Subject Access Request

A request from an individual to access their personal data held by an organization, commonly called a data subject access request (DSAR) or simply access request. Under GDPR Article 15, individuals can request: confirmation of whether their data is processed, access to their personal data, supplementary information about processing (purposes, recipients, retention, rights, data sources, automated decision-making details). Organizations must provide the first copy free of charge and respond within one month (extendable by two additional months for complex requests with notification). Similar rights exist under CCPA/CPRA as 'right to know' requests. Organizations should establish processes for: verifying requestor identity, searching all relevant systems, compiling responsive information, redacting third-party data if necessary, providing information in accessible formats, and documenting responses. Access requests often expose compliance gaps—organizations discover they're processing data they didn't know about, can't locate specific information, or have inadequate retention practices. Robust data mapping and governance make SAR responses significantly easier.