
The GDPR requires you, the data controller, to facilitate and respond to any request made by your data subjects to exercise their data privacy rights (a data subject access request) or to complain about your data processing activities. Here’s what you need to do if you receive one.


Steps for responding to a Data Subject Access Request (DSAR)

Once you receive a data subject access request, you (the owner / head of the business) or your Data Protection Officer (DPO) are responsible for handling the request. You can follow the steps below to respond to the request as the GDPR expects.

  1. Create a secure document to log the request proceedings, including the date and time of each contact with the data subject, the data requested, the types of data sent, and the outcome.
  2. Let the requestor know that you’ve received their request, using the same method they used to make the request. We recommend using this contact method for the proceedings of the request, unless the data subject requests otherwise.
  3. If you have reason to doubt the requester’s identity, it’s perfectly acceptable to ask for proof of identity. Just remember, you should only request the minimum information necessary.
  4. Let the requestor know the outcome of the identity verification. If successful, move on to step 5; if unsuccessful, ask for additional information.
  5. Assess whether the request is excessive or unfounded. You have a right to deny a request or charge a reasonable fee for the request if you believe it’s either, but you’ll need to provide proof of how you came to this decision.
  6. If there will be fees or you believe the request is excessive or unfounded and cannot be fulfilled, let the data subject know.
  7. Let the requestor know how long the request will take to action. By default, you’ll need to action the request within one month from receipt. If the request is going to require extra time, you can extend the response deadline by two additional months. You must let the data subject know the new deadline and why the extension is required.
  8. Collect the required data for access requests. Search until you have reason to believe there is nowhere else you could look. If you have the information requested by the data subject, then proceed to step 9. If you believe that you don’t have the information the data subject has requested, that’s fine – proceed to step 11.
  9. Evaluate any documents and redact personal information that doesn’t belong to the data subject making the request.
  10. Fulfil the action requested (access, erasure, rectification, restriction, portability, or objection) within the deadline you agreed to.
  11. Send your response to the request with the outcome, any data they’ve requested, and proof that the requested action has been completed. We recommend including a link to your privacy policy to ensure that you’ve made an effort to keep them informed about how you handle their personal data.

What information should I be sending in my DSAR response?

When you hold the information a data subject has requested, you’ll need to provide them with:

  1. Copies of documents containing their personal information, with any personal information of other data subjects redacted.
  2. A copy of your privacy policy.

We suggest sending a copy of your privacy policy because it contains all of the other information you’re required to send the data subject alongside your DSAR response:

  • What you’re using their information for;
  • Where you obtained their information from;
  • Who you’re sharing their information with;
  • How long you’ll store their information for and why;
  • How you keep their data secure;
  • Their data privacy rights and how they can exercise them;
  • Whether you use their information for profiling or automated decision-making and how you’re doing this; and
  • Whether you transfer their information to a country outside the EEA.

If you don’t have one, you can create a privacy policy with GetTerms.

How quickly do you need to respond to a data subject request or complaint?

You’ll need to respond to and action each data subject request within one month of receiving the request. This can be extended by two further months for large or complex requests, but if an extension is needed, you, as the controller, are responsible for informing the data subject about this extension. You’ll need to let them know of these delays within one month of receiving their original request, with an explanation for the delay.

What type of identification is acceptable to ask for?

If you have reasonable doubts about the data subject’s identity, you can request they provide proof of identity that is proportionate to the data they are requesting. Start by requesting that they verify existing information you have on file, such as their email address, birthday, or security question answer. You should only request government-issued ID for more sensitive data requests or when genuine doubt exists.

Do I need to provide complete original documents for a DSAR?

You don’t have to give the requestor full copies of the original documents they have requested. You only need to provide their personal information that’s contained in the documents. You may provide new documents that only contain the requestor’s information or provide original documents with certain information removed or edited out (redacted).

When is charging a fee acceptable?

The expectation of the GDPR is that all data subject access requests are free of charge. However, you can charge a reasonable fee for administrative costs in two situations: if the request is manifestly unfounded or excessive, or if an individual requests additional copies of their data after the first. Reasonable fees should only ever cover costs like staff time, photocopying, postage, and equipment, calculated proportionately without double-charging. You’ll need to justify any fee to the supervisory authority if challenged, so be reasonable.

What makes a data subject request ‘unfounded’?

A request is manifestly unfounded if someone clearly has no genuine intention to exercise their rights or acts maliciously to harass and disrupt your organization. You must provide evidence demonstrating why it’s obviously unfounded, considering context – aggressive language alone doesn’t prove unfoundedness. Here are a few examples of common unfounded requests.

Example 1: Extortion attempt

A person submits a data subject access request but then offers to withdraw it in return for payment or some other benefit from your organization. They clearly have no genuine intention to exercise their rights – they’re trying to leverage the request for personal gain.

Example 2: Harassment campaign

An individual posts online that they plan to submit a deletion request every single day until a specific employee they dislike gets fired. After responding to their first request, it becomes clear their sole intention is to threaten and disrupt your organization rather than genuinely exercise their data rights.

Example 3: Malicious accusations

A person submits a request that makes unsubstantiated or false accusations against your organization or specific employees, clearly prompted by malice rather than a legitimate desire to access their data. They’re targeting a particular employee due to a personal grudge, using the data request as a weapon rather than exercising a genuine right.

What makes a data subject request ‘excessive’?

A request is manifestly excessive if it’s clearly unreasonable when balancing proportionality against your burden or costs. Consider all circumstances: nature of information, relationship context, impact of refusal on the person’s rights, your resources, repetition without reasonable intervals, and overlap with other requests.

Example 1: Rapid repeat request without changes

One month ago, you responded to a person’s subject access request that included their entire conviction history containing voluminous documents. They now submit another request asking for the exact same conviction history plus only one new complaint call. Since minimal time has passed and little new data exists, you refuse the full request as excessive due to the overlap, volume, and short interval, but provide the new information collected since their last request.

Example 2: Overly broad employment request

A former employee requests “all communications in connection with my duties” spanning several years of employment. When asked to clarify and limit the scope, they acknowledge the material is extensive but refuse to narrow it. You refuse because the request encompasses a vast amount of notes, letters, and emails primarily related to job duties rather than personal attributes, making it clearly unreasonable.

Example 3: Impossible “implied” references request

A former staff member requests “emails and attachments sent to or from any staff member regarding me, as well as meeting notes or minutes where I am mentioned, discussed, or implied”. The inclusion of records where they are merely “implied” makes the scope unmanageable and clearly unreasonable. You should ask for clarification to narrow what specific information they genuinely need.

Creating a procedure for handling data subject rights requests

We recommend that you create a procedure for handling data subject rights requests to allow your staff to complete a data subject request while you or your DPO is on holiday. It should be written as clearly as an IKEA instruction manual.

It should include:

  1. The essential rules all staff need to follow when handling data subject requests
  2. What to do on receipt of a new data subject request (requesting identity verification, logging the request)
  3. How to correctly verify a data subject’s identity
  4. How to acknowledge a data subject request and respond with the required information
  5. The procedure for assessing the request and acquiring the requested data
  6. The procedure for actioning the request
  7. How to deliver a response to the data subject confirming the necessary action has been taken
  8. How to log the outcome of the request
  9. How to provide feedback on the effectiveness of the data subject request procedure

What are the different types of Data Subject Requests (DSR)?

  • DSAR (Data Subject Access Request) for the right to access: A request to access personal data. This is the most common type of request, where individuals ask organizations to confirm whether their data is being processed and to receive a copy of that data.
  • Rectification request or correction request for the right to rectification: A request to correct inaccurate or incomplete personal data held by an organization.
  • Deletion request for the right to erasure: A request to delete personal data.
  • Right to restriction of processing request: A request to limit how an organization processes personal data while still allowing them to store it.
  • Portability request or data transfer request for the right to data portability: A request to receive personal data in a structured, commonly used format and have it transmitted to another service provider.
  • Objection request or opt-out request for the right to object: A request to stop processing personal data, particularly for marketing purposes or automated decision-making.
  • Automated decision-making request or profiling objection for the right related to automated decision-making: A request concerning automated decision-making and profiling that has legal or similarly significant effects.

How to handle data subject complaints under the GDPR

If one of your data subjects believes your business is handling personal data unlawfully, it’s their right to complain. As with DSARs, complaints need to be responded to within a month of receiving them, so it’s important you have a process for resolving them.

Here’s the general procedure you should follow:

  1. Acknowledge you’ve received the complaint
  2. Create a spreadsheet to log when you receive the complaint, when you communicate with the complainant and any other relevant milestones.
  3. Investigate the complaint and gather relevant information
  4. Update the complainant whenever progress has been made
  5. Respond to the complaint with how you’ve resolved the issue and any actions you’ve taken as a result.
  6. Let the complainant know they have the right to complain to the European Data Protection Supervisor (EDPS) if they are unhappy with the resolution.
  7. Review the complaint with your team and improve your procedures to prevent the issue from occurring.