Data Subject Access Request (DSAR) Handling
Plain English Translation
Under GDPR Article 15, organizations must answer a data subject access request (DSAR) by confirming whether they process an individual's personal data. If they do, the organization must provide the individual with a copy of that data along with context about how it is used, such as processing purposes and data recipients. The GDPR's one-month response timeline requires fulfilling these access requests without undue delay to ensure transparency and uphold privacy rights.
Technical Implementation
Required Actions (startup)
- Set up a dedicated privacy email address to formally receive DSARs.
- Create a basic spreadsheet to log and track DSAR requests for audit purposes.
Required Actions (scaleup)
- Implement an automated identity verification process to ensure the requester is the actual data subject.
- Map internal data stores and vendor applications to quickly locate user data across the ecosystem.
Required Actions (enterprise)
- Deploy a centralized DSAR automation platform integrating with all data sources to systematically compile personal data.
- Establish automated workflows for data redaction to securely protect third-party information before delivery.
Evidence Required
A data subject access request (DSAR) is a mechanism under GDPR Article 15 that allows individuals to ask an organization whether it is processing their personal data. If the organization is processing their data, the individual has the right to receive a copy of that data and supplementary information about the processing activities.
Organizations must provide a complete copy of the personal data undergoing processing. Additionally, GDPR requires disclosure of the processing purposes, categories of data, recipients, retention periods, and a reminder of the user's other data protection rights.
The GDPR's standard one-month timeline requires organizations to respond to a request without undue delay and at the latest within one month of receipt. The clock starts as soon as the request is received and the identity of the requester is verified.
The deadline can be extended by a further two months if the request is particularly complex or if the organization has received numerous requests from the individual. To use this extension, the organization must inform the data subject of the delay and the reasons for it within the initial one-month period.
You must use all reasonable measures to confirm the identity of the data subject making the request, especially when fulfilling online requests. Verifying identity for a DSAR often involves asking the user to securely log into their account portal or requesting additional, proportionate identification documents.
Organizations must search all structured and unstructured data repositories where the individual's personal data is stored or processed. This typically includes production databases, CRM systems, email archives, customer support ticketing platforms, and relevant third-party vendor environments.
Under GDPR, a DSAR can be refused if it is manifestly unfounded or excessive, particularly if it is highly repetitive. Organizations can also refuse to provide specific data points if fulfilling the request would adversely affect the rights and freedoms of others, such as compromising trade secrets.
GDPR grants the right of access to the personal data itself, not inherently to the original source documents containing the data. However, providing a secure copy of the document or a relevant extract is often the most practical way to fulfill the request, provided that other people's personal information is redacted.
When a source document contains personal data belonging to both the requester and other individuals, you must carefully redact the third-party information before delivery. This ensures that fulfilling the DSAR does not compromise the privacy, rights, or freedoms of other natural persons.
To log and track DSAR requests for audit, organizations should maintain a comprehensive data subject request log. This log must record the initial request date, identity verification steps taken, search scope, any applied exemptions, and the final response delivery date to explicitly prove compliance with the one-month deadline. Tools like WatchDog Security's Compliance Center can help maintain auditable records and attach supporting evidence to each request entry.
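The timeline rules above (one-month clock from receipt and identity verification, a two-month extension that only counts if notice went out within the initial month) and the log fields just listed can be combined into a minimal request log. The following is an added example, not code from the page or from WatchDog Security's products; the record fields, status names and sample entries are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional
import calendar


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic; the day is clamped to the target month's length."""
    m = d.month - 1 + months
    y, m = d.year + m // 12, m % 12 + 1
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))


@dataclass
class DsarRecord:
    """One entry of the data subject request log (hypothetical field set)."""
    request_id: str
    received: date
    identity_verified: Optional[date] = None
    search_scope: list = field(default_factory=list)
    exemptions: list = field(default_factory=list)
    extension_notice_sent: Optional[date] = None
    response_delivered: Optional[date] = None

    def clock_start(self) -> Optional[date]:
        # The one-month clock runs from receipt once identity has been verified.
        if self.identity_verified is None:
            return None
        return max(self.received, self.identity_verified)

    def deadline(self) -> Optional[date]:
        start = self.clock_start()
        if start is None:
            return None
        initial = add_months(start, 1)
        # The two-month extension only counts if notice was sent within the initial month.
        if self.extension_notice_sent and self.extension_notice_sent <= initial:
            return add_months(start, 3)
        return initial

    def status(self, today: date) -> str:
        due = self.deadline()
        if due is None:
            return "awaiting_verification"
        if self.response_delivered is not None:
            return "closed_on_time" if self.response_delivered <= due else "closed_late"
        return "overdue" if today > due else "open"


def log_summary(log, today_iso: str) -> dict:
    """Status of every entry as of an ISO date, for the audit report."""
    today = date.fromisoformat(today_iso)
    return {r.request_id: r.status(today) for r in log}


# Constructed sample entries (not real requests). DSAR-003's notice came too late to extend.
SAMPLE_LOG = [
    DsarRecord("DSAR-001", date(2026, 1, 31), date(2026, 2, 2), ["crm", "ticketing"]),
    DsarRecord("DSAR-002", date(2026, 1, 10), date(2026, 1, 10), ["crm"],
               ["third-party data redacted"], extension_notice_sent=date(2026, 2, 5)),
    DsarRecord("DSAR-003", date(2026, 1, 5), date(2026, 1, 5), ["email"],
               extension_notice_sent=date(2026, 2, 20)),
    DsarRecord("DSAR-004", date(2026, 2, 25)),
]
```

Run `log_summary(SAMPLE_LOG, "2026-03-01")` to see DSAR-003 flagged as overdue because its late extension notice did not move the deadline.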
DSAR handling often fails when requests are scattered across inboxes and timelines are tracked inconsistently. Tools like WatchDog Security's Compliance Center can help centralize evidence of the DSAR process (intake, status, timestamps, and completion) and highlight gaps against GDPR Article 15 expectations so teams can demonstrate timely handling during audits.
DSAR responses can include sensitive personal data, so delivery channels must reduce interception and provide proof of access. Tools like WatchDog Security's Secure File Sharing can help by using encrypted sharing, TOTP verification, and audit logs to document when the response package was accessed without relying on email attachments.
"1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information: (a) the purposes of the processing; (b) the categories of personal data concerned; (c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;"
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-23 | WatchDog Security GRC Team | Initial publication |