
Handling Data Subject Access Requests (DSARs) Under GDPR

Data Subject Access Requests (DSARs) are a fundamental aspect of the GDPR, granting individuals the right to access their personal data held by an organization. Handling these requests efficiently is not only a legal requirement but also a crucial element of customer trust and data management. This guide will provide a comprehensive overview of how to effectively manage DSARs.

Understanding DSARs

DSARs enable individuals to see what personal data an organization holds about them, why it's being processed, and who it's being shared with. This right is not limited to customers; it also applies to employees, contractors, and any other individuals whose data you may process.

Step-by-Step Process for Handling DSARs

1. Identification and Verification

Upon receiving a DSAR, the first step is to confirm the identity of the requester. This is to ensure that you're not disclosing personal data to an unauthorized person. The verification process should be reasonable; for instance, if the request is made by a current customer, confirmation via their existing account details might suffice.

2. Understanding the Request

Establish exactly what the requester is seeking. They may want all the data you hold on them, or they may be looking for specific information. Clarify this to avoid unnecessary data processing.

3. Data Collection

Collect the data requested. This involves searching your databases, emails, and other storage systems. Remember, personal data isn't just limited to digital formats; it also includes paper records.

4. Reviewing and Redacting

Review the collected data. Redact any information that relates to other individuals or is otherwise exempt from access under GDPR. This step is crucial for maintaining the privacy rights of third parties.

5. Responding to the Request

Once the data is ready, provide it to the requester in a clear and accessible format. The GDPR requires that the information be provided in a "concise, transparent, intelligible, and easily accessible form."


Under GDPR, you are required to respond to a DSAR without undue delay and in any event within one month of receipt of the request. This period can be extended by two further months where necessary, taking into account the complexity and number of the requests. If you extend the deadline, inform the individual within the first month and explain the reasons.

Dealing with Complex Requests

Some DSARs may be broad or complex, particularly if the individual has had extensive dealings with your organization. In such cases, it may be reasonable to ask the requester to specify the information or processing activities their request relates to. However, you cannot refuse to respond to a DSAR merely because it is complex or voluminous.

Excessive or Unfounded Requests

If requests are manifestly unfounded or excessive, particularly if they are repetitive, you may charge a reasonable fee for the administrative costs or refuse to act on the request. However, you must justify this decision and inform the individual of their right to complain to the supervisory authority and to seek a judicial remedy.

Best Practices

  • Train Your Staff: Ensure your team understands what a DSAR is and the importance of handling it correctly.

  • Establish a Clear Process: Have a defined process for handling DSARs to ensure efficiency and consistency.

  • Maintain Accurate Records: Keep records of all DSARs and your responses to demonstrate compliance with GDPR.


Effectively handling DSARs is a critical component of GDPR compliance. It requires a well-organized approach, attention to detail, and an understanding of the rights of individuals under the regulation. By following these guidelines, organizations can not only comply with the law but also demonstrate their commitment to data privacy and customer trust.

