically, the response should generally be provided in a commonly used electronic format unless you request otherwise.

Fee Policies for DSARs

Submitting a DSAR is free of charge. A reasonable fee may be charged only when a request is manifestly unfounded or excessive, or for additional copies of the same data. Any fee should be limited to administrative costs and explained to you in advance.

Organizations should offer alternatives to reduce fees, such as narrowing the scope or selecting fewer copies, consistent with Data Minimization principles.

Information to Include in a DSAR

  • Your full name and contact details, plus any identifiers the organization uses for you (customer ID, account email, or phone number).
  • Proof for Identity Verification if requested (for example, a redacted ID showing name and photo). Avoid sending unnecessary data.
  • Scope details: relevant dates or time ranges, channels used (apps, websites, stores), and Personal Data Categories you want prioritized.
  • Specific questions you want answered (for example, Lawful Basis for Processing, recipients, retention periods, source of data, and international transfers).
  • Preferred delivery format (electronic or paper) and any accessibility needs.
  • Reference numbers for related requests (rectification, erasure, or restriction) to streamline handling.

Organizational Procedures for Handling DSARs

Core workflow

  • Intake and logging: record the DSAR, assign ownership, and start the timeline.
  • Identity Verification and scoping: confirm identity proportionately; clarify scope to focus searches and apply Data Minimization.
  • Discovery and collection: search all relevant systems, archives, and vendors; instruct processors to assist.
  • Review and Data Redaction: remove third-party data, secrets, or privileged content while providing the remainder.
  • Assemble supplementary information: purposes, recipients, retention, source, transfers, automated decisions, and the Lawful Basis for Processing.
  • Respond securely in the requested format, with clear explanations of any exemptions and how to escalate concerns.
  • Post-response actions: update the DSAR register, retain evidence of decisions, and feed insights into training and process improvements.

Governance essentials

  • Appoint a Data Protection Officer or privacy lead to oversee compliance and complex decisions.
  • Maintain playbooks, response templates, and redaction guidelines to ensure consistency.
  • Set service-level targets, build cross-functional search lists, and implement secure channels for delivering files.

Conclusion

A well-scoped DSAR, supported by proportionate Identity Verification, helps you obtain a complete and timely response. For organizations, disciplined intake, Data Minimization, and careful Data Redaction enable compliant, secure, and repeatable handling.

FAQs

What is a data subject access request?

A DSAR is a request you make to a data controller to access your personal data and key details about how it is processed, exercising your GDPR Right of Access.

How long do organizations have to respond to a DSAR?

They must respond within one month of receiving the request, with a possible extension of up to two additional months for complex or numerous requests, provided they notify you within the first month.

Can I submit a DSAR verbally or digitally?

Yes. You can submit verbally or in writing (email or web form). Written requests create a clear record and often speed up processing.

Is there a fee to make a DSAR?

Generally no. A reasonable fee may apply only if the request is manifestly unfounded or excessive, or if you ask for additional copies of the same data.
