# DSAR Handling Guide | GDPR Article 15

> Step-by-step GDPR Article 15 DSAR compliance guide — covering identity verification, data mapping, response preparation, deadlines, secure delivery, and accountability documentation.

- Canonical: https://support.secureprivacy.ai/article/gdpr-article-15-dsar-compliance-process
- Product: Consent Management
- Category: Policies & User Consent
- Published: 2026-03-06T12:43:00+00:00
- Updated: 2026-03-24T00:33:21.076+00:00
- Reading time: 5 minutes

---

When your organization receives a **Data Subject Access Request (DSAR)** under **GDPR Article 15**, you must follow a defined compliance process to meet your legal obligations and avoid enforcement action. This guide covers every stage of DSAR handling — from initial acknowledgement and identity verification through to response preparation, secure delivery, and record-keeping. Secure Privacy's DSAR management tools can help automate key steps in this process, including request intake, deadline tracking, and secure document exchange.

## Who Is This For?

- Data Protection Officers (DPOs) managing GDPR Article 15 access requests
- Privacy and compliance teams handling DSAR workflows and documentation
- Legal professionals advising on or responding to data subject requests
- IT and security teams supporting data retrieval, mapping, and secure response delivery

## Step 1: Initial Response and Identity Verification

**Acknowledge receipt promptly.** Inform the data subject of their rights and confirm the request has been received. While GDPR does not specify an exact acknowledgement timeframe, responding within _72 hours_ demonstrates good faith and commitment to compliance.

**Verify the requester's identity** before disclosing any personal data — to prevent unauthorized disclosure to third parties. Verification requests must be proportionate and reasonable; requesting extensive documentation is only justified where genuine doubt exists about the requester's identity.

**Clarify the scope** of the request if it is unclear or overly broad. You may ask for clarification, but this does not pause your one-month response deadline unless the request is manifestly unfounded or excessive.

## Step 2: Processing the DSAR Under GDPR Article 15

**Conduct comprehensive data mapping** across all processing activities — including systems recorded in your Article 30 ROPA, third-party processors, and any international data transfers involving the data subject's personal data.

**Involve your Data Protection Officer (DPO)** and coordinate with relevant departments — including IT, HR, legal, marketing, and customer service — to ensure all personal data held across the organization is identified and reviewed.

**Document your search methodology** at every stage to satisfy GDPR's accountability principle under Article 5(2). A clear audit trail of how and where you searched for personal data is essential for supervisory authority reviews.

## Step 3: Preparing a GDPR-Compliant DSAR Response

**Compile all relevant personal data** as required by GDPR Article 15(1), including:

- The purposes for which the data is being processed
- The categories of personal data held
- Recipients or categories of recipients to whom the data has been disclosed
- Retention periods or the criteria used to determine them
- Information about any automated decision-making, including profiling

**Inform the data subject of their remaining rights** — including the right to rectification, erasure, restriction of processing, data portability, and the right to object.

**Include source details** if personal data was not collected directly from the data subject.

**Remove third-party personal data** from the response unless disclosure is legally required or the third party has provided consent.

## Step 4: GDPR Deadlines and Legal Compliance

**Respond within one calendar month** from the date of receipt. For complex or high-volume requests, this can be extended by a further two months — but you must notify the data subject of the extension and reason within the first month.

**Provide the information free of charge** in all standard cases. A reasonable fee may only be charged for requests that are manifestly unfounded, excessive, or repetitive — and this must be documented and justifiable.

**Consider applicable GDPR exemptions** under national law — such as legal professional privilege or third-party rights — but always document the legal grounds for any partial or full refusal.

## Step 5: Secure Delivery and Record-Keeping

**Deliver the response securely** — using encryption for electronic responses or registered post for physical delivery — to ensure the personal data reaches only the verified requester.

**Provide data in a structured, commonly used, machine-readable format** where applicable, to support the data subject's right to data portability under GDPR Article 20.

**Maintain complete records** of the DSAR handling process — including correspondence, search methodology, risk assessments, and decisions made — for accountability and supervisory authority review.

**Monitor for follow-up requests** such as rectification, erasure, or restriction of processing that commonly follow a completed access request.

## GDPR Enforcement and Penalties

Failure to comply with DSAR obligations under GDPR Article 15 can result in fines of up to **€20 million or 4% of global annual turnover** under Article 83 — whichever is higher. Supervisory authorities take into account your compliance history, the nature of the infringement, and your demonstrated cooperation when determining penalties.

Establishing documented DSAR procedures, staff training programs, and clear escalation paths is essential for demonstrating proactive compliance and mitigating enforcement risk.

## Frequently Asked Questions

### What if identity verification delays the DSAR response?

Verification must be proportionate — requesting excessive documentation to confirm identity can itself constitute a GDPR violation. Maintain a clear audit trail of your verification process and communicate transparently with the requester. If verification is genuinely necessary and proportionate, document the reason for any resulting delay. The one-month response clock typically starts from the point of receipt, not the completion of verification, unless your national implementation specifies otherwise.

### How should I handle an overly broad or unclear DSAR?

Request clarification promptly — but continue working on any unambiguous parts of the request in parallel to ensure you meet the deadline. Asking for clarification does not pause the response deadline unless the request is manifestly unfounded or excessive. Document all clarification requests and responses as part of your audit trail.

### What documentation is required for GDPR accountability under Article 5(2)?

You must securely retain records of your search methodology (which systems were searched and how), all correspondence with the data subject, any risk assessments conducted, decisions made regarding exemptions or partial refusals, and the final response delivered. These records must be available for supervisory authority review and should be retained for a reasonable period after the request is closed.

## See Also

- [Setup DSAR Forms in Secure Privacy – Step-by-Step Guide](https://support.secureprivacy.ai/article/managing-data-subject-access-requests-dsars-in-secure-privacy)
- [Using DSAR Custom Controls in Secure Privacy](https://support.secureprivacy.ai/article/customizing-the-data-request-form-using-dsar-custom-controls-in-secure-privacy)
- [Modifying Data Retention Periods for Legal Templates](https://support.secureprivacy.ai/article/modifying-data-retention-period-for-legal-templates)
- [Where Is My Data Stored?](https://support.secureprivacy.ai/article/-where-is-my-data-stored--secureprivacy-data-location)
