Understanding Your Data Rights: What is a DSAR, Why It Matters, and How to File a Data Subject Access Request (DSAR)

The DSAR is a powerful tool under GDPR that allows you to gain transparency and control over your personal data

In an increasingly digital world, where your personal information is constantly collected, processed, and stored by countless organizations, understanding your privacy rights is paramount. One of the most potent rights at your disposal is the Right of Access by the Data Subject, commonly known as a DSAR (Data Subject Access Request).

This article will detail what a DSAR is, why it’s crucial for you to be aware of it, and provide a step-by-step guide on how to effectively file a DSAR.

What is a DSAR and Why Should You Exercise This Right?

A DSAR (Data Subject Access Request) is a fundamental right granted to you by Article 15 of the General Data Protection Regulation (GDPR) of the European Union. It empowers any individual to ask an organization whether it holds personal data about them and, if so, to receive comprehensive information, including:

  1. A copy of your personal data that the organization holds.
  2. Detailed information on how and why this data is being processed (e.g., the purposes of the processing).
  3. Details about the recipients or categories of recipients to whom your data has been or will be disclosed (especially in third countries or international organizations).
  4. The envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period.
  5. The legal basis for processing your data (e.g., consent, contract, legal obligation, legitimate interest).
  6. The existence of the right to request from the controller rectification or erasure of personal data or restriction of processing concerning the data subject or to object to such processing.
  7. The right to lodge a complaint with a supervisory authority.
  8. Information as to the source of the data, where the personal data are not collected directly from you.
  9. The existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

Why Should You Exercise Your DSAR Right?

You do not need a lawyer or a complex justification to exercise this right. If your data is being collected or processed by an organization, you are entitled to know how. Exercising your DSAR right is crucial for several reasons:

  • Transparency and Control: It gives you direct insight into what personal data an organization holds about you, fostering transparency and allowing you to verify its accuracy.
  • Correction and Deletion: If you find inaccurate or outdated information, or data that is no longer necessary, a DSAR is the first step to exercising your rights to rectification or erasure.
  • Understanding Data Flow: It helps you understand who your data is shared with, especially important in an era of complex data ecosystems involving third-party processors.
  • Accountability: It holds organizations accountable for their data handling practices, ensuring they comply with data protection laws.
  • Legal Recourse: In case of data breaches or misuse, having a record of your DSAR and the organization’s response (or lack thereof) can be crucial for legal recourse or filing a complaint with a supervisory authority.

How to File a DSAR: A Step-by-Step Guide

Filing a DSAR is generally a straightforward process. Here’s how to do it:

  1. Identify the Data Controller:
    • Determine which company, public entity, or organization is holding your data. This is typically the entity with whom you have a direct relationship (e.g., your bank, your employer, a social media platform, an online retailer).
    • Look for their privacy policy or terms of service on their website, which often contain specific contact details for data protection inquiries or DSARs.
  2. Formulate Your Request:
    • You don’t need to use legal jargon, but clearly state that you are making a Data Subject Access Request under Article 15 of the GDPR.
    • Example Wording: “I am writing to exercise my right of access under Article 15 of the General Data Protection Regulation (GDPR). Please provide me with a copy of any and all personal data you hold about me. I would also appreciate information regarding the purposes of the processing, the categories of personal data concerned, the recipients to whom my data has been or will be disclosed, the envisaged period for which the personal data will be stored, and the source of the personal data if not collected from me directly.”
    • While you don’t need to justify your request, being specific about what data you are interested in (e.g., “all my personal data,” or “my employment records from 2020-2023,” or “my transaction history”) can help the organization process your request more efficiently.
  3. Submit the Request:
    • Method: You can typically send your DSAR via email, postal mail, or sometimes through a dedicated privacy portal on the company’s website. Check the organization’s privacy policy for their preferred method.
    • Proof: Keep a copy of your request and proof of submission (e.g., email sent confirmation, postal receipt).
    • Informal Requests: Most data protection regulators accept informal requests (e.g., a simple email or letter). You are not required to use a specific form unless the organization provides one and insists on its use.
  4. Provide Proof of Identity (If Requested):
    • Organizations have a right to verify your identity to protect against fraudulent requests and prevent unauthorized disclosure of your personal data.
    • They should only ask for information necessary to confirm your identity. This might include a copy of a utility bill, a redacted ID document, or answers to security questions.
    • Be cautious about providing excessive or highly sensitive identity documents unless absolutely necessary and secure.
  5. Wait for the Response:
    • Organizations typically have one calendar month to respond to your DSAR from the date of receipt.
    • For complex or numerous requests, they may extend this period by an additional two months. If they do this, they must inform you within the initial one-month period and explain why the extension is necessary.
    • The response should provide you with the requested data and information free of charge, although they can charge a reasonable fee for manifestly unfounded or excessive requests, or for further copies.
  6. Follow Up:
    • If you do not receive a response within the statutory timeframe (one month, or three months if an extension was notified), follow up with the company in writing. Refer to your original request and the date it was sent.

What If They Don’t Respond or Respond Unsatisfactorily?

If an organization fails to respond to your DSAR, refuses your request without proper justification, or provides an incomplete or unsatisfactory response, you have the right to escalate your complaint.

  1. Internal Complaint (Recommended First Step):
    • Before going to a regulator, consider raising a formal complaint directly with the organization’s Data Protection Officer (DPO) or privacy team. Clearly outline why you are dissatisfied with their response. This can often resolve issues more quickly.
  2. File a Complaint with Your National Data Protection Authority (Supervisory Authority):
    • If the internal complaint doesn’t resolve the issue, you can file a formal complaint with the data protection authority (DPA) in the country where the organization is based, or in the country where you reside (if you are in the EU/EEA and the organization processes your data there).
    • Each EU country has a designated supervisory authority responsible for enforcing GDPR. Similarly, the UK and Switzerland have their own data protection bodies.
    • Most complaints can be submitted via online forms or email on the DPA’s official website.

Important Considerations:

  • Backlogs: Be aware that supervisory authorities often have backlogs of complaints, and it may take several weeks or even months (e.g., often over 16 weeks, sometimes longer) to receive a regulatory response or a decision.
  • Evidence: Provide all relevant documentation when filing your complaint, including your original DSAR, any correspondence with the organization, and their response (or lack thereof).

Key Resources (Official Data Protection Authorities)

To find the relevant Data Protection Authority for your region, please refer to these official sources:

  • European Data Protection Board (EDPB) – Members List (for all EU/EEA DPAs):
  • France (CNIL – Commission Nationale de l’Informatique et des Libertés):
  • United Kingdom (ICO – Information Commissioner’s Office):
    • ico.org.uk
    • Note: The ICO operates under the UK GDPR, which is a separate but very similar framework to the EU GDPR.
  • Switzerland (FDPIC – Federal Data Protection and Information Commissioner):
    • edoeb.admin.ch
    • Note: Switzerland has its own data protection law (nFADP) which is aligned with, but separate from, the GDPR.

By following these steps and understanding your rights, you can effectively take control of your personal data in the digital age.
