
Data Subject Access Request (DSAR): How to Handle Access Requests Under GDPR

GDPR gives all data subjects the right to access the personal data you hold about them. Learn what the law requires, who can submit a request, and how to handle it step by step.



    The General Data Protection Regulation (GDPR) gives data subjects the right to obtain access to the personal data that the data controller processes about them.

    But how does this right of access work in practice, and what must the data controller do to comply with such requests? That is the subject of this article.

    The rules on the right of access

    The right of access is one of the data subject rights set out in Chapter 3 of the GDPR; the right itself is defined in Article 15.

    When handling access requests, you must also comply with the transparency requirements in Article 12 (clear language, deadlines, identity verification, and the rules on fees and refusals). Let us look more closely at the requirements under the right of access.

    Communication

    The right of access means that you are obliged to provide data subjects with the following information if they exercise this right:

    • Confirmation of whether you process their personal data.
    • The purpose of the processing of personal data.
    • The categories of personal data being processed about the data subject.
    • The recipients, or categories of recipients, the data is shared with, and, if you transfer data to a country outside the EU/EEA, the safeguards in place for the transfer.
    • How long the data will be stored, or alternatively the criteria used to determine when processing ceases and personal data is deleted.
    • Information about the data subject's right to have their data rectified or erased, to restrict processing, or to object to the processing of their personal data.
    • The right to lodge a complaint with the supervisory authority.
    • Information about how their personal data was collected, if it was not collected directly from the data subject.
    • Whether automated decision-making, including profiling, takes place, together with meaningful information about the logic involved and its significance and envisaged consequences for the data subject.

    In addition, you must comply with the following when handling the request:

    • The data subject has the right to a free copy of the personal data being processed. A reasonable fee based on administrative costs may be charged if the data subject requests additional copies.
    • If the request was submitted electronically, the data must be provided in a commonly used electronic form, unless the data subject requests otherwise.
    • You must not share data where doing so would adversely affect the rights and freedoms of others (Article 15(4)) – but this is a reason to redact or withhold the affected parts, not to refuse the request as a whole.

    Who can submit an access request?

    Anyone whose personal data you process can submit an access request – including customers, users, employees, former employees, consultants, partners, suppliers, and prospective customers.


    A request can also be submitted on behalf of someone else, provided the person has authorisation to do so – for example, a parent acting on behalf of a child, a solicitor acting on behalf of a client, or a guardian.

    You must always ensure that the person submitting the request on someone else's behalf has documentation to prove this.

    Handling an access request in practice

    Below, we walk through how to handle an access request step by step.

    Deadline

    A request must be fulfilled without undue delay and no later than one month after receipt. This can be extended by up to two further months if the request is particularly complex or if you have received a large number of requests at the same time, but you must inform the data subject of the extension and the reasons for it within the first month.

    It is therefore important to have a clear and efficient process in place so you can meet the request within the deadline.

    Preparation

    It is an advantage to be prepared before the first access request arrives. Start by getting an overview of where personal data is stored; your Article 30 record of processing activities should show which systems hold it – CRM systems, mailboxes, HR and ticketing systems, and so on.

    You should also designate a person responsible for handling access requests, so that a single employee owns this process and ensures compliance with GDPR requirements.

    Acknowledging the request

    Promptly confirm receipt with a standard email. This should state that the request has been received and outline the next steps in the process.

    Verifying identity

    As quickly as possible, verify the identity of the requester so that you do not send personal data to the wrong person – doing so would itself be a personal data breach. Keep the verification proportionate: where you have reasonable doubts you may ask for the additional information needed to confirm identity (Article 12(6)), but do not routinely demand copies of ID documents when a reply to an address or account you already hold for the data subject would do. The identity you verify here is also the one you send the data to later.

    Assessing the request

    Before you begin locating personal data, assess the request. If you hold a large amount of information about the person, you may ask them to specify what they are looking for; they may only be interested in specific data. Asking for clarification does not extend the deadline, and if the data subject does not narrow the request, you must answer it in full. A request may only be refused, or charged for, if it is manifestly unfounded or excessive (Article 12(5)), which is a high bar.

    A well-targeted clarification makes the process both easier and faster to complete.

    Locating personal data

    Retrieve the data subject's data by searching systems, databases, archives, and so on.

    You should provide the data subject with a copy of the data – for example documents or video clips – or compile the information into a new consolidated document. The important thing is that the person receives a genuine copy so they can check whether the information is accurate and lawfully processed.


    If you frequently receive access requests, consider building a standardised workflow. Where you have direct access to the databases holding the data subject's information, you can develop functions that retrieve everything held about a given subject. Search on every identifier you hold for the person (e-mail address, customer or employee number, phone number), since records are rarely keyed on a single field, and cover free-text fields such as support notes and e-mail bodies, not just structured records. Manual retrieval may still be necessary depending on the systems used for processing.

    In group companies, personal data may have been processed across multiple entities within the group, so it may be necessary to handle the request across the group. GDPR compliance software with group company functionality can assist with this.

    Quality assurance

    Review all data and files intended for the data subject and ensure that you do not inadvertently share other individuals' personal data. Combine automated and manual checks to identify third-party personal data and redact it where necessary: remove the content itself rather than covering it with a visual overlay, and check attachments and document metadata as well as the body text. Failing to do so could result in a personal data breach if you share someone else's data.
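    The deadline calculation, the cross-system retrieval functions and the automated first pass at third-party redaction described above can be tied together in a small script. The following is an added example written for this article; it is not code from the article's author or from the .legal platform. The table names, the column mapping, the customer records and the dates are all constructed for illustration, and in a real deployment the mapping of tables to subject identifiers would be derived from your Article 30 record.

```python
"""Illustrative DSAR export helper: locate, redact, and track deadlines."""
import calendar
import datetime as dt
import json
import re
import sqlite3

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample data standing in for systems an Article 30 record would
# list (CRM, order system, support mailbox). Tables, columns and people are
# hypothetical and exist only to exercise the logic below.
SAMPLE_SCHEMA = """
CREATE TABLE crm_customers (id INTEGER, name TEXT, email TEXT, phone TEXT);
CREATE TABLE orders (id INTEGER, customer_email TEXT, item TEXT, placed_on TEXT);
CREATE TABLE support_notes (id INTEGER, customer_email TEXT, note TEXT);
INSERT INTO crm_customers VALUES (1, 'Anna Example', 'anna@example.org', '+45 00 00 00 00');
INSERT INTO crm_customers VALUES (2, 'Bo Other', 'bo@example.org', '+45 11 11 11 11');
INSERT INTO orders VALUES (10, 'anna@example.org', 'Widget', '2024-01-05');
INSERT INTO orders VALUES (11, 'bo@example.org', 'Gadget', '2024-02-01');
INSERT INTO support_notes VALUES (100, 'anna@example.org',
  'Called about a refund; said her colleague bo@example.org had the same issue.');
INSERT INTO support_notes VALUES (101, 'anna@example.org', 'Refund issued.');
"""

# Which tables hold data about a subject and which column identifies them.
# Hypothetical mapping; in practice it comes from the record of processing
# activities, never from the request itself.
SUBJECT_COLUMNS = {
    "crm_customers": "email",
    "orders": "customer_email",
    "support_notes": "customer_email",
}
# Free-text columns that may mention other people and therefore need redaction.
FREE_TEXT_COLUMNS = {"support_notes": ["note"]}


def add_months(day: dt.date, months: int) -> dt.date:
    """Same calendar day N months later, clamped to that month's last day."""
    month_index = day.month - 1 + months
    year, month = day.year + month_index // 12, month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return day.replace(year=year, month=month, day=min(day.day, last_day))


def response_deadlines(received: dt.date) -> dict:
    """Article 12(3): answer within one month of receipt; a justified
    extension adds up to two further months, and the decision to extend
    must itself be communicated within the first month."""
    return {
        "received": received.isoformat(),
        "respond_by": add_months(received, 1).isoformat(),
        "extended_respond_by": add_months(received, 3).isoformat(),
    }


def redact_third_parties(text: str, subject_email: str) -> tuple:
    """Replace e-mail addresses that are not the subject's own. Returns the
    redacted text and the number of replacements, so that any record touched
    can be queued for manual review: pattern matching is a first pass, not a
    guarantee that no other person's data remains (names, for instance)."""
    count = 0

    def _sub(match):
        nonlocal count
        if match.group(0).lower() == subject_email.lower():
            return match.group(0)
        count += 1
        return "[REDACTED: third party]"

    return EMAIL_RE.sub(_sub, text), count


def locate_personal_data(conn: sqlite3.Connection, subject_email: str) -> dict:
    """Pull every row about the subject from each mapped table, redacting
    third-party identifiers in free-text fields and flagging them for review."""
    export = {"subject": subject_email, "systems": {}, "needs_manual_review": []}
    for table, column in SUBJECT_COLUMNS.items():
        # Identifiers come from the fixed mapping above; only the subject
        # value is taken from the request, and it is passed as a bound parameter.
        cur = conn.execute(f"SELECT * FROM {table} WHERE {column} = ?", (subject_email,))
        cols = [d[0] for d in cur.description]
        rows = []
        for row in cur.fetchall():
            record = dict(zip(cols, row))
            for text_col in FREE_TEXT_COLUMNS.get(table, []):
                record[text_col], hits = redact_third_parties(record[text_col], subject_email)
                if hits:
                    export["needs_manual_review"].append(f"{table}#{record['id']}")
            rows.append(record)
        export["systems"][table] = rows
    return export


def build_dsar_package(conn: sqlite3.Connection, subject_email: str, received: dt.date) -> dict:
    """Consolidated export plus deadlines, ready for quality assurance."""
    export = locate_personal_data(conn, subject_email)
    export["deadlines"] = response_deadlines(received)
    export["records_found"] = sum(len(rows) for rows in export["systems"].values())
    return export


def demo() -> dict:
    """Run the pipeline against the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SCHEMA)
    return build_dsar_package(conn, "anna@example.org", dt.date(2024, 1, 31))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

    Note the two deliberate design choices: `add_months` clamps to the end of the month, so a request received on 31 January is due on the last day of February rather than overflowing into March; and every record where the automated redaction fired is listed in `needs_manual_review`, because a regex catches e-mail addresses but not names or other context, and the manual check described in the quality assurance step still has to happen.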

    Sending personal data to the data subject

    You can give a person access to their data in several ways – for example a secure download link, an encrypted email or attachment, or access to an online system where they can log in and view their information directly. Plain, unencrypted email is not a secure channel for a bundle of personal data, and the transmission must meet the security requirements of Article 32. Send only to the address or account whose ownership you verified earlier in the process.

    Communication

    When sending the data, you must also include information about the processing itself, which must comply with the requirements set out earlier in this article. This can be included in the body of the email, via a covering letter, or similar.

    Documentation

    Keep all work and communication relating to the access request so you can demonstrate that you have fulfilled it within the requirements of the GDPR. Use your GDPR compliance software to store and structure this documentation in one place.

    Template for access requests

    It is a good idea to create a procedure for how you handle access requests, so you can respond quickly and correctly and comply with all requirements. You can use the section "Handling an access request in practice" above as the basis for your procedure.

    The Danish Data Protection Agency's template for access requests can be used to comply with the information requirements when providing data to the data subject.


    Rulings from the Danish Data Protection Agency on access requests

    There is a great deal of knowledge to draw on from the Danish Data Protection Agency's rulings on access requests, including a case highlighting the importance of having procedures and templates in place for handling access requests.

    Summary

    Data subjects' rights are set out in Chapter 3 of the GDPR, and in this article we have looked closely at the practical compliance with Article 15 on the right of access.

    Want to see how .legal can help you manage access requests and other GDPR obligations? Book a demo and let us show you the platform.


    Frequently Asked Questions about Data Subject Access Requests

    What is a Data Subject Access Request (DSAR)?

    A Data Subject Access Request (DSAR) is a request from an individual to obtain access to the personal data an organisation holds about them. The right is established in Article 15 of the GDPR and applies to anyone whose data is processed by the organisation.

    What must a data controller provide in response to an access request?

    The data controller must provide confirmation of processing, the purposes of processing, the categories of data, who the data is shared with, the retention period, the data subject's other rights, the right to complain to the supervisory authority, how the data was collected, and whether automated decision-making takes place.

    What is the deadline for responding to an access request?

    An access request must be fulfilled no later than one month after receipt. The deadline can be extended by up to two months if the request is particularly complex or if a large number of requests have been received at the same time. The data subject must be informed of any extension.

    Who can submit an access request?

    Anyone whose personal data an organisation processes can submit an access request – including customers, employees, former employees, suppliers, and prospective customers. A request can also be submitted on behalf of someone else, such as a parent for a child or a solicitor for a client, provided documentation is supplied.

    Can you charge a fee for handling an access request?

    The first copy of personal data must be provided free of charge. If the data subject requests additional copies, a reasonable fee may be charged. Requests that are manifestly unfounded or excessive can be refused or charged a fee.

    What should you do before receiving your first access request?

    You should have an overview of where personal data is stored in your organisation, for example by reviewing your Article 30 record of processing activities. Designate a responsible member of staff and consider creating a procedure and standard templates for the process.

    What happens if personal data is sent to the wrong person?

    Sending a data subject's personal data to the wrong recipient is a personal data breach. You must assess the risk to the affected individuals, document the breach in your internal breach log regardless of the outcome, and, unless it is unlikely to result in a risk to their rights and freedoms, notify the supervisory authority without undue delay and where feasible within 72 hours of becoming aware of it (Article 33). It is therefore essential to verify the requester's identity before releasing any data.

    Can you refuse an access request?

    Yes, in certain circumstances. A request can be refused if it is manifestly unfounded or excessive, and parts of the data can be withheld if providing them would adversely affect the rights and freedoms of others. In either case you must inform the data subject without delay, and at the latest within one month, of the reasons and of the possibility of lodging a complaint with the supervisory authority and seeking a judicial remedy (Article 12(4)).

    How do you handle access requests in a group of companies?

    In a group of companies, personal data may have been processed across multiple entities, making it necessary to coordinate the response across the group. GDPR compliance software with group company functionality can help consolidate and manage these processes efficiently.

    Why is it important to document the handling of access requests?

    Documentation is essential for demonstrating to the supervisory authority that the request was handled correctly and within the required timeframe. The Danish Data Protection Agency has emphasised in specific rulings – including the Basisbank case – the importance of having clear procedures and templates in place.
