Data Subject Access Request (DSAR) Template: Complete Guide for 2026
Under GDPR Article 15, every individual has the right to request access to the personal data an organization holds about them. This is called a Data Subject Access Request (DSAR) or Subject Access Request (SAR). Organizations must respond without undue delay and in any event within one month of receipt (Article 12(3)); failure to comply can result in fines of up to €20,000,000 or 4% of global annual turnover, whichever is higher. This guide covers everything you need to know about handling DSARs, including free templates, checklists, and practical advice.
Your Privacy Policy Is the Foundation of DSAR Compliance
A clear, comprehensive privacy policy documents exactly what data you collect and why — making it significantly easier to locate and compile data when a DSAR arrives. PolicyForge generates GDPR-compliant privacy policies tailored to your specific data practices in under 2 minutes.
What Is a Data Subject Access Request (DSAR)?
A Data Subject Access Request (DSAR) — also known as a Subject Access Request (SAR) — is a legal mechanism under the General Data Protection Regulation (GDPR) that allows any individual (“data subject”) to ask an organization for a copy of the personal data it holds about them. The right of access is codified in GDPR Article 15 and is one of the most frequently exercised data subject rights.
DSARs can come from anyone whose personal data you process: customers, employees, job applicants, website visitors, newsletter subscribers, or any other individual. The request does not need to reference GDPR or Article 15 specifically — any communication that clearly expresses a desire to access personal data should be treated as a DSAR.
Since GDPR came into force in May 2018, DSARs have increased dramatically. The UK Information Commissioner's Office (ICO) reported a 159% increase in subject access complaints between 2018 and 2023. Organizations that are not prepared to handle DSARs efficiently face both regulatory risk and significant operational burden.
Key Point: A DSAR is not just an administrative task; it is a legal obligation. Failing to respond within one month, providing incomplete data, or refusing without valid justification are all enforceable violations under GDPR.
GDPR Article 15: What the Law Actually Requires
Article 15 of the GDPR is the legal basis for data subject access requests. Understanding its exact requirements is essential for compliance. The article grants data subjects the right to obtain from the data controller:
Whether or not their personal data is being processed. If you hold no data about the individual, you must confirm this — a “nil return” is still a valid and required response.
A complete copy of all personal data you hold about the individual, in a commonly used electronic format if the request was made electronically. This includes data in databases, email threads, CRM records, support tickets, logs, and any other system.
A clear explanation of why you are processing their data — marketing, contract performance, legal obligations, analytics, etc. Each processing purpose must be disclosed.
The types of personal data being processed: identity data, contact details, financial data, usage data, location data, health data, biometric data, etc.
Who has received or will receive the data: third-party processors, partners, government agencies, etc. Where possible, name specific recipients rather than just categories.
How long you intend to store the data, or the criteria used to determine that period. “Indefinitely” or “as long as necessary” is not acceptable.
Inform them of their right to rectification, erasure, restriction of processing, and the right to object. Also inform them of their right to lodge a complaint with a supervisory authority.
If the data was not collected directly from the individual, provide information about the source — e.g., a third-party data broker, a referral, public records, or another controller.
If automated decision-making (including profiling) is involved, provide meaningful information about the logic, significance, and envisaged consequences for the data subject.
If data is transferred to a third country or international organization, inform the data subject of the basis for the transfer: an adequacy decision under Article 45, or the appropriate safeguards in place under Article 46 (Standard Contractual Clauses, Binding Corporate Rules, etc.).
PolicyForge makes this easier: When your privacy policy clearly documents processing purposes, recipients, retention periods, and lawful bases, you already have the supplementary information DSAR responses require. Generate your privacy policy →
How to Handle a Data Subject Access Request: Step-by-Step
Handling DSARs correctly requires a systematic process. The following steps cover the complete lifecycle from receiving a request to delivering the response. Having a documented process before you receive your first DSAR is essential; you cannot build the process inside the one-month deadline.
1. Recognize the Request
A DSAR does not have to use specific legal language. Any request such as “I want to know what data you have about me” or “Send me my personal information” qualifies. Train all staff who interact with customers, users, or the public to recognize DSARs — they can arrive via email, social media, phone calls, live chat, postal mail, or even in person.
Common mistake: Routing DSARs through general customer support where they sit in a queue. DSARs have a legal deadline and must be escalated to your data protection team (or designated handler) immediately.
2. Log and Acknowledge
Record the date the request was received; this starts the one-month clock. Log the request in a DSAR tracker that records: the date received, the requestor's identity, the channel used, the assigned handler, and the deadline. Send an acknowledgment to the requestor within 2-3 business days confirming receipt and the expected response date.
Tip: Use a dedicated email address (e.g., privacy@yourcompany.com or dsar@yourcompany.com) and mention it in your privacy policy. This centralizes requests and prevents them from getting lost.
3. Verify Identity
Before disclosing any personal data, verify the requestor is who they claim to be. The level of verification should be proportionate to the sensitivity of the data — do not over-verify to the point of discouraging requests, but do not under-verify and risk disclosing data to the wrong person.
Appropriate verification methods:
- If the request comes from the verified email address on file, this is often sufficient for non-sensitive data. Reply to the address on file rather than trusting the From header of the incoming message, which can be spoofed.
- Ask the individual to confirm details only they would know (account number, recent transaction, date of birth)
- For sensitive data (health, financial), request a copy of government-issued ID, and delete the copy once the check is complete: it is itself sensitive personal data you now have to protect
- For employee DSARs, verify through existing HR authentication channels
- Never request more personal data than necessary for verification, and record which method you used
4. Locate and Compile Data
Search all systems where personal data may be stored. This is often the most time-consuming step. Systems to check typically include:
Digital Systems
- CRM (Salesforce, HubSpot, etc.)
- Email servers and threads
- Databases and application data
- Analytics platforms
- Marketing automation tools
- Cloud storage (Google Drive, Dropbox)
- Support ticket systems
- Payment processors (Stripe, PayPal)
Additional Sources
- CCTV/surveillance footage
- HR and payroll systems
- Backup and archived data
- Physical files and records
- Third-party processors
- Server logs and access logs
- Chat/messaging platforms
- Social media interactions
5. Review and Redact
Before sending data to the requestor, review it carefully. You must not disclose personal data about other identifiable individuals unless they have consented or it is reasonable to disclose without consent. Redact third-party personal data from documents, emails, and records. Also review for any applicable exemptions (see the Exemptions section below).
Important: Redaction must be thorough. A PDF where the "hidden" text can still be selected or copied, or where the original text survives in the file's metadata or revision history, is a data breach in itself. Use a redaction tool that removes the underlying content, then re-open the output and check it, rather than drawing a black box over the text.
6. Prepare and Send the Response
Compile the personal data into a clear, organized format. If the request was made electronically, provide the data in a commonly used electronic format (PDF, CSV, or JSON). Include the supplementary information required by Article 15: processing purposes, categories, recipients, retention periods, rights information, data sources, and automated decision-making details. Send via a secure channel (encrypted email, an authenticated download link that expires, or the platform the request came through), and send it to the address you verified in step 3, not to whatever address appears in the request, so the package cannot be diverted to a look-alike mailbox.
7. Document and Close
Record the response in your DSAR log: what was provided, the date of response, any exemptions applied, and any third-party data redacted. Retain this record for accountability purposes. If you applied any exemptions or extensions, document your reasoning in detail — this is what a supervisory authority will review if the individual complains.
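The review-and-redact step and the log entry from step 7, as an added example in Python; this is not code from the original page or from PolicyForge. It assumes the data compiled in step 4 has been normalised into a list of records (system, field, value), and that a human reviewer has already flagged the third-party names to remove, since a pattern only finds addresses, not bare names. The requester, the ticket text and every address and account number are constructed for the example. The final check returns the list of third-party identifiers that survived, which must be empty before the package is released.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: records compiled from three systems for one requester.
# Every name, address, account number and ticket text here is invented.
REQUESTER_EMAIL = "alice@example.com"
ROLE_MAILBOXES = {"support@example.com"}      # the organisation's own, not a third party
SAMPLE_EXPORT = [
    {"system": "crm", "field": "contact",
     "value": "Alice Example <alice@example.com>, account 10042"},
    {"system": "support", "field": "ticket_body",
     "value": "Ticket 48213 (2026-03-10): Alice reports her colleague Bob Other "
              "(bob@example.org) also cannot log in. Agent note: customer was "
              "polite, escalate to tier 2."},
    {"system": "email", "field": "headers",
     "value": "From: alice@example.com To: support@example.com Cc: bob@example.org"},
]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PLACEHOLDER = "[REDACTED: third-party personal data]"


@dataclass
class RedactionLog:
    """What was removed, from which system and field, and why (for the DSAR log)."""
    entries: list = field(default_factory=list)

    def add(self, system, field_name, kind, original):
        # Record a label and length, not the redacted value, so the log itself
        # does not become a second copy of the third party's data.
        self.entries.append({"system": system, "field": field_name,
                             "kind": kind, "chars": len(original)})


def redact_value(value, system, field_name, keep_emails, flagged_terms, log):
    """Strip other people's identifiers from one exported value.

    keep_emails: the requester's own addresses plus organisational role mailboxes.
    flagged_terms: names or identifiers a human reviewer marked during the review
    step; the regex finds addresses, it does not find a bare name like "Bob Other".
    Staff opinions about the requester ("customer was polite") are the requester's
    personal data and are deliberately left in.
    """
    def replace_email(match):
        addr = match.group(0)
        if addr.lower() in keep_emails:
            return addr
        log.add(system, field_name, "email", addr)
        return PLACEHOLDER

    value = EMAIL_RE.sub(replace_email, value)
    for term in flagged_terms:
        for _ in range(value.count(term)):
            log.add(system, field_name, "flagged-term", term)
        value = value.replace(term, PLACEHOLDER)
    return value


def redact_export(records, keep_emails, flagged_terms, log):
    """Return a redacted copy of the export; the source records are left untouched."""
    keep = {e.lower() for e in keep_emails}
    return [dict(r, value=redact_value(r["value"], r["system"], r["field"],
                                       keep, flagged_terms, log))
            for r in records]


def leftover_third_party(records, keep_emails, flagged_terms):
    """Pre-send check: anything that should have been redacted but survived.
    An empty list is the condition for releasing the package."""
    keep = {e.lower() for e in keep_emails}
    found = []
    for r in records:
        found += [m for m in EMAIL_RE.findall(r["value"]) if m.lower() not in keep]
        found += [t for t in flagged_terms if t in r["value"]]
    return found


if __name__ == "__main__":
    log = RedactionLog()
    keep = {REQUESTER_EMAIL} | ROLE_MAILBOXES
    package = redact_export(SAMPLE_EXPORT, keep, {"Bob Other"}, log)
    assert leftover_third_party(package, keep, {"Bob Other"}) == []
    for r in package:
        print(r["system"], r["field"], r["value"])
    print(len(log.entries), "redactions logged")   # 3
```

The check runs over the same data structure that will be exported, so it has to be repeated after any later conversion (for example to PDF), where the original text can reappear in metadata or as a hidden layer.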
The One-Month DSAR Response Timeline
The GDPR mandates a strict timeline for DSAR responses: without undue delay and in any event within one month of receipt (Article 12(3)). Here is how to manage it effectively:
Day of receipt: The clock starts on the day you receive the request, whether or not it is a working day and regardless of when someone recognizes it as a DSAR. This is why training staff to recognize DSARs immediately is critical. Whether an identity check pauses the clock depends on your regulator: the UK ICO counts the month from the day it receives the information it needs to confirm identity, while EU guidance generally expects the month to run from receipt and the controller to verify promptly. Either way, request verification immediately.
First days: Send an acknowledgment confirming receipt. If identity verification is needed, request it at the same time. Do not delay verification requests; this eats into your response window unnecessarily.
Middle of the month: Search all systems, contact third-party processors if needed, and begin compiling the response. If the request is complex (multiple systems, large volumes, exemptions to evaluate), assess whether a two-month extension is needed and notify the requestor before the original deadline.
Final week: Review all compiled data for third-party personal data that must be redacted. Apply any exemptions. Prepare the supplementary information. Format the response package. Have it reviewed by your DPO or data protection lead.
Deadline: The response must reach the data subject by the corresponding date in the following month, or the last day of that month if it has no such date (a request received on 31 January is due by 28 February). If the deadline falls on a weekend or public holiday, it moves to the next working day. If you have notified the requestor of an extension, the extended deadline is a maximum of three months from the original receipt date.
Warning: The two-month extension is not automatic. You must: (a) have a genuinely complex request or a large number of requests from the individual, (b) notify the individual within the first month, and (c) explain why the extension is necessary. Routinely extending all DSARs will attract regulatory scrutiny.
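The deadline arithmetic above, and the tracker fields from step 2, as an added example in Python (not code from the original page or from PolicyForge). It applies the calendar-month rule, clamps to the month end when the next month is shorter, rolls weekends and a caller-supplied set of public holidays forward, and refuses to record an extension after the original month has passed or without a documented reason. The holiday set, the field names of the tracker record and the sample dates are assumptions made for the example; the dates were chosen so that the 31 January case lands on a weekend in 2026.

```python
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


def add_months(d: date, months: int) -> date:
    """Same day-of-month N months later, clamped to the month end,
    so 31 January + 1 month is 28 (or 29) February."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def next_working_day(d: date, holidays=frozenset()) -> date:
    """A deadline that lands on a weekend or listed public holiday moves forward."""
    while d.weekday() >= 5 or d in holidays:
        d += timedelta(days=1)
    return d


def response_deadline(received: date, extended: bool = False,
                      holidays=frozenset()) -> date:
    """Article 12(3): one month from receipt, or three months in total once an
    extension has been notified within the first month."""
    return next_working_day(add_months(received, 3 if extended else 1), holidays)


@dataclass
class DsarRecord:
    """One row of the DSAR tracker from step 2 (field names are assumptions)."""
    received: date
    requester: str
    channel: str
    handler: str
    holidays: frozenset = frozenset()
    extended: bool = False
    extension_notified: Optional[date] = None
    extension_reason: str = ""
    responded: Optional[date] = None

    @property
    def deadline(self) -> date:
        return response_deadline(self.received, self.extended, self.holidays)

    def extend(self, today: date, reason: str) -> date:
        """Record a two-month extension. Refused if the original month has already
        passed or no reason is given, because either makes the extension invalid."""
        if today > response_deadline(self.received, False, self.holidays):
            raise ValueError("extension must be notified within the first month")
        if not reason.strip():
            raise ValueError("extension needs a documented reason")
        self.extended, self.extension_notified, self.extension_reason = True, today, reason
        return self.deadline

    def status(self, today: date) -> str:
        """open / overdue while unanswered; closed / closed-late once responded."""
        if self.responded is not None:
            return "closed-late" if self.responded > self.deadline else "closed"
        return "overdue" if today > self.deadline else "open"


if __name__ == "__main__":
    rec = DsarRecord(date(2026, 1, 31), "alice@example.com", "email", "privacy-team")
    print(rec.deadline, rec.status(date(2026, 2, 20)))   # 2026-03-02 open
```

Public holidays differ by country, so the holiday set has to come from the jurisdiction of the controller; keeping it as an explicit parameter also makes the rolled deadline easy to justify in the DSAR log.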
Identity Verification for DSARs
Identity verification is a balancing act. You need to confirm the requestor's identity to prevent unauthorized disclosure (which would itself be a data breach), but you cannot use verification as a barrier to discourage or delay requests. Recital 64 of GDPR states that the controller should use "all reasonable measures" to verify the identity of a data subject who requests access.
| Scenario | Verification approach | Assessment |
|---|---|---|
| Request from registered email | Email match to account is sufficient for basic account data | Appropriate |
| Request from unknown email | Ask for account identifiers plus one additional proof | Appropriate |
| Request for sensitive data (health, financial) | Government-issued photo ID plus additional verification | Appropriate |
| Newsletter data | Requesting a notarized affidavit is disproportionate for low-sensitivity data | Too much |
| Sensitive data | No verification at all; risk of unauthorized disclosure (a data breach) | Too little |
What Data Must You Include in a DSAR Response?
A DSAR response must include all personal data you hold about the individual, plus the supplementary information required by Article 15. “Personal data” is broadly defined under GDPR and includes any information relating to an identified or identifiable natural person.
Identity and contact data: name, email address, phone number, postal address, username, account ID, customer reference number
Transaction and financial data: purchase history, payment records, invoices, subscription details, billing information (mask card numbers to the last four digits)
Technical and usage data: IP addresses, device identifiers, browser fingerprints, cookies, login timestamps, page visit history, click data, search queries
Communications: emails sent/received, support tickets, chat transcripts, call recordings, notes made about the individual by staff
Marketing and preference data: consent records, marketing opt-in/out history, preference settings, segmentation data, profiling information
Employee data: performance reviews, disciplinary records, salary information, attendance records, training records, internal emails about the employee
Don't forget: Personal data includes opinions and assessments about the individual (e.g., staff notes saying “this customer is difficult”), CCTV footage, recorded phone calls, and metadata like login times. If it relates to an identifiable person, it is personal data.
DSAR Exemptions: When You Can Withhold Data
While the right of access is broad, it is not absolute. GDPR and national laws provide several exemptions where you may withhold some or all data. However, exemptions are narrowly interpreted and you must apply them on a case-by-case basis — you cannot apply blanket exemptions to all DSARs.
Third-party personal data: You must not disclose personal data about other identifiable individuals unless they have consented or it is reasonable in the circumstances. Redact third-party names, contact details, and identifiers from documents.
Legal professional privilege: Communications between a client and their lawyer for the purpose of giving or receiving legal advice are exempt. This includes internal legal assessments of the individual's case.
Manifestly unfounded or excessive requests: If a request is clearly made with no real intent to access data (e.g., to harass or cause disruption) or is repetitive with no change in circumstances, you may refuse or charge a reasonable fee. The burden of proof is on you to demonstrate the request is manifestly unfounded or excessive.
Crime and taxation: Under national law exemptions (e.g., UK DPA 2018 Schedule 2), data may be withheld if disclosure would prejudice the prevention or detection of crime, or the apprehension or prosecution of offenders.
Trade secrets and intellectual property: While not a blanket exemption, you may redact information that would reveal trade secrets or proprietary algorithms. However, you must still provide the personal data itself; you can redact the method by which it was derived, not the data about the individual.
Management forecasting: Under certain national exemptions, data relating to management forecasting or planning may be exempt if disclosure would prejudice the conduct of the business (e.g., planned redundancies before they are announced).
Free DSAR Response Template
Use this template as a starting point for your DSAR response letter. Customize it to match your organization's specific data processing activities and the scope of the individual request.
// DSAR Response Letter Template
[Your Company Name]
[Company Address]
[Date]
Dear [Data Subject Name],
Thank you for your data subject access request received on [Date Received]. In accordance with Article 15 of the General Data Protection Regulation (GDPR), we are writing to provide you with the personal data we hold about you and the required supplementary information.
1. Personal Data We Hold About You
Please find attached a complete copy of the personal data we hold about you in [format: PDF/CSV/JSON] format. This includes data from the following systems: [list systems: CRM, email, database, etc.]
2. Purposes of Processing
We process your personal data for the following purposes: [e.g., providing our service, processing payments, sending marketing communications, etc.]
3. Categories of Data
The categories of personal data we process include: [identity data, contact data, transaction data, usage data, etc.]
4. Recipients
Your data has been shared with the following recipients: [list: payment processor, hosting provider, analytics, etc.]
5. Retention Period
We retain your personal data for [retention period] from [starting point: last activity, account closure, etc.]
6. Your Rights
You have the right to: request rectification of inaccurate data, request erasure of your data, restrict processing, object to processing, data portability, and lodge a complaint with [relevant supervisory authority].
7. Data Source
Your data was collected [directly from you / from the following sources: ...]
8. Automated Decision-Making
[We do not make decisions about you based solely on automated processing / We use automated decision-making, including profiling, for: ..., which works as follows: ..., and may affect you by: ...]
9. International Transfers
[Your data is not transferred outside the EEA / Your data is transferred to ..., on the basis of: an adequacy decision, Standard Contractual Clauses, Binding Corporate Rules]
If you have any questions about this response, please contact us at [privacy email address].
Sincerely,
[DPO / Privacy Team Name]
[Your Company Name]
DSAR Response Checklist
Use this checklist to ensure your DSAR response is complete and compliant. Missing even one element can result in a regulatory complaint.
Record the exact date the request was received. This is day zero for your one-month deadline.
Confirm receipt within 2-3 business days and provide the expected response date.
Verify identity using methods proportionate to data sensitivity. Document the verification method used.
Check every system where personal data may be stored: databases, CRM, email, analytics, backups, physical files, third-party processors.
Remove or redact personal data of other identifiable individuals from the response documents.
If withholding any data, document which exemption applies and why. Be prepared to justify this to a supervisory authority.
Processing purposes, data categories, recipients, retention periods, rights information, data sources, and automated decision-making details are all required.
If the request was electronic, provide data in a commonly used electronic format (PDF, CSV, JSON). Ensure it is readable and well-organized.
Use encrypted email, a secure download portal, or the same authenticated channel the request was received through. Do not send personal data via unencrypted email.
Verify the response was delivered before the deadline expires. If an extension is needed, it must be communicated before the original one-month deadline.
Record the response date, what was provided, any exemptions applied, and any issues encountered. Retain for accountability.
Why a Proper Privacy Policy Makes DSARs Easier
A well-structured privacy policy is not just a compliance checkbox — it is the operational foundation of your DSAR response process. Here is why:
A comprehensive privacy policy forces you to inventory all the personal data you collect, which systems store it, who receives it, and how long you keep it. This mapping is exactly what you need to locate data when a DSAR arrives.
Article 15 requires you to include processing purposes, data categories, recipients, retention periods, and rights information in every DSAR response. If your privacy policy already contains this, you can reference or include it directly.
When your privacy policy clearly explains what data you collect and why, data subjects have realistic expectations about what a DSAR response will contain. This reduces disputes and follow-up requests.
If a data subject complains to a supervisory authority, the regulator will look at your privacy policy first. A comprehensive, up-to-date privacy policy generated by a tool like PolicyForge shows you take data protection seriously.
DSAR Compliance: What It Costs
Proper DSAR handling starts with a comprehensive privacy policy that documents your data processing activities. Here is how the costs compare:
| Option | Cost | Includes | Time |
|---|---|---|---|
| PolicyForge Starter | $4.99 | GDPR-compliant privacy policy, compliance checker, DSAR documentation foundation | 2 minutes |
| PolicyForge Pro | $12.99 | Unlimited policies, ToS generator, cookie policy, compliance scanner, email reports | 2 minutes |
| Termly / Iubenda | $120-240/year | Privacy policy generator, cookie consent, ongoing subscription | 15-30 minutes |
| Privacy lawyer consultation | $500-5,000+ | Custom privacy policy, legal advice, DSAR process design | 1-4 weeks |
| DSAR management software | $200-2,000/month | Automated DSAR workflow, data discovery, redaction tools | Weeks to implement |
| GDPR non-compliance fine | Up to €20M / 4% revenue | Regulatory investigation, reputational damage, legal costs | Months-years of disruption |
Start with the foundation: Even if you need dedicated DSAR software later, a GDPR-compliant privacy policy is step one. It documents the processing activities that define the scope of every DSAR response. Generate yours for $4.99 →
Free DSAR Request Template (For Individuals)
If you are an individual wanting to submit a DSAR to an organization, here is a free template you can use. Simply fill in the bracketed fields and send it to the organization's privacy contact (usually found in their privacy policy).
// Data Subject Access Request — Individual Template
To: [Organization Name]
From: [Your Full Name]
Email: [Your Email Address]
Date: [Today's Date]
Account/Customer Reference: [If applicable]
Subject: Data Subject Access Request under GDPR Article 15
Dear Data Protection Officer / Privacy Team,
I am writing to exercise my right of access under Article 15 of the General Data Protection Regulation (GDPR). I request that you provide me with a copy of all personal data you hold about me, along with the following supplementary information:
- The purposes of the processing
- The categories of personal data concerned
- The recipients to whom my data has been or will be disclosed
- The envisaged period for which my data will be stored
- The source of the data, if not collected directly from me
- Whether any automated decision-making or profiling is applied to my data
Please respond within one calendar month as required by Article 12(3) of the GDPR. If you need to verify my identity, please let me know promptly and I will provide the necessary information.
If you do not respond within the statutory timeframe, I reserve the right to lodge a complaint with [relevant supervisory authority, e.g., the ICO, CNIL, BfDI].
Yours sincerely,
[Your Full Name]
Common DSAR Mistakes That Lead to Fines
Supervisory authorities across the EU have issued fines and reprimands for DSAR handling failures. Here are the most common mistakes organizations make:
1. Missing the one-month deadline
The most common violation. Organizations that lack a documented DSAR process often discover the request too late, or underestimate the time needed to locate and compile data. Set calendar reminders and track every DSAR from day one.
2. Providing incomplete data
Searching only your main database and missing email threads, support tickets, CRM notes, analytics data, or backup systems. A DSAR requires all personal data, not just the data in your primary system.
3. Failing to provide supplementary information
Sending a data export without the supplementary information required by Article 15: processing purposes, categories, recipients, retention periods, rights, sources, and automated decision-making details. The data alone is not sufficient.
4. Disclosing third-party data
Including other people's personal data in the response without proper redaction. This is itself a data breach and can result in additional enforcement action.
5. Using verification as a barrier
Requesting excessive identification documents for low-risk data, or using verification delays to run down the clock. Supervisory authorities view this as obstruction of data subject rights.
6. Not recognizing verbal or informal requests
A customer saying “I want to see what data you have on me” in a phone call or chat is a valid DSAR, even if they do not use legal terminology. Staff must be trained to recognize and escalate these.
DSAR Statistics and Trends (2024-2026)
Understanding the scale and trajectory of DSAR volumes helps organizations plan their response capacity:
159%
Increase in UK subject access complaints (2018-2023, ICO data)
€4.5B+
Total GDPR fines issued since 2018 (including DSAR-related violations)
1 month
Maximum response time (extendable by two further months for complex requests, three months in total)
48%
Of organizations report increased DSAR volume year-over-year (IAPP survey)
Frequently Asked Questions: Data Subject Access Requests
What is a Data Subject Access Request (DSAR)?
A Data Subject Access Request (DSAR), also called a Subject Access Request (SAR), is a formal request from an individual to an organization asking for a copy of all the personal data the organization holds about them. Under GDPR Article 15, individuals have the right to obtain confirmation of whether their data is being processed and, if so, access to that data along with supplementary information about how it is used.
How long do I have to respond to a DSAR?
Under GDPR, you must respond to a DSAR within one calendar month (approximately 30 days) of receiving the request. This can be extended by a further two months if the request is complex or you have received a large number of requests from the same individual. If you extend the deadline, you must inform the individual within the first month, explaining why the extension is necessary.
Can I charge a fee for responding to a DSAR?
Generally, no. Under GDPR, the first copy of the data must be provided free of charge. However, you may charge a reasonable fee based on administrative costs if the individual requests further copies of the same data, or if the request is manifestly unfounded or excessive (particularly if it is repetitive). You must be able to demonstrate why you consider the request excessive.
Can I refuse a data subject access request?
You can only refuse a DSAR outright if the request is manifestly unfounded or manifestly excessive; a specific exemption may let you withhold part of the data, but the rest must still be provided. You must be able to demonstrate this and must inform the individual of the refusal within one month, providing the reasons and informing them of their right to lodge a complaint with a supervisory authority. The bar for refusal is very high and regulators scrutinize refusals closely.
Do I need to verify the identity of the person making the DSAR?
Yes, you should take reasonable steps to verify the identity of the person making the request before disclosing any personal data. This is to prevent unauthorized disclosure. However, you should not use identity verification as a barrier to delay or obstruct the request. The level of verification should be proportionate to the sensitivity of the data.
Does a DSAR have to be in writing?
No. Under GDPR, a DSAR can be made verbally (e.g., over the phone or in person), by email, through social media, or via any other channel. There is no requirement for a specific format. If you receive a verbal request, it is good practice to document it immediately. You cannot require individuals to use a specific form, although you can provide one for convenience.
What happens if I fail to respond to a DSAR within the deadline?
Failure to respond to a DSAR within the required timeframe is a breach of GDPR. The individual can lodge a complaint with their supervisory authority, which can investigate and impose fines. Supervisory authorities have issued significant fines for failure to respond to DSARs. Under GDPR, fines for infringement of data subject rights can reach up to €20 million or 4% of annual global turnover, whichever is higher.
How does having a privacy policy help with DSARs?
A comprehensive privacy policy is essential for DSAR compliance because it documents your data processing activities, making it easier to locate and compile the data you hold about an individual. It also sets clear expectations about what data you collect and why, reducing the scope of DSAR responses. A well-structured privacy policy generated by a tool like PolicyForge ensures you have a clear record of processing activities that directly supports your DSAR response process.
Get Your DSAR Compliance Foundation in 2 Minutes
Every DSAR response requires you to document your processing activities, data categories, recipients, and retention periods. A GDPR-compliant privacy policy from PolicyForge gives you this foundation instantly — no lawyer required, no ongoing subscription.
Free tier: 2 generations/day. Starter: $4.99 one-time. Pro: $12.99 one-time for unlimited access.