What Is a DSAR? How to Handle Data Subject Access Requests

A data subject access request (DSAR) is one of the most important rights granted by the General Data Protection Regulation (GDPR). It allows any individual to ask an organization what personal data it holds about them – and to receive a copy of that data.
For publishers, DSARs are a practical reality of operating under GDPR. Whether you collect data through newsletter signups, comment systems, analytics, or cookies, your users have the right to ask what you hold and how you use it. This guide explains what DSARs are, what the law requires, and how to set up a process that handles them efficiently.
What Is a DSAR?
DSAR stands for data subject access request. It is the formal name for the right of individuals – known as “data subjects” under GDPR – to request access to the personal data that an organization holds about them.
This right is established in Article 15 of the GDPR, which states that data subjects have the right to obtain confirmation of whether their personal data is being processed, and if so, to receive a copy of that data along with specific supplementary information.
A DSAR is not just about getting a data dump. The individual also has the right to know:
- The purposes of the processing – why their data is being used
- The categories of data being processed – what types of information are held
- The recipients – who the data has been or will be shared with, including third-party advertisers and analytics providers
- The retention period – how long the data will be stored
- The source – where the data was collected from, if not directly from the individual
- The existence of automated decision-making – including profiling and the logic involved
- International transfers – whether data is transferred to third countries or international organizations, and the safeguards in place
- Their other rights – the existence of the right to request rectification, erasure, or restriction of processing, the right to object, and the right to lodge a complaint with a supervisory authority
In short, a DSAR gives individuals a window into exactly how their data is being handled.
What Is a Data Subject?
A data subject is any identified or identifiable living individual whose personal data is being processed. Under GDPR, this means any person who can be directly or indirectly identified by reference to an identifier such as a name, email address, IP address, cookie ID, or other factors specific to their identity.
For publishers, data subjects include anyone who interacts with your website – registered users, newsletter subscribers, commenters, and even anonymous visitors whose data you collect through cookies or analytics tools. If you can link a piece of data back to an individual, that person is a data subject.
Data Subject Rights Under GDPR
The right of access (DSAR) is one of several rights that GDPR grants to data subjects. Understanding how it fits alongside the other rights helps publishers build a comprehensive compliance process.
GDPR establishes the following data subject rights:
- Right of access (Article 15) – The right to obtain a copy of personal data and information about how it is processed. This is the DSAR.
- Right to rectification (Article 16) – The right to have inaccurate personal data corrected.
- Right to erasure (Article 17) – Also known as the “right to be forgotten.” The right to have personal data deleted under certain circumstances.
- Right to restriction of processing (Article 18) – The right to limit how an organization uses personal data.
- Right to data portability (Article 20) – The right to receive personal data in a structured, commonly used format and transmit it to another organization.
- Right to object (Article 21) – The right to object to certain types of processing, including direct marketing.
- Rights related to automated decision-making (Article 22) – The right not to be subject to decisions based solely on automated processing, including profiling.
A DSAR often serves as the gateway to the other rights. Once someone sees what data you hold, they may follow up with a request to delete it, correct it, or object to how it is being used.
Who Can Make a DSAR?
Any data subject whose personal data your organization processes can make a DSAR. There is no requirement for the person to be a customer, subscriber, or registered user. If you hold any personal data about someone – even just an IP address logged by your web server – they can submit a request.
DSARs can also be made by:
- Authorized representatives – Someone acting on behalf of the data subject, such as a solicitor or parent acting for a child
- Children – Minors can make DSARs, though in practice a parent or guardian often acts on their behalf
- Employees – Staff members can submit DSARs about their own employment data
There are no formal requirements for how a DSAR must be submitted. It can arrive as an email, a letter, a message through a web form, a social media message, or even a verbal request. It does not need to mention “DSAR” or “Article 15” specifically – any request for personal data counts.
Legal Requirements for Handling DSARs
GDPR sets clear rules for how organizations must respond to DSARs. Failing to comply can lead to complaints to supervisory authorities and, ultimately, enforcement action.
Response Deadline
You must respond to a DSAR within one calendar month of receiving it. The deadline is calculated from the date of receipt – for example, a request received on March 5 must be answered by April 5. If the final day falls on a weekend or public holiday, you have until the next working day.
For complex or numerous requests, you can extend the deadline by a further two months (giving a total of three months). However, you must inform the data subject of the extension and the reasons for it within the original one-month period.
Cost
DSARs are free of charge in the vast majority of cases. You can only charge a “reasonable fee” if the request is manifestly unfounded or excessive – for example, if the same person submits repeated identical requests. Even then, you must be able to justify the charge.
Format of Response
If the request was made electronically (e.g., by email), you should provide the response in a commonly used electronic format such as PDF or CSV. The data must be provided in a way that is concise, transparent, and easy to understand.
Verifying Identity
Before disclosing personal data, you must verify that the person making the request is who they claim to be. Sending someone else’s data in response to a fraudulent request would itself be a data breach.
For registered users, you might verify identity by asking them to log in. For other individuals, you may request additional identifying information – though you should not ask for more data than necessary to confirm their identity.
Third-Party Data
If the data you hold includes information about other people, you must be careful not to disclose it. GDPR requires you to balance the data subject’s right of access against the privacy rights of third parties. In practice, this means redacting other individuals’ personal data from the response.
Can You Refuse a DSAR?
You can refuse a DSAR only in limited circumstances:
- Manifestly unfounded requests – Where the individual clearly has no real intention of exercising their rights (e.g., they explicitly state they are trying to cause disruption)
- Manifestly excessive requests – Repeated requests from the same person with no reasonable interval, or requests that are disproportionate in scope
The bar for refusal is high. You must be able to demonstrate why a request is manifestly unfounded or excessive. If you choose to refuse, you must inform the data subject of the reasons and tell them they have the right to complain to a supervisory authority.
You cannot refuse a DSAR simply because it would be inconvenient, time-consuming, or expensive to fulfill.
What Data Do Publishers Need to Provide?
For publishers, responding to a DSAR means gathering personal data from across your systems. The types of data you may need to provide include:
- Account information – Username, email address, display name, registration date
- Comments and content – Any comments posted, forum contributions, or user-generated content
- Newsletter data – Subscription status, email preferences, send history
- Analytics data – Browsing history, page views, session data linked to the individual
- Consent records – Records of what the user consented to and when, including consent management platform (CMP) logs and which advertising partners the user gave consent to
- Technical logs – IP addresses, browser information, server access logs
- Communication records – Support emails, contact form submissions
You are only responsible for providing data that you yourself hold as a data controller. Most publishers do not directly collect advertising tracking data – instead, when a user gives consent through a CMP, they consent to a list of disclosed advertising partners (such as ad exchanges, SSPs, and DSPs) who typically act as independent data controllers for their own processing. If a user wants to access the data those partners hold, they need to submit separate requests to each one. Your role as a publisher is to inform the requester which partners you work with and provide links to their privacy policies, so the user knows where to direct additional DSARs.
That said, the precise legal relationship between a publisher and its ad tech partners is not always straightforward. In some cases – particularly where a publisher embeds third-party tags or plugins that trigger data collection – courts have found that the website operator and the third party may be joint controllers for the initial data collection. If you have a joint controller arrangement with any partner, you may need to coordinate on DSAR responses as part of your Article 26 arrangement.
You are also not required to provide data that you genuinely do not hold or cannot reasonably identify as belonging to the requester. For example, if your analytics data is fully anonymized and cannot be linked to an individual, it falls outside the scope of a DSAR.
How to Handle a DSAR: Step-by-Step
Setting up a clear process before you receive your first DSAR makes handling them far easier. Here is a practical step-by-step approach:
Step 1: Recognize the Request
A DSAR does not need to use any specific language. Train your team to recognize requests that are essentially asking “what data do you have on me?” These might come through your support email, contact form, social media, or any other channel.
Log the request immediately and note the date received – this starts your one-month clock.
Step 2: Verify the Requester’s Identity
Confirm that the person is who they say they are. Methods include:
- Asking them to submit the request from their registered email address
- Asking them to log into their account and submit through a dedicated form
- Requesting a piece of identifying information you already hold (e.g., confirming their account username)
Do not ask for excessive identification. You should not request a passport or government ID unless you already collect that kind of data.
Step 3: Locate the Data
Search all systems where personal data might be stored. For a typical publisher, this includes:
- Content management system (WordPress, Drupal, etc.)
- Email marketing platform (Mailchimp, SendGrid, etc.)
- Analytics platform (Google Analytics, etc.)
- Advertising platforms and consent management tools
- Customer support systems
- Server logs
- Payment processors (for subscription-based sites)
Maintaining a data mapping document – a record of what personal data you collect, where it is stored, and who has access – makes this step significantly faster.
Step 4: Compile and Review
Gather all relevant data and review it before sending. Check for:
- Third-party personal data that needs to be redacted
- Commercially sensitive or legally privileged information
- Completeness – have you checked all systems?
Step 5: Respond Within the Deadline
Send the data to the requester in a clear, accessible format. Include the supplementary information required by Article 15 – processing purposes, data categories, recipients, retention periods, and information about their other rights.
If you need more time, notify the data subject of the extension within the initial one-month period.
Step 6: Document Everything
Keep a record of the request, your verification process, the data provided, and the date of your response. This documentation demonstrates compliance if the request is ever reviewed by a supervisory authority.
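The deadline rules from the Legal Requirements section and the six steps above come together in the following request log, added here as an illustration; it is not code from the original article or from Clickio. The one-calendar-month deadline, the three-month total when an extension is invoked, the roll-over to the next working day, and the rule that the extension must be notified within the original month are taken from the text. How a receipt date with no counterpart in the target month is handled (31 January plus one month, which here lands on the last day of February) follows ICO guidance and is an assumption of this example, as are the `DsarRecord` field names, the data-map system names and the holiday calendar.

```python
"""DSAR deadline calculator and request log (illustrative example, not from the article)."""
from __future__ import annotations

import calendar
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Iterable, Optional


def add_calendar_months(start: date, months: int) -> date:
    """Move forward by whole calendar months, keeping the day of the month.

    If the target month has no such day (31 January + 1 month), the deadline
    falls on the last day of that month. This month-end rule follows ICO
    guidance; it is an assumption of this example, not stated in the article.
    """
    month_index = start.month - 1 + months
    year = start.year + month_index // 12
    month = month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


def next_working_day(day: date, holidays: Iterable[date] = ()) -> date:
    """Roll a deadline that lands on a weekend or public holiday to the next working day."""
    holiday_set = set(holidays)
    while day.weekday() >= 5 or day in holiday_set:
        day += timedelta(days=1)
    return day


def response_deadline(received: date, extended: bool = False,
                      holidays: Iterable[date] = ()) -> date:
    """One calendar month from receipt, or three months in total if an extension was invoked."""
    months = 3 if extended else 1
    return next_working_day(add_calendar_months(received, months), holidays)


@dataclass
class DsarRecord:
    """One logged request: the facts Step 6 says to keep on file (field names are assumed)."""
    requester: str
    channel: str                              # email, web form, letter, phone ...
    received: date                            # Step 1: the date that starts the clock
    verification: Optional[str] = None        # Step 2: how identity was confirmed
    systems_checked: set[str] = field(default_factory=set)  # Step 3: searched so far
    extension_notified: Optional[date] = None # date the requester was told of an extension
    response_sent: Optional[date] = None      # Step 5: date the response went out

    @property
    def extended(self) -> bool:
        return self.extension_notified is not None

    def deadline(self, holidays: Iterable[date] = ()) -> date:
        return response_deadline(self.received, self.extended, holidays)

    def extension_notice_valid(self, holidays: Iterable[date] = ()) -> bool:
        """The extension only counts if the requester was told within the original month."""
        if self.extension_notified is None:
            return True
        return self.extension_notified <= response_deadline(self.received, False, holidays)

    def unsearched_systems(self, data_map: Iterable[str]) -> list[str]:
        """Step 4 completeness check: data-map systems that have not been searched yet."""
        return sorted(set(data_map) - self.systems_checked)

    def status(self, today: date, holidays: Iterable[date] = ()) -> str:
        due = self.deadline(holidays)
        if self.response_sent is not None:
            return "closed on time" if self.response_sent <= due else "closed late"
        if today > due:
            return "overdue"
        return f"open, due {due.isoformat()}"


# Constructed data map and holiday calendar for illustration only.
DATA_MAP = {"cms", "newsletter", "analytics", "cmp", "support", "server_logs"}
HOLIDAYS_2024 = {date(2024, 4, 1)}  # Easter Monday; a constructed, deliberately incomplete calendar

if __name__ == "__main__":
    req = DsarRecord("reader@example.com", "email", date(2024, 3, 5),
                     verification="request sent from the registered email address")
    req.systems_checked |= {"cms", "newsletter", "cmp"}
    print(req.deadline(HOLIDAYS_2024))                      # 2024-04-05
    print(req.unsearched_systems(DATA_MAP))                 # ['analytics', 'server_logs', 'support']
    print(req.status(date(2024, 4, 10), HOLIDAYS_2024))     # overdue
    print(response_deadline(date(2024, 1, 31)))             # 2024-02-29 (month-end rule)
    print(response_deadline(date(2024, 3, 6)))              # 2024-04-08 (Saturday rolls to Monday)
```

Running the block prints the deadline for a constructed request received on 5 March 2024 (5 April 2024, a Friday, matching the article's March 5 to April 5 example), the systems still unsearched against the data map, and the overdue status as of 10 April 2024. The last two lines show the edge cases the one-month rule raises in practice: a receipt date at month end and a deadline that lands on a weekend.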
How Many DSARs Should Publishers Expect?
For most small and mid-sized publishers, DSARs are still relatively uncommon. Many may only receive a handful per year, or none at all. However, the trend is clearly upward – consumer awareness of data rights is growing, and industry surveys show DSAR volumes increasing significantly year on year. This means it is important to have a process in place even if you have not received a request yet.
The good news is that there is no need to invest in a dedicated automated DSAR management platform right away. What matters is being prepared: knowing what data you hold, having a documented process, and being able to respond within the legal deadline when a request arrives. A simple spreadsheet to track requests, a set of template responses, and a clear data map are enough for most publishers to handle DSARs efficiently. If request volumes grow significantly, you can consider more sophisticated tooling at that point.
DSARs Under Other Privacy Laws
While DSARs are most commonly associated with GDPR, similar rights of access exist under other privacy regulations:
- UK GDPR – The UK retained the DSAR framework after Brexit. The rules are essentially identical to EU GDPR, enforced by the Information Commissioner’s Office (ICO).
- CCPA/CPRA – California consumers have the “right to know” what personal information a business has collected. The response deadline is 45 days (extendable by a further 45 days).
- LGPD (Brazil) – Data subjects can request confirmation of processing and access to their data. The controller must respond within 15 days.
- Other US state laws – Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and other states with privacy laws include similar access rights with varying response deadlines.
If your website serves a global audience, you may receive access requests under multiple regulatory frameworks. Building a single robust process that meets GDPR’s requirements will generally satisfy the access rights under other laws as well, since GDPR tends to be the most demanding.
DSAR Best Practices for Publishers
Based on guidance from the ICO and other supervisory authorities, here are best practices for publishers handling DSARs:
Create a Dedicated Request Channel
Publish a clear method for submitting DSARs on your website – a dedicated email address (e.g., privacy@yourdomain.com) or a web form linked from your privacy policy. This reduces the chance of requests being missed or delayed in a general inbox.
Maintain a Data Map
Document what personal data you collect, where it is stored, what it is used for, and who has access. A current data map turns a multi-day search into a straightforward checklist.
Keep Consent Records
Using a consent management platform (CMP) helps you maintain clear records of what each user consented to and when. These records are often part of what you need to provide in a DSAR response, and they also demonstrate your GDPR compliance more broadly.
Clickio Consent, a Google-certified CMP, automatically maintains detailed consent records for every user interaction – including timestamps, consent choices, and which advertising partners the user gave consent to. It also records detailed information about each partner: their privacy policy, the types of data they process, the cookies they use, and the purposes they process data for. This makes it straightforward to retrieve consent data when responding to DSARs, and provides an auditable trail that demonstrates compliance to supervisory authorities.
Train Your Team
Ensure that anyone who might receive a DSAR – editorial staff, customer support, marketing – knows how to recognize one and who to forward it to. A missed request can easily become a compliance failure.
Prepare Template Responses
Create template letters for acknowledging receipt, requesting identity verification, providing data, and explaining any extensions. Templates speed up response times and ensure consistency.
Review Your Data Retention
The less personal data you retain, the less you need to search through when a DSAR arrives. A good data retention policy – deleting data you no longer need – simplifies DSAR compliance and reduces your overall risk.
Common DSAR Mistakes to Avoid
Supervisory authorities have highlighted several common errors that organizations make when handling DSARs:
- Missing the deadline – The one-month clock starts from the date you receive the request, not the day after. If you need more time, you must notify the requester within that first month.
- Asking for excessive ID – Requesting a passport copy when a simple email confirmation would suffice is disproportionate and may itself breach GDPR’s data minimization principle.
- Incomplete searches – Checking your CMS but forgetting email marketing, analytics, or backup systems. Every system that holds personal data needs to be searched.
- Disclosing third-party data – Failing to redact other people’s personal information from the response.
- Charging a fee – Unless the request is manifestly unfounded or excessive, you cannot charge for a DSAR. This is a change from the pre-GDPR rules and catches some organizations off guard.
- Ignoring verbal requests – A DSAR made over the phone is just as valid as one in writing. If you receive one verbally, document it and start the process.
What Happens If You Fail to Comply?
Failing to handle a DSAR properly can have real consequences. Data subjects who are dissatisfied with your response – or who receive no response at all – can complain to a supervisory authority such as the ICO (UK) or their national data protection authority (EU).
Supervisory authorities can:
- Order you to comply with the request within a specific timeframe
- Issue a reprimand
- Impose administrative fines – GDPR allows fines of up to 20 million euros or 4% of annual global turnover, whichever is higher, for serious infringements
- Order you to suspend data processing activities
In practice, most DSAR complaints result in the authority instructing the organization to respond properly rather than jumping straight to fines. However, a pattern of ignoring requests or a particularly egregious failure can lead to enforcement action.
Data subjects also have the right to seek compensation through the courts for material or non-material damage caused by GDPR violations, including failures to comply with DSARs.
DSAR Checklist for Publishers
Use this checklist to ensure your DSAR process is complete:
| Step | Action |
|---|---|
| 1 | Publish a clear DSAR request channel (privacy email or web form) in your privacy policy |
| 2 | Train all staff who may receive requests to recognize and escalate DSARs |
| 3 | Create and maintain a data map of all personal data you collect and where it is stored |
| 4 | Prepare template responses for acknowledgment, identity verification, and data disclosure |
| 5 | Implement identity verification procedures proportionate to your data |
| 6 | Set up a tracking system to monitor DSAR deadlines |
| 7 | Use a CMP to maintain auditable consent records |
| 8 | Review and minimize data retention to reduce DSAR scope |
| 9 | Document your DSAR handling process and keep records of all requests and responses |
Simplify Compliance with the Right Tools
Handling DSARs effectively is much easier when your underlying data collection and consent management are well organized. A consent management platform centralizes consent records, making it faster to retrieve the consent-related data that frequently forms part of a DSAR response.
Clickio Consent is a Google-certified CMP trusted by over 2,000 publishers worldwide. It handles consent collection across GDPR, CCPA/CPRA, other US state privacy laws, and other global privacy regulations, while maintaining detailed records of every consent interaction. This not only helps with DSAR responses but supports your broader GDPR compliance strategy – including the accountability principle that requires you to demonstrate compliance on demand.