
Understanding GDPR Data Subject Access Requests: A Practical Guide for Organisations


One important mechanism that empowers individuals (data subjects) under GDPR is the Data Subject Access Request (DSAR). This article explains what DSARs are, why they matter, and how your organisation can handle them efficiently. It focuses on UK GDPR and EU GDPR, but the concepts are generally transferable to other privacy regulations. You should always take professional legal advice before making changes to your compliance programme.

What Is a Data Subject Access Request?

A Data Subject Access Request is a formal request made by an individual (the “data subject”) to access the personal information that your organisation may be processing about them. This right of access is set out in Article 15 of the General Data Protection Regulation (GDPR) in the European Union and in its UK counterpart, the UK GDPR.

When someone submits a DSAR, they are essentially asking three key questions:

  • Are you processing my personal data?
  • If so, what data do you have about me?
  • How are you using this information?

The right of access is fundamental to privacy protection because it allows individuals to be aware of and verify the lawfulness of how their personal information is being used.

Key Components of the Right of Access

When responding to a DSAR, your organisation must provide:

  1. Confirmation about whether you’re processing the individual’s personal data
  2. Access to the personal data itself, typically by providing a copy
  3. Information about the processing, including:
    • Why you’re processing their data (purposes)
    • What categories of data you maintain
    • Who you share the data with (recipients)
    • How long you’ll keep the data, or the criteria used to decide that
    • Information about their other rights (rectification, erasure, restriction, objection, and the right to complain to a supervisory authority)
    • Where the data was obtained, if it did not come from the individual (source)
    • Whether any automated decision-making, including profiling, is used, and if so the logic involved and its consequences
    • Details about any international data transfers and the safeguards that apply

It’s important to note that individuals don’t need to provide a reason for their request. The right of access exists independently and should not be analysed based on the requester’s motivations.

Creating an Effective DSAR Process

Setting Up User-Friendly Channels

Make it easy for individuals to submit DSARs by:

  • Creating dedicated communication channels (web forms, email addresses)
  • Ensuring these channels are clearly visible and accessible
  • Accepting requests through any official contact point, even if it is not your preferred channel
    • This may be inefficient, but the GDPR text does not specify where or how a request must be made for it to be valid. A request can arrive by letter, phone, social media, or in a comment to a support agent, so staff need to be trained to recognise a request, accept it, and start the process.

For digital services and platforms, minimize the number of steps required to submit a request. Ideally, the ability to exercise privacy rights should be accessible directly from your platform’s main menu, not buried deep within privacy notices. If you can automate the process – you’ll free up your team to focus on more commercially valuable tasks. Although in practice this is often easier said than done.

Building Your DSAR Team

While privacy regulations don’t specify mandatory roles for handling DSARs, it’s practical to assign clear responsibilities. You’ll need to involve:

  • Data Protection Officers (if appointed)
  • IT teams who can locate and retrieve data
  • Department representatives who understand specific data processing activities
  • Administrative staff who can coordinate the collection process

Implementing Verification Procedures

When you receive a DSAR, you must verify the requester’s identity to prevent unauthorised access to personal data. Your verification process should be:

  • Proportionate to the sensitivity of the data and risks involved
  • Limited to collecting only what’s necessary for verification
  • Based on existing authentication methods where possible

Conduct a proportionality assessment to determine appropriate verification steps based on the nature of the data being requested.

For instance, a case study from Employment Law Worldview illustrates the challenges of handling extensive DSARs, such as requests for all personal data over a decade. This can involve reviewing a vast number of documents, highlighting the need for proportionality in managing such requests.

Managing the Request Workflow

Once a valid request is received:

  1. Interpret and assess whether it falls under data access rights
  2. Search systematically through all relevant systems (both digital and paper-based)
  3. Compile the information in a clear, transparent, and accessible format
  4. Review for exceptions or limitations that might apply
  5. Respond to the individual within the required timeframe

Maintaining comprehensive records of your processing activities will significantly streamline your ability to respond to access requests.

Timeframes for Response

Organizations must respond to DSARs “without undue delay” and within one month of receipt. It’s good practice to:

  • Acknowledge receipt of the request immediately
  • Inform the individual of the expected response timeframe
  • Keep them updated if you need additional information
  • Set your internal response target at 28 days, since the length of a calendar “month” varies through the year and the statutory deadline can fall on the 28th, 29th, 30th or 31st day after receipt

In complex cases or when dealing with numerous requests, you may extend the response period by up to two additional months. However, you must notify the individual of this extension and explain the reasons within the original one-month timeframe.
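The “one month” rule has an edge case that catches teams out: a request received on 31 January has no corresponding date in February. The following calculator is an added example written for this article, not code from the original page or from any regulator; it assumes the ICO’s counting convention (the deadline is the corresponding calendar date in the next month, or the last day of that month if there is no such date), that the clock starts on the day the request is received, and that a two-month extension is counted the same way. The 28-day internal target is the article’s own recommendation. Check the convention against your own supervisory authority’s guidance before relying on it.

```python
"""DSAR response-deadline calculator (added example, not part of the original article).

Assumptions, stated here and in the lead-in:
- Counting follows the ICO convention: the deadline is the corresponding calendar
  date in the next month; if that month is shorter, it is the last day of that month.
- The clock starts on the day of receipt (or of identity verification, if later).
- Extensions of up to two further months are counted the same way, and the
  notice of extension must reach the individual by the original one-month deadline.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import date, timedelta


def add_months(start: date, months: int) -> date:
    """Return the corresponding calendar date `months` later, clamped to month end.

    31 Jan + 1 month -> 28/29 Feb, 31 Mar + 1 month -> 30 Apr, and so on.
    """
    month_index = start.month - 1 + months
    year = start.year + month_index // 12
    month = month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


@dataclass(frozen=True)
class DsarDeadlines:
    received: date
    internal_target: date          # the article's 28-day working target
    statutory_deadline: date       # one month from receipt (Art. 12(3))
    extension_notice_by: date      # any extension must be notified by this date
    extended_deadline: date | None # only set when an extension has been claimed


def compute_deadlines(received: date, extension_months: int = 0,
                      internal_target_days: int = 28) -> DsarDeadlines:
    """Compute all dates the DSAR team needs to track for one request."""
    if not 0 <= extension_months <= 2:
        raise ValueError("at most two further months may be claimed (Art. 12(3))")
    statutory = add_months(received, 1)
    extended = add_months(received, 1 + extension_months) if extension_months else None
    return DsarDeadlines(
        received=received,
        internal_target=received + timedelta(days=internal_target_days),
        statutory_deadline=statutory,
        extension_notice_by=statutory,
        extended_deadline=extended,
    )


def is_overdue(deadlines: DsarDeadlines, today: date) -> bool:
    """True once the binding deadline (extended if claimed, else statutory) has passed."""
    binding = deadlines.extended_deadline or deadlines.statutory_deadline
    return today > binding


def deadlines_as_iso(received_iso: str, extension_months: int = 0) -> dict[str, str | None]:
    """Convenience wrapper for tracking systems that exchange ISO-8601 strings."""
    d = compute_deadlines(date.fromisoformat(received_iso), extension_months)
    return {
        "received": d.received.isoformat(),
        "internal_target": d.internal_target.isoformat(),
        "statutory_deadline": d.statutory_deadline.isoformat(),
        "extension_notice_by": d.extension_notice_by.isoformat(),
        "extended_deadline": d.extended_deadline.isoformat() if d.extended_deadline else None,
    }


if __name__ == "__main__":
    # Constructed sample receipt dates chosen to exercise the month-end edge cases.
    for received_iso, ext in [("2024-01-31", 0), ("2023-01-31", 0), ("2024-01-31", 2), ("2024-12-05", 1)]:
        print(received_iso, f"extension={ext}", deadlines_as_iso(received_iso, ext))
```

The 28-day internal target is deliberately earlier than the statutory date in every month except February of a non-leap year, which gives the team a buffer for the final review step without ever exceeding the legal limit.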

Common Challenges and Solutions

Finding All Relevant Data

One of the biggest challenges is locating all personal data related to an individual, especially in organizations with multiple systems and departments.

Solution: Maintain data inventories and mapping documents that track what personal data you collect, where it’s stored, and how it flows through your organization.

Managing Resource Constraints

DSARs can be resource-intensive, particularly for smaller organizations or those receiving high volumes of requests.

Solution: Consider implementing self-service tools that allow individuals to access their own data directly. For routine requests, automation can significantly reduce the administrative burden.

Handling Broad Requests

Some requests may be very general, making it difficult to identify precisely what information the individual is seeking.

Solution: When faced with broad requests involving large amounts of data, you may ask the individual to specify what information they’re looking for. To facilitate this, provide meaningful information about your processing activities.

Legal Implications and Penalties

Non-compliance with DSAR requirements carries significant legal risks that organizations must understand and mitigate:

Regulatory Consequences

Unjustified rejections or improper handling of DSARs are considered infringements of data subject rights under the GDPR and can lead to:

  • Substantial fines
    • In the EEA (European Economic Area) up to €20 million or 4% of annual global turnover (whichever is higher).
    • In the UK up to £17.5 million or 4% of annual global turnover (whichever is higher) for the most serious violations.
  • Corrective measures imposed by supervisory authorities, including processing restrictions
  • Mandatory compliance orders requiring immediate action

Individual Redress

Data subjects have multiple avenues to address violations of their access rights:

  • The right to lodge formal complaints with supervisory authorities
  • The ability to pursue judicial remedies through courts
  • Claims for compensation for material or non-material damage suffered

Business Impact

Beyond formal penalties, DSAR non-compliance creates broader business risks:

  • Regulatory investigations that disrupt normal operations
  • Legal costs for defending against complaints and enforcement actions
  • Reputational damage affecting customer trust and business relationships

Supervisory authorities across Europe have consistently demonstrated their willingness to enforce DSAR compliance through fines and enforcement notices, making proper handling of these requests a critical compliance priority.

Recent DSAR GDPR Penalties

Looking at some recent cases can help us further our understanding and highlight potential risks.

1. APD/GBA (Belgium) – 01/2024

Key Information:

  • Authority: Belgian Data Protection Authority (APD/GBA)
  • Date: January 5, 2024
  • Sector: Employee data management
  • Entities Involved: Unnamed company (controller) and former employee
  • Penalty: Warning + Order to comply with the access request within 30 days

What Happened: A former employee who worked at a company for about ten months discovered his professional email account was still active several months after leaving. He filed an access request with the company to learn what personal data was still being processed but received no response. He then filed a complaint with the Belgian DPA when he confirmed his email was still active in November 2023, despite having left in June 2023.

Why This Was a Problem: The company violated multiple GDPR principles by keeping the former employee’s email active well beyond a reasonable timeframe, creating privacy and data minimization issues. Additionally, the company completely ignored the data subject’s access request, failing in its obligation to respond to DSAR requests within the one-month timeframe.

What We Can Learn:

  • Professional mailboxes must be deactivated on an employee’s last working day
  • Auto-replies should be set up for 1-3 months maximum after departure
  • Companies must respond to DSARs even from former employees
  • Proactively establish procedures for handling email accounts after employment ends
  • Document email account termination policies clearly in IT or data protection policies


2. APD/GBA (Belgium) – 93/2024

Key Information:

  • Authority: Belgian Data Protection Authority (APD/GBA)
  • Date: June 17, 2024
  • Sector: Business services
  • Entities Involved: Service provider and former contractor
  • Penalty: Case closed on grounds of expediency (no penalty imposed)

What Happened: Following termination of a service contract, a data subject requested access, restriction of processing, and deletion of their data, particularly regarding their business email account. The controller provided access to the data but made third-party information unreadable, and refused the deletion request, claiming it might need the data for potential legal proceedings. The broader context involved contract payment disputes, copyright issues, and termination terms.

Why This Was a Problem: While the DPA didn’t issue a formal ruling on the merits, they noted that the case involved a broader contractual dispute beyond GDPR compliance. The core dispute related to data protection issues embedded within a larger contractual conflict that would be better addressed by courts with broader jurisdiction.

What We Can Learn:

  • Making third-party data unreadable (rather than completely omitting it) is an acceptable approach when responding to access requests
  • When data protection issues are part of a larger dispute, DPAs may defer to courts with broader jurisdiction
  • Controllers should document data retention justifications related to potential legal proceedings
  • Data protection processes should be maintained even during contract termination disputes


3. AEPD (Spain) – RR/00075/2024

Key Information:

  • Authority: Spanish Data Protection Authority (AEPD)
  • Date: February 23, 2024
  • Sector: Telecommunications
  • Entities Involved: Euskaltel (telecom provider) and customer
  • Penalty: Order to comply with the access request

What Happened: A telecom customer requested access to geolocation data that the provider was processing regarding his phone number. Euskaltel refused, arguing that Spanish Law 25/2007 on data retention for electronic communications exempted them from providing such access. After various appeals and counter-appeals, the AEPD ultimately confirmed that the telecom provider must provide access to the location data.

Why This Was a Problem: The telecom provider incorrectly interpreted national data retention legislation as a complete exemption from GDPR access rights. They also inconsistently claimed both that they didn’t process geolocation data while simultaneously stating they couldn’t provide it due to legal restrictions.

What We Can Learn:

  • Sector-specific legislation (like telecom data retention laws) complements rather than overrides GDPR rights
  • Controllers must always provide an express response to rights requests, even when refusing them
  • Companies should ensure consistent positions when responding to DSARs
  • National laws may limit how data can be processed but generally don’t exempt controllers from transparency obligations
  • When refusing a DSAR, provide specific legal reasoning rather than general references to legislation


The Benefits of Getting DSARs Right

Beyond legal compliance, there are compelling business reasons to handle DSARs effectively:

  1. Building trust with customers and employees by demonstrating transparency
  2. Improving data quality as individuals help identify inaccuracies
  3. Enhancing security by regularly reviewing what data you maintain
  4. Reducing risks of regulatory penalties and reputational damage

Organisations that view DSARs as an opportunity rather than a burden often discover valuable insights about their data practices in the process.

Conclusion

Data Subject Access Requests represent a fundamental privacy right that empowers individuals to understand how their personal information is being used. By establishing clear processes, training your team, and embracing transparency, your organization can turn DSAR compliance from a regulatory challenge into a competitive advantage in an increasingly privacy-conscious marketplace.

Remember that facilitating the right of access is not just about avoiding penalties—it’s about respecting individuals’ rights and building trust-based relationships in a digital economy where personal data has become a valuable currency.

Author

  • Scott Dooley is a seasoned entrepreneur and data protection expert with over 15 years of experience in the tech industry. As the founder of Measured Collective and Kahunam, Scott has dedicated his career to helping businesses navigate the complex landscape of data privacy and GDPR compliance. With a background in marketing and web development, Scott brings a unique perspective to data protection issues, understanding both the technical and business implications of privacy regulations. His expertise spans from cookie compliance to implementing privacy-by-design principles in software development. Scott is passionate about demystifying GDPR and making data protection accessible to businesses of all sizes. Through his blog, he shares practical insights, best practices, and the latest developments in data privacy law, helping readers stay informed and compliant in an ever-changing regulatory environment.
