GDPR Subject Access Requests (DSAR): How to Respond (2026)

A Data Subject Access Request (DSAR) is a formal request under Article 15 of Regulation (EU) 2016/679 (the GDPR) in which an individual asks an organisation to confirm whether it holds personal data about them and, if so, to provide a copy. Organisations covered by the GDPR must respond within one calendar month of receiving the request, at no charge, in a concise and intelligible form.
For background on the regulation as a whole, see our overview of what GDPR is. For the complete set of rights data subjects hold, including the right to erasure and the right to object, see GDPR data subject rights.
What Is a DSAR and Who Can Make One?
A DSAR is any communication, in any format, through which a natural person exercises the right of access under Article 15. The requester does not need to cite Article 15 or complete any form the organisation provides. "What information do you hold about me?" is a valid DSAR.
The right belongs exclusively to natural persons: living individuals whose personal data is being processed. Companies and other legal entities cannot make a DSAR. Deceased individuals are generally outside the GDPR's scope, though several EU Member States grant access rights to estate representatives or next of kin.
A request can be made directly or through an authorised representative such as a lawyer or parent acting for a child under 16. Where a request arrives through a representative, the controller should verify authorisation before disclosing data, but that step does not extend the one-month clock.
Requests can be made verbally or in writing, by email, post, or any other means. Article 12(1) requires responses in clear and plain language; Recital 59 encourages controllers to make submission easy, including electronically. Online portals or dedicated email addresses are best practice but not legally required.
The right applies to all personal data a controller processes about the data subject in any format (electronic or paper, structured or unstructured, current or archival) subject to the exemptions discussed below.
Jurisdictional Scope
This article addresses the right of access under EU GDPR and EDPB guidance. It applies to EU/EEA-established organisations and to non-EU organisations that target goods or services at EU/EEA individuals or monitor their behaviour (Article 3(2)). The UK GDPR is materially identical; differences are noted throughout. Canadian, US, and other national analogues are outside scope.
What Information Must an Organisation Provide?
Article 15(1) and 15(3) require two distinct things: confirmation that processing is occurring (or that no data is held), and a copy of the personal data together with supplementary information.
The Copy of Personal Data
Article 15(3) requires "a copy of the personal data undergoing processing": the actual data, not a description. If a controller holds an email thread, account record, call recording, CCTV clip, or credit application containing the requester's personal data, the requester is entitled to a copy unless an exemption applies.
EDPB Guidelines 01/2022 on the right of access (version 2.1, adopted 28 March 2023) confirm that "copy" means a faithful reproduction, not a summary or a data-portability export. The Article 15 copy right and the Article 20 data portability right are separate: portability applies only where the legal basis is consent or contract and processing is automated.
Where the controller processes large volumes of data, Recital 63 states the controller "should be able to request that, before the information is delivered, the data subject specify the information or processing activities to which the request relates." This is a practical management tool, not a right to refuse or require narrowing as a condition of responding.
Supplementary Information Required by Article 15(1)
| Article 15(1) Provision | What the Controller Must Explain |
|---|---|
| (a) Purposes of processing | Why the organisation holds the data, by each specific purpose |
| (b) Categories of personal data | Types held: contact, financial, health, location data, etc. |
| (c) Recipients or categories of recipients | Every third party to whom data has been or will be disclosed; for third-country recipients, the Article 46 safeguards must also be identified |
| (d) Envisaged retention period | The specific period or the criteria used to determine it |
| (e) Rights to rectification, erasure, restriction, and objection | Information about the data subject's rights under Articles 16, 17, 18, and 21 |
| (f) Right to lodge a complaint | Name and contact details of the relevant national data protection authority |
| (g) Source of the data | Where data was not collected directly from the data subject, the source from which it was obtained |
| (h) Automated decision-making and profiling | Where Article 22 applies, meaningful information about the logic, significance, and envisaged consequences |
Item (g) (the source of third-party data) is among the most commonly cited deficiencies in enforcement actions. If the controller purchased a marketing list or obtained data from a broker, it must disclose that source.
For third-country transfers, item (c) requires disclosure of the specific safeguard: standard contractual clauses, an adequacy decision, binding corporate rules, or another Article 46 mechanism.
How Long Does an Organisation Have to Respond?
Article 12(3) requires a response without undue delay and in any event within one month of receiving the request. "Receiving" means the day the request reaches the organisation, not the day an employee reads it.
The Two-Month Extension
Article 12(3) permits a two-month extension where the request is complex or the controller has received numerous requests simultaneously. Complexity means requests requiring substantial effort across multiple systems or raising difficult scope or exemption questions, not simply that the controller holds a lot of data.
The extension notice must reach the data subject before the initial one-month period expires; a notice sent in month two is invalid. The notice must identify the specific reason; a boilerplate "complexity" notice without particulars does not satisfy EDPB Guidelines 01/2022.
| Situation | Deadline |
|---|---|
| Standard request | 1 month from receipt |
| Complex or numerous requests | 3 months from receipt, provided extension notice sent within month 1 |
| Controller refuses the request | Must notify data subject within 1 month under Article 12(4), with reasons and remedy information |
When the Clock Starts
The clock starts on receipt, not on identity verification. Where the controller cannot identify the data subject without additional information, it may request the minimum necessary for identification; the clock is effectively paused during that period. Controllers cannot routinely demand government-issued photo ID from every requester as a delay tactic.
How Must the Response Be Delivered?
Article 12(3) requires information in writing or by other means, including electronic means where appropriate. Article 15(3) adds that where the request is made electronically, the response must be in a commonly used electronic format unless the data subject requests otherwise. PDF, Word, Excel, or a secure portal all qualify. A proprietary format requiring specialist software the requester is unlikely to have does not.
The response must meet Article 12(1) standards: concise, transparent, intelligible, and in clear and plain language. A data dump of raw database fields with no explanation of what each field means would likely fail the intelligibility requirement under EDPB guidance even if it contains all required data.
Where the data includes special categories under Article 9 (health records, racial or ethnic origin, biometric data), sending it over unencrypted email or through a portal with inadequate access controls constitutes a personal data breach as well as a deficient DSAR response. Controllers should use encrypted transmission for any response containing Article 9 data.
Identity Verification: What Controllers Can and Cannot Require
Recital 64 states that controllers should use "all reasonable measures to verify the identity of a data subject who requests access." Verification is permitted but must be proportionate; controllers cannot request more information than necessary.
If the controller already holds the data subject's email address and the request arrives from that address, requiring government-issued photo ID is disproportionate. If an individual contacts an organisation for the first time by post claiming to be a customer, asking for account details to confirm identity is reasonable.
Controllers should not:
- Routinely require certified passport or driving licence copies when the request comes from an existing customer's registered email address.
- Require in-person verification unless a mistake in disclosure would cause serious harm.
- Use verification as a pretext to push responses past the one-month deadline.
Refusing a DSAR or Charging a Fee
The "Manifestly Unfounded or Excessive" Threshold
Article 12(5) is the only ground for charging a fee or refusing to act: the request must be "manifestly unfounded or excessive, in particular because of their repetitive character." Repetition is an indicator, not a sufficient condition. A requester submitting a second DSAR six months after the first (because new processing has occurred or the first response was deficient) is not making a repetitive request under Article 12(5).
The burden is on the controller. Article 12(5) states explicitly: "the controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request." Supervisory authorities have repeatedly fined organisations that refused DSARs on vague "excessive" grounds.
Where the threshold is met, the controller has two options: charge a reasonable fee reflecting administrative costs, or refuse to act. On refusal, the Article 12(4) procedure applies: notify the data subject within one month, explain the reason, and inform them of their right to complain to a supervisory authority and seek judicial remedy.
Fees for Additional Copies
Article 15(3) separately permits a fee for "any further copies requested by the data subject," meaning additional copies of data already disclosed, not new DSARs about newly processed data. This provision is narrow and rarely applicable.
Exemptions: When Personal Data Can Be Withheld
Article 23 permits EU Member States to restrict the right of access in defined circumstances. National implementing rules vary significantly.
Common exemption categories:
Prevention, investigation, and prosecution of criminal offences. Most Member States allow law enforcement and regulatory bodies to withhold data where disclosure would prejudice an investigation.
National security and intelligence. Standard across Member State implementing laws.
Legal professional privilege. Communications between client and lawyer, or preparatory work for legal proceedings, may be withheld where Member State law preserves the exemption.
Confidential commercial information and trade secrets. A restriction may apply only to the extent strictly necessary to protect information that is the organisation's own, not the data subject's.
Employment and negotiations. Several Member States permit withholding where the employer's management or negotiation strategy would be disclosed.
Exemptions limit what data is disclosed, not whether the organisation must respond. Even where an exemption applies to part of the data, the organisation must respond within the deadline, acknowledge it holds data, disclose everything that is not exempt, and tell the data subject that some data was withheld and why.
UK Exemptions
The UK GDPR incorporates a broader exemption schedule through Schedules 2 to 4 and Part 4 of the Data Protection Act 2018, including a management forecasting and planning exemption where disclosure would prejudice the conduct of the business.
Third-Party Data: Redaction, Not Refusal
When data held about the requester also includes personal data about other individuals (common in employment disputes, consumer complaints, and healthcare records), the correct approach under Article 15 and EDPB Guidelines 01/2022 is targeted redaction, not wholesale refusal.
The controller must provide the data subject's own personal data while redacting third-party personal data where disclosure would infringe those parties' rights. Factors to weigh:
- Whether the third party has consented to disclosure.
- Whether the requester already knows the third party's identity (if the third party is the requester's line manager named in a performance review, their name is not protected from disclosure in that document).
- Whether it is reasonable in all the circumstances to provide the information without the third party's consent.
- Whether the third-party information is so intertwined with the requester's data that effective redaction is impossible.
Supervisory authorities have consistently rejected using third-party data protection as a blanket justification for withholding entire documents when targeted redaction is feasible.
Common Mistakes in DSAR Responses
Missing the deadline without a valid extension. Controllers that treat one month as a target rather than a legal requirement face fines and enforcement notices.
Providing incomplete responses. Ignoring archived or backup systems, offline files, or data held by processors is a recurring deficiency. The response must cover all personal data the controller holds in any format.
Asking for excessive identification. Requiring government-issued photo ID from existing customers via known channels delays responses and may itself constitute a GDPR infringement.
Failing to identify the source of third-party data. Article 15(1)(g) is systematically omitted. Where data came from a broker, referral partner, or public source, that must be disclosed.
Redacting the requester's own data. A controller cannot redact the requester's personal data from their DSAR response on the basis that it also appears alongside third-party data.
Refusing on "manifestly unfounded" grounds without evidence. Refusing because the request is inconvenient, involves litigation, or requires significant work does not meet the Article 12(5) threshold.
Sending unencrypted special-category data. Transmitting Article 9 data over unencrypted email combines a DSAR failure with a personal data breach.
Ignoring verbal requests. Article 12(1) permits verbal requests. Controllers that only accept written or online-form DSARs risk missing legitimate requests; frontline staff need training to recognise and escalate them.
A Step-by-Step DSAR Response Workflow
Step 1: Recognise the request. Train all staff who interact with customers, employees, or the public to recognise DSARs regardless of the words used. Log the date of receipt immediately.
Step 2: Identify the data subject. Confirm whether the person can be identified from information provided. If not, request the minimum additional information needed. Document why it is required.
Step 3: Start the clock. Record the date of receipt. Set a 28-day internal deadline to allow preparation time before the one-month hard deadline.
Step 4: Search all systems. Search all databases, email archives, paper files, and records held by processors on your behalf. The search must be comprehensive.
Step 5: Assess for exemptions and third-party data. Review located data against applicable Article 23 national exemptions. For records also containing third-party personal data, determine whether targeted redaction is feasible.
Step 6: Consider extension. If the request is genuinely complex or you have received numerous simultaneous requests, document the decision to extend and send the extension notice before the one-month deadline.
Step 7: Prepare the response. Compile the data copy plus all Article 15(1)(a) to (h) supplementary information. Use a commonly used electronic format if the request was made electronically.
Step 8: Deliver securely. Use encrypted transmission for Article 9 data. Record what was sent, when, and in what format.
Step 9: Document the process. Under the Article 5(2) accountability principle, maintain a DSAR log: date received, identity verification steps, search methodology, data disclosed, exemptions applied, extension notice (if any), and date the response was issued.
Step 10: Handle follow-up requests. Treat any follow-up inquiry about completeness, or any request about newly generated data, on its own terms.
The UK Equivalent: Subject Access Requests Under the UK GDPR
Following Brexit, the UK retained the GDPR as the "UK GDPR" through the European Union (Withdrawal) Act 2018, supplemented by the Data Protection Act 2018. The one-month deadline, the scope of information to be provided, the fee rules, and the refusal grounds are all preserved in the UK text.
Key differences:
- Enforcement falls to the ICO, not an EU supervisory authority. Post-Brexit transfers from the EU to the UK require an adequacy decision (adopted by the European Commission on 28 June 2021) or an appropriate safeguard.
- The Data Protection Act 2018 Schedules 2 to 4 contain additional UK-specific exemptions: management forecasting, negotiations, and expanded law enforcement exemptions.
- Organisations operating in both the EU and UK may face concurrent obligations: a DSAR from an EU resident implicates EU GDPR; a DSAR from a UK resident implicates UK GDPR.
For detailed ICO guidance, see ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/right-of-access/.
DSARs in the Employment Context
Employment generates more DSARs than almost any other relationship, particularly when employment is ending or has recently ended.
Litigation does not create an exemption. A threatened or active employment tribunal does not make a DSAR manifestly unfounded or excessive. Supervisory authorities and the ICO have consistently confirmed this. Refusing an employment DSAR because litigation is anticipated will almost certainly generate an additional enforcement complaint.
Business confidentiality is narrow. Performance management documentation, disciplinary notes, and meeting records contain the employee's own personal data and must be disclosed. The controller can redact opinions about other employees but cannot redact the requester's own data.
Legal professional privilege applies to specific documents only. Where an employment lawyer advised the organisation in anticipation of litigation, those privileged communications may be withheld. Only those specific documents are covered, not entire HR file categories.
References and interview notes are personal data. References about an employee and interview scoring sheets are the employee's personal data and must generally be disclosed, subject only to targeted redaction of other individuals' information.
DSARs and Automated Decision-Making
Where the controller uses automated decision-making or profiling producing legal or similarly significant effects, Article 15(1)(h) requires the DSAR response to include "meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject."
EDPB Guidelines 06/2022 on automated decision-making clarify that "meaningful information about the logic" need not be the entire algorithm or source code, but must go beyond a vague description. The data subject is entitled to understand: what inputs were used; what the algorithm does with them; what the output was in their specific case; and what consequences that output carries.
This applies in credit scoring, insurance underwriting, recruitment screening, and content moderation. A credit refusal triggered by an automated assessment without meaningful explanation of the model violates both Article 15(1)(h) and Article 22(3)'s right to human review.
DSAR Enforcement: What Regulators Have Done
Common enforcement themes across EDPB-member supervisory authorities:
Financial services. Banks and insurers have been fined for incomplete responses, particularly by failing to disclose data held in legacy systems or by processors.
Health sector. Hospitals and health insurers have been sanctioned for missed deadlines and for refusing to disclose records because of third-party clinical data that could have been redacted.
Technology companies. Large platforms have faced scrutiny for responses in non-machine-readable proprietary formats that prevented data subjects from understanding their data.
Employers. Employers who refuse DSARs on "litigation" or "excessive" grounds without evidence consistently face adverse findings.
The EDPB publishes a central register of enforcement actions at edpb.europa.eu/about-edpb/who-we-are/members_en and through individual national DPA websites.
How the Right of Access Relates to Other GDPR Rights
The right of access typically precedes the exercise of other rights. A data subject who does not yet know what data is held often submits a DSAR first, then uses the disclosed information to decide whether to request rectification under Article 16, erasure under Article 17 (see GDPR right to be forgotten), restriction under Article 18, or objection under Article 21.
The right of access is distinct from the right to data portability under Article 20. Portability applies only where the legal basis is consent or contract and processing is automated; it requires data in a structured, machine-readable format. Article 15's right to a copy applies regardless of legal basis but has a less demanding format requirement.
A DSAR is also not a freedom-of-information request. FOIA and equivalent laws give rights to information held by public authorities about their public functions. A DSAR gives rights to personal data about the specific individual making the request. Both rights may arise simultaneously when a data subject contacts a public authority, and many public sector organisations process them in parallel.
Disclaimer: This article provides general legal information about the GDPR right of access (Article 15) and data subject access requests. It does not constitute legal advice and is not a substitute for advice from a qualified lawyer licensed in your jurisdiction. GDPR law and its interpretation by supervisory authorities and courts evolves continuously; the information in this article was verified as of June 2026. If you are responsible for DSAR compliance at an organisation, or if you are seeking to exercise your data subject rights, consult a data protection professional or lawyer qualified in the relevant EU Member State or UK jurisdiction.
Sources and References
The sources for this article are listed below, drawn exclusively from official EU institutions, EU supervisory authorities, and national data protection authorities.
- Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation), Article 15 (Right of access by the data subject) (eur-lex.europa.eu)
- Regulation (EU) 2016/679, Article 12 (Transparent information, communication and modalities for the exercise of the rights of the data subject) (eur-lex.europa.eu)
- Regulation (EU) 2016/679, Recital 63 (Right of access to personal data) (eur-lex.europa.eu)
- Regulation (EU) 2016/679, Recital 64 (Identity verification for data subject access requests) (eur-lex.europa.eu)
- European Data Protection Board, Guidelines 01/2022 on data subject rights - Right of access, Version 2.1, adopted 28 March 2023 (edpb.europa.eu)
- European Data Protection Board, Guidelines 06/2022 on the application of Article 65(1)(a) GDPR (Automated Individual Decision-Making and Profiling) (edpb.europa.eu)
- Information Commissioner's Office (UK), Right of access guidance under the UK GDPR (ico.org.uk)
- Irish Data Protection Commission, Right to access information under GDPR Article 15 (dataprotection.ie)
- European Commission, Adequacy decision for the United Kingdom, 28 June 2021 (ec.europa.eu)
- European Union (Withdrawal) Act 2018 (UK) and Data Protection Act 2018, Schedule 2 (exemptions from the right of access) (legislation.gov.uk)