DSAR Guide

Data Subject Access Requests (Articles 15-20)

What is a DSAR?

A Data Subject Access Request (DSAR) is a request in which an individual exercises their right to access the personal data your organization holds about them. This right is guaranteed by GDPR Article 15.

Legal Requirement: You must respond within 1 month (extendable to 3 months for complex requests). Failure to comply can result in fines up to €20 million or 4% of global turnover.

30-Day Timeline (Article 12(3))

Day 1
Request Received

Platform automatically logs request, assigns ID, sends acknowledgment

Days 1-7
Identity Verification

Verify requester identity (Article 12(6)) - Platform can request additional info

Days 8-25
Data Collection

Platform auto-aggregates all personal data from databases, logs, backups

Days 26-30
Response Delivery

Export data as CSV (machine-readable) + PDF (human-readable), send to requester

Warning: Clock starts ticking immediately upon receipt. Our platform automatically tracks deadlines.

Quick Start Guide

  1. Receive request
    Via email, web form, or support ticket - platform creates DSAR record
  2. Verify identity
    Platform sends verification email or uses existing auth (if logged-in user)
  3. Auto-aggregate data
    One-click fulfillment: platform searches all databases and systems
  4. Export and deliver
    Download CSV (Article 20 portability) + PDF, send to requester

What Must You Provide? (Article 15)

1. Categories of Data

What types of personal data you're processing

2. Purposes

Why you're processing their data

3. Recipients

Who you've shared the data with

4. Storage Period

How long you'll keep the data

5. Right to Rectification/Erasure

Inform them of their other rights

6. Right to Complain

How to lodge a complaint with a supervisory authority

7. Source of Data

Where you obtained their data (if not from them)

8. Automated Decision-Making

Any profiling or automated decisions

Common CCO Scenarios

✅ Simple DSAR (Current Customer)

Scenario: Logged-in customer requests their data

Solution: Identity pre-verified → One-click fulfillment → Auto-email CSV+PDF → Done in 5 minutes

✅ Timeline: Same day response possible

⚠️ Complex DSAR (Multiple Systems)

Scenario: Request spans multiple databases, backups, third-party processors

Solution: Platform aggregates from all sources → Contact processors → Compile complete dataset

✅ Timeline: May extend to 2-3 months with notification (Article 12(3))

🚫 Excessive/Unfounded DSAR

Scenario: Same person submits 10 DSARs in 1 month

Solution: Article 12(5) allows "reasonable fee" or refusal if manifestly unfounded/excessive

✅ Requirement: Must demonstrate burden is excessive

Frequently Asked Questions

Can I charge a fee for DSARs?

Generally NO - Article 15(3) says information must be provided "free of charge."

Exception: If requests are "manifestly unfounded or excessive" (Article 12(5)), you may:

  • Charge a "reasonable fee" based on administrative costs
  • Refuse to act on the request

⚠️ Burden of proof is on YOU to demonstrate request is excessive

What if I can't find any data for the requester?

You still must respond within 30 days confirming you hold no data.

Platform automatically generates "No Data Held" response letter.

💡 Tip: Keep records of this response for audit trail

Do I need to provide data in a specific format?

Article 15: Provide in "concise, transparent, intelligible" form

Article 20 (portability): Must be "structured, commonly used, machine-readable" format

Our platform provides:

  • CSV: Machine-readable (Article 20 compliance)
  • PDF: Human-readable with explanations

Ready to Manage DSARs?

Automate DSAR fulfillment with one-click data aggregation and 30-day deadline tracking.