What is a Data Subject Access Request (DSAR)?
A Data Subject Access Request (DSAR) is a request by which an individual exercises their GDPR Article 15 right to obtain confirmation of whether their personal data is processed, a copy of that data, and supporting details such as purposes, recipients, and retention. Controllers must respond within one month of receipt, usually free of charge.
The right of access lets people see what an organisation holds about them and check it is being handled lawfully. A request can arrive informally — by email, web form, or even verbally — and the one-month clock under Article 12(3) starts on receipt. That period can be extended by up to two further months for complex or numerous requests, provided you tell the person why within the first month.
For example, a former employee may ask for all the personal data in their HR file; you must locate it across systems, redact third parties' information, and provide a copy. Requests are normally free; a reasonable fee or a refusal is possible only where a request is manifestly unfounded or excessive.
A documented DSAR procedure and response templates make the difference between a calm, on-time response and a missed deadline that draws a complaint. The procedure speeds and standardises your handling — but you still have to actually find, review, and disclose the data within the legal timeframe.
Related terms: Personal Data · Lawful Basis for Processing · Incident Response · Data Classification
Frequently asked questions
- How long do I have to respond to a DSAR?
  One month from receipt under Article 12(3). You may extend it by up to two further months for complex or multiple requests, but you must inform the requester of the extension and the reasons within the first month.
- Can I charge a fee for a DSAR?
  Generally no — access must be free. You may charge a reasonable, cost-based fee or refuse only where a request is manifestly unfounded or excessive, and you must be able to justify that decision.
- Does a DSAR have to be in writing?
  No. A valid request can be made by any means, including verbally, and does not need to mention the GDPR. This is why staff awareness and a clear intake procedure matter.
