TermsBox
PricingBlog
LoginGet Started
PricingBlogLogin
Get Started
  1. Home
  2. Blog
  3. Subject Access Request GDPR: Complete Guide for Businesses
Legal Compliance

Subject Access Request GDPR: Complete Guide for Businesses

Learn how to handle a subject access request under GDPR. Covers timelines, exemptions, DSAR requirements, and step-by-step compliance for businesses.

TermsBox Team|April 4, 202615 min read

A subject access request under GDPR is a formal exercise of the right of access, one of the most fundamental data protection rights in European law. Under Article 15 of the General Data Protection Regulation, any individual has the right to obtain confirmation of whether a business processes their personal data, and if so, to receive a copy of that data along with specific supplementary information.

For businesses, handling subject access requests correctly is not optional. Getting it wrong exposes your organization to enforcement action, fines of up to 20 million EUR or 4% of annual global turnover, and reputational damage. This guide explains exactly what a DSAR requires, how to respond within the legal deadlines, and how to build a process that keeps your business compliant. The content here is educational and should not be treated as legal advice. Consult a qualified attorney for guidance specific to your situation.

What Is a Subject Access Request Under GDPR?

A subject access request (SAR), also called a data subject access request (DSAR), is a request from an individual asking an organization to provide access to the personal data it holds about them. The legal basis is Article 15 of the GDPR, which grants every data subject the right of access.

When someone submits a subject access request, they are entitled to receive:

  • Confirmation of whether you process their personal data
  • A copy of their personal data in an accessible format
  • The purposes of the processing
  • The categories of personal data involved
  • The recipients or categories of recipients who have received the data
  • The retention period, or the criteria used to determine it
  • Information about the source of the data if it was not collected directly from the individual
  • Whether automated decision-making or profiling is involved, and if so, meaningful information about the logic and consequences

This is not a discretionary request. It is a legal right, and organizations must have processes in place to fulfill it.

Who Can Make a DSAR and How?

Any living individual whose personal data you process can submit a DSAR under GDPR. This includes current and former customers, employees, job applicants, website visitors, and anyone else whose data you hold. The requester does not need to be an EU citizen. The GDPR applies based on where the processing takes place and who is being targeted, not nationality.

No Format Requirements

The GDPR does not require subject access requests to be submitted in a specific form. A request can arrive by email, letter, phone call, social media message, or in person. You cannot require people to use a dedicated form or portal, though you may offer one to streamline the process.

In practice, most DSARs arrive by email. Train your staff to recognize when a communication constitutes a subject access request, even when the sender does not use the exact words. A message that says "I want to know what data you have about me" is a valid SAR.

Third-Party Requests

Individuals can authorize someone else to make a request on their behalf. This includes solicitors, advocacy organizations, or family members with appropriate authorization. When a third party submits a DSAR, verify that they have valid authority to act for the data subject before releasing any information.

Requests on Behalf of Children

For children under 16 (or under 13 in some member states), a parent or guardian can make a subject access request on the child's behalf. However, if the child is mature enough to understand their rights, they can make the request themselves. Assess this on a case-by-case basis.

The One-Month Response Deadline

Article 12(3) of the GDPR sets a clear deadline: you must respond to a subject access request without undue delay, and in any event within one calendar month of receipt. This is not one month from when you start working on it. The clock starts the day after you receive the request.

Calculating the Deadline

The one-month period follows calendar months, not a fixed 30-day count. If you receive a request on March 15, your deadline is April 15. If the deadline falls on a weekend or public holiday, it extends to the next working day.

Extensions for Complex Requests

For complex or numerous requests, you can extend the deadline by up to two additional months, giving you a maximum of three months total. To use this extension, you must:

  1. Inform the data subject of the extension within the initial one-month period
  2. Explain why the extension is necessary
  3. Document your reasoning

Complexity might include requests that involve searching multiple systems, large volumes of data, or consultations with third parties about releasing their data. A routine request from a single individual with a straightforward data footprint does not qualify for an extension.

What "Respond" Means

Responding does not just mean acknowledging the request. Within the deadline, you must either provide the requested information, explain why you are refusing the request (with justification), or inform the data subject of an extension. Silence is not an option and constitutes a violation.

Step-by-Step Process for Handling a Subject Access Request

Building a repeatable process ensures consistency and helps you meet deadlines. Here is a practical framework for handling every subject access request GDPR compliance requires.

Step 1: Log and Acknowledge

As soon as you receive a DSAR, log it in a tracking system with the date received, the requester's identity, and the contact details provided. Send an acknowledgment within two to three business days. This is not legally required, but it demonstrates good faith and gives you an opportunity to ask clarifying questions.

Step 2: Verify Identity

Before releasing any personal data, you must verify that the requester is who they claim to be. Article 12(6) permits you to request additional information to confirm identity when you have reasonable doubts. Common verification methods include:

  • Matching the request to an existing account or customer record
  • Asking for specific identifiers (account number, order reference)
  • Requesting a copy of government-issued ID (only when necessary and proportionate)

Do not use identity verification as a delay tactic. Keep it proportionate to the sensitivity of the data involved.

Step 3: Locate All Relevant Data

Search every system where you might hold personal data about the requester. This goes beyond your main database and includes:

  • Email accounts and correspondence
  • CRM and customer support systems
  • HR systems (for employee requests)
  • Backup systems and archives
  • Third-party processors who handle data on your behalf
  • Paper records and physical files
  • Analytics and tracking systems
  • Cookie consent records

A comprehensive data inventory, which your privacy policy generator should reflect, makes this step significantly easier. If you maintain a Record of Processing Activities (ROPA) as required by Article 30 of the GDPR, use it as your search map.

Step 4: Review and Redact

Before providing the data, review it for information about other individuals. Article 15(4) states that the right of access must not adversely affect the rights and freedoms of others. If the requested data contains another person's personal data, you must redact it unless that person has consented to the disclosure or it is reasonable to disclose it without consent.

Also check for legally privileged information, trade secrets, and information covered by other exemptions (see the exemptions section below).

Step 5: Compile and Deliver

Provide the data in a commonly used electronic format. Article 15(3) specifies that when the request is made electronically, the information should be provided in a commonly used electronic format, unless the data subject requests otherwise. PDF, CSV, and structured JSON are all acceptable.

Include the supplementary information required by Article 15(1): purposes, categories, recipients, retention periods, source of data, and information about automated decision-making.

Step 6: Document Everything

Record what you provided, when you provided it, and the reasoning behind any redactions or refusals. This documentation protects you if the data subject complains to a supervisory authority.

Exemptions: When You Can Limit or Refuse Access

The right of access is broad but not absolute. The GDPR includes several grounds for limiting or refusing a subject access request.

Manifestly unfounded or excessive requests. Under Article 12(5), you may charge a reasonable fee or refuse to act on requests that are manifestly unfounded or excessive. The burden of proof is on you to demonstrate this. A request is not "excessive" simply because it requires effort to fulfill.

Rights of others. Article 15(4) allows you to withhold data that would reveal personal information about another identifiable individual, unless that person consents or it is reasonable to disclose.

Legal privilege. Information subject to legal professional privilege is generally exempt from disclosure.

National security and law enforcement. Member states may restrict the right of access for reasons of national security, defense, public security, and criminal investigations under Article 23.

Ongoing investigations. Some member states exempt data from disclosure when it would prejudice ongoing regulatory or disciplinary investigations.

When refusing a request, you must inform the data subject of the reasons, their right to complain to a supervisory authority, and their right to seek a judicial remedy.

Privacy Policy Generator

Create a comprehensive privacy policy for your website or app. Create yours in minutes with TermsBox.

Generate Now

Common Mistakes Businesses Make With DSARs

After years of GDPR enforcement, supervisory authorities have published guidance highlighting recurring failures. Avoid these common errors.

Missing the deadline. The one-month deadline is strict. The UK Information Commissioner's Office (ICO) has issued reprimands and fines to organizations that consistently miss DSAR deadlines. Set calendar reminders and assign clear ownership for each request.

Over-relying on identity verification. Asking for excessive documentation to prove identity, especially when you can verify the person through simpler means like matching their email to an account, creates unnecessary delays and can itself be a violation of the proportionality principle.

Providing incomplete data. A partial response is not a compliant response. Search all systems, including email, backups, and third-party processors. The ICO has specifically noted that organizations frequently overlook data held in email accounts and by sub-processors.

Ignoring verbal requests. Many businesses only recognize written DSARs. The GDPR imposes no format requirement. Train all customer-facing staff to identify and escalate verbal requests.

Failing to provide supplementary information. Sending a data dump without the required context (processing purposes, recipients, retention periods) does not satisfy Article 15. The supplementary information is part of the legal requirement, not a nice-to-have.

Not redacting third-party data. Sending unredacted data that reveals another person's personal information violates their privacy rights and can result in separate enforcement action against you.

How to Prepare Your Business for Subject Access Requests

Proactive preparation is far more cost-effective than scrambling to respond to each DSAR individually. Here is how to build organizational readiness.

Maintain a Data Inventory

Know what personal data you hold, where it is stored, and who has access to it. A current data inventory and ROPA makes DSAR fulfillment dramatically faster. Without one, every request requires an ad hoc search across disparate systems.

Create Internal Procedures

Document a standard operating procedure for handling DSARs that covers:

  1. Who receives and triages incoming requests
  2. Identity verification criteria
  3. Which systems to search and in what order
  4. Redaction and review responsibilities
  5. Approval workflow before release
  6. Deadline tracking and escalation procedures
  7. Record-keeping requirements

Train Your Staff

Everyone who interacts with customers, employees, or the public should know what a subject access request looks like and how to escalate it. This includes customer support teams, HR staff, receptionists, and social media managers.

Use Technology to Streamline

For organizations that receive frequent DSARs, manual processing becomes unsustainable. Consider tools that can automate data discovery across systems and compile responses. TermsBox, for example, provides compliance monitoring that helps businesses maintain visibility over their data processing activities, which directly supports DSAR response capabilities.

Update Your Privacy Policy

Your privacy policy must inform data subjects of their right to make a subject access request, as required by Articles 13 and 14 of the GDPR. Include clear instructions for how to submit a request and provide contact details for your data protection officer (if applicable) or the responsible team. A privacy policy generator can help ensure these disclosures are properly structured.

Subject Access Requests and Website Compliance

For website operators, DSARs intersect with broader compliance obligations. The data you collect through your website, including analytics data, cookie consent records, form submissions, and account information, all falls within scope of a subject access request.

Your cookie policy should clearly describe what data cookies and tracking technologies collect. When you receive a DSAR, this data must be included in your response if it constitutes personal data linked to the requester.

Key website data that commonly falls within DSAR scope:

  • Account registration details and profile information
  • Order history and payment records (excluding full card numbers)
  • Customer support correspondence
  • Cookie consent preferences and consent records
  • Form submissions and newsletter sign-ups
  • IP addresses and browsing behavior collected through analytics
  • Any personalization or profiling data

Having a compliance platform that tracks what data your website collects makes responding to DSARs considerably easier. When your data collection is documented and organized, you can locate and compile the relevant data without guesswork.

DSAR Enforcement: Real Penalties and Case Examples

Supervisory authorities across Europe have actively enforced the right of access. Understanding real enforcement actions helps illustrate why proper DSAR handling matters.

The Austrian Data Protection Authority fined a company 18 million EUR in 2021 for systemic failures in responding to data subject access requests. The Romanian authority (ANSPDCP) has issued multiple fines for late or incomplete DSAR responses. The UK ICO regularly issues reprimands and enforcement notices to organizations with poor SAR processes.

Beyond regulatory fines, Article 82 of the GDPR grants individuals the right to compensation for material and non-material damage caused by GDPR violations. Courts have awarded damages for distress caused by late or inadequate DSAR responses. In Rolfe v. Veale Wasbrough Vizards (2021), a UK court awarded compensation for a delayed subject access request, setting a precedent that even non-financial harm from DSAR failures can result in damages.

The cumulative risk is significant:

  • Supervisory authority fines: Up to 20 million EUR or 4% of annual global turnover under Article 83(5)
  • Individual compensation claims: No statutory cap on damages under Article 82
  • Reputational harm: Enforcement decisions are published and searchable
  • Regulatory scrutiny: Repeated failures invite deeper audits of your broader data protection practices

Frequently Asked Questions

How long do I have to respond to a subject access request under GDPR?

You must respond to a subject access request within one calendar month of receiving it, as specified in Article 12(3) of the GDPR. This deadline can be extended by two additional months for complex or numerous requests, but you must inform the data subject of the extension and the reasons within the initial one-month period. The clock starts on the day after you receive the request, and if the deadline falls on a weekend or public holiday, it extends to the next working day.

Can I charge a fee for responding to a subject access request?

In most cases, no. Article 12(5) of the GDPR requires that the first copy of the data be provided free of charge. You may charge a reasonable fee based on administrative costs only if the request is manifestly unfounded or excessive, or if the data subject requests additional copies. The fee must be reasonable and you must justify it. You cannot use fees as a way to discourage people from exercising their rights.

What happens if I fail to respond to a DSAR within the GDPR deadline?

Failing to respond within the required timeframe is a violation of the GDPR. The data subject can lodge a complaint with their national supervisory authority, which can investigate and impose corrective measures. Under Article 83(5), infringements of data subject rights can result in fines of up to 20 million EUR or 4% of annual global turnover, whichever is higher. The data subject may also seek judicial remedy and compensation for material or non-material damage under Articles 79 and 82.

Can I refuse a subject access request?

You can refuse a subject access request only in limited circumstances. Under Article 12(5), you may refuse if the request is manifestly unfounded or excessive, particularly if it is repetitive. You must demonstrate why the request meets this threshold, and the burden of proof is on you. You can also refuse or restrict access under Article 15(4) if disclosure would adversely affect the rights and freedoms of others, such as revealing another person's personal data or trade secrets.

Does a subject access request have to be in writing?

No. The GDPR does not require subject access requests to be submitted in any particular format. A request can be made verbally, by email, through social media, or even in person. If a request is made verbally, it is good practice to document it in writing immediately and confirm the details with the requester. You should accept requests through any reasonable channel and cannot require people to use a specific form, though you may offer one for convenience.

Related Tools

Privacy Policy Generator

Create a comprehensive privacy policy for your website or app

Related Articles

Legal Compliance

AI and Data Privacy: A Practical Guide for Businesses

Learn how AI and data privacy intersect, including legal obligations, compliance strategies, and steps to protect personal data in AI systems.

April 4, 202613 min read
Legal Compliance

AI GDPR Compliance: A Practical Guide for Businesses

Learn how AI GDPR rules affect your business, including legal obligations, compliance steps, and penalties for AI systems processing personal data.

April 4, 202614 min read
Legal Compliance

Apple's Data & Privacy Website: How to Use privacy.apple.com

Apple's data & privacy website at privacy.apple.com lets you download, correct, or delete your data. A step-by-step guide, plus how long a request takes.

April 4, 202613 min read

Ready to Create Your Legal Documents?

Generate professional privacy policies, terms of service, and more in minutes. Free to start, no credit card required.

View All Generators

On This Page

  • What Is a Subject Access Request Under GDPR?
  • Who Can Make a DSAR and How?
  • No Format Requirements
  • Third-Party Requests
  • Requests on Behalf of Children
  • The One-Month Response Deadline
  • Calculating the Deadline
  • Extensions for Complex Requests
  • What "Respond" Means
  • Step-by-Step Process for Handling a Subject Access Request
  • Step 1: Log and Acknowledge
  • Step 2: Verify Identity
  • Step 3: Locate All Relevant Data
  • Step 4: Review and Redact
  • Step 5: Compile and Deliver
  • Step 6: Document Everything
  • Exemptions: When You Can Limit or Refuse Access
  • Common Mistakes Businesses Make With DSARs
  • How to Prepare Your Business for Subject Access Requests
  • Maintain a Data Inventory
  • Create Internal Procedures
  • Train Your Staff
  • Use Technology to Streamline
  • Update Your Privacy Policy
  • Subject Access Requests and Website Compliance
  • DSAR Enforcement: Real Penalties and Case Examples
  • Frequently Asked Questions
TermsBox

Scan your website, auto-generate legal documents, add a consent banner, and stay compliant. One platform for everything.

Product

  • Cookie Scanner
  • Consent Banner
  • Cookie Policy Generator
  • Pricing

Generators

  • Privacy Policy Generator
  • Terms and Conditions Generator
  • EULA Generator
  • Disclaimer Generator
  • Return and Refund Policy Generator

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service
  • Cookie Policy
GDPR
ePrivacy
CCPA
LGPD
Google Consent Mode v2
IAB TCF 2.2
© 2026 TermsBox. All rights reserved.