Data Subject Access Request (DSAR)

A request from an individual to access their personal data held by an organization, often accompanied by requests for additional information about processing or exercise of other rights. DSARs are a fundamental privacy right under GDPR Article 15 and similar laws. Upon receiving a DSAR, organizations must verify the requester's identity, search for all personal data about the requester across systems, compile the information, provide details about processing purposes, recipients, retention periods, data sources, and rights, and deliver the information in accessible format within the required timeframe (typically 30 days under GDPR, 45 days under CCPA). DSARs require careful handling to avoid inadvertently disclosing others' personal data, ensure completeness, protect privileged information, and meet deadlines. Organizations should implement DSAR procedures, train staff, use technology to facilitate requests, and document response processes. High-volume organizations may receive hundreds or thousands of DSARs annually.