GDPR Article 15 Data Subject Access Request (DSAR) Compliance Process
When your organization receives a Data Subject Access Request (DSAR) under GDPR Article 15, here is the compliance process you must follow to meet legal obligations and ensure proper handling.
Initial Response and Verification (GDPR Requirements)
Acknowledge receipt promptly and inform the data subject of their rights. While GDPR doesn't specify an exact timeframe, acknowledge within 72 hours to demonstrate commitment.
Verify the identity of the requester to avoid unauthorized disclosure, requesting additional ID if needed but keeping verification proportional and reasonable.
Clarify the scope of the request if unclear or overly broad. You can request clarification, but this does not pause your response deadline unless the request is manifestly unfounded or excessive.
Processing Under GDPR Framework
Conduct comprehensive data mapping across all processing activities, including systems in Article 30 records, third-party processors, and international data transfers.
Involve your Data Protection Officer (DPO) and coordinate with departments such as IT, HR, legal, marketing, and customer service to ensure thorough compliance.
Document your search methods to comply with GDPR's accountability principle.
Preparing the GDPR-Compliant Response
Compile all relevant personal data per Article 15(1), including processing purposes, data categories, recipients, retention periods, and automated processing info.
Inform the data subject about their rights (rectification, erasure, restriction, portability, objection).
Include source details if data was not collected from the data subject directly.
Remove third-party personal data unless legally required or with consent.
GDPR Legal Compliance and Deadlines
Respond within one month from receipt, extendable by two months for complex requests, with notification during the first month.
Provide information free of charge unless the request is manifestly unfounded, excessive, or repetitive.
Consider GDPR exemptions as per national law (e.g., legal privilege) but document legal grounds.
GDPR-Compliant Final Steps
Deliver responses securely with encryption or registered post.
Provide data in structured, machine-readable format supporting data portability.
Maintain records of DSAR handling for accountability and supervisory reviews.
Monitor for follow-ups such as rectification or erasure requests.
GDPR Enforcement Considerations
Failure to comply with DSAR obligations can lead to fines up to €20 million or 4% of global turnover under Article 83. Supervisory authorities consider compliance history and cooperation.
Establish documented DSAR procedures, staff training, and escalation paths to demonstrate proactive compliance.
Who Is This For?
- Data Protection Officers (DPOs)
- Privacy and compliance teams
- Legal professionals managing GDPR requests
- IT and security teams supporting data access and handling
Common Issues & Fixes
- What if the identity verification delays response?
- Keep a clear audit trail and communicate with the requester. Verification should be proportionate and not cause unnecessary delays.
- How to handle overly broad or unclear DSARs?
- Request clarification promptly but continue to work on the information you have to meet deadlines.
- What documentation is needed for GDPR accountability?
- Records of search methodology, correspondence, risk assessments, and decisions must be maintained securely.