DSAR Guide
Data Subject Access Requests (Articles 15-20)
What is a DSAR?
A Data Subject Access Request (DSAR) is when an individual exercises their right to access their personal data held by your organization. This right is guaranteed by GDPR Article 15.
Legal Requirement: You must respond within 1 month (extendable to 3 months for complex requests). Failure to comply can result in fines up to $20 million or 4% of global turnover.
30-Day Timeline (Article 12(3))
Log the request, assign an internal case ID, and acknowledge receipt
Verify requester identity (Article 12(6)) and collect any missing context
Use guided workflows to gather records from systems, processors, and evidence logs
Prepare machine-readable and human-readable response packages for controlled delivery
Warning: Clock starts ticking immediately upon receipt. Use the DSAR workspace to track the case and document every handoff.
Quick Start Guide
1. Receive request
Via email, web form, or support ticket, then create a DSAR case record
2. Verify identity
Document verification steps or request additional information where needed
3. Gather evidence
Use guided workflows to collect data from approved systems and processors
4. Export and deliver
Prepare CSV (Article 20 portability) plus narrative response materials for delivery
What Must You Provide? (Article 15)
1. Categories of Data
What types of personal data you're processing
2. Purposes
Why you're processing their data
3. Recipients
Who you've shared the data with
4. Storage Period
How long you'll keep the data
5. Right to Rectification/Erasure
Inform them of their other rights
6. Right to Complain
How to lodge a complaint with the supervisory authority
7. Source of Data
Where you obtained their data (if not from them)
8. Automated Decision-Making
Any profiling or automated decisions
Common CCO Scenarios
Simple DSAR (Current Customer)
Scenario: Logged-in customer requests their data
Solution: Identity is already established, evidence is collected in one workspace, and response materials are exported for controlled delivery.
Timeline: Same day response possible
Complex DSAR (Multiple Systems)
Scenario: Request spans multiple databases, backups, third-party processors
Solution: Use guided collection steps across systems, contact processors, and compile the complete dataset with documented review.
Timeline: May extend to 2-3 months with notification (Article 12(3))
Excessive/Unfounded DSAR
Scenario: Same person submits 10 DSARs in 1 month
Solution: Article 12(5) allows a "reasonable fee" or refusal if the request is manifestly unfounded/excessive
Requirement: You must demonstrate that the burden is excessive
Frequently Asked Questions
Can I charge a fee for DSARs?
Generally NO - Article 15(3) says information must be provided "free of charge."
Exception: If requests are "manifestly unfounded or excessive" (Article 12(5)), you may charge a "reasonable fee" or refuse to act.
The burden of proof is on YOU to demonstrate that the request is excessive
What if I can't find any data for the requester?
You still must respond within 30 days confirming you hold no data. Use the DSAR workspace to document the search and export the response package.
Do I need to provide data in a specific format?
Article 15: Provide the data in a "concise, transparent, intelligible" form
Article 20 (portability): The data must be in a "structured, commonly used, machine-readable" format
Use the platform exports to assemble machine-readable and human-readable response materials.