Secure Privacy

How to Handle a DSAR Under GDPR Article 15 – Data Subject Access Request Compliance Process

When your organization receives a Data Subject Access Request under GDPR Article 15, you must verify the requester's identity, map all relevant personal data across systems and processors, prepare a compliant response within one month, and maintain a full audit trail. This guide covers every stage of the DSAR process — from initial acknowledgement through to secure delivery and record-keeping — with guidance on using Secure Privacy's DSAR tools to automate key workflow steps.

Secure Privacy Team

When your organization receives a Data Subject Access Request (DSAR) under GDPR Article 15, you must follow a defined compliance process to meet your legal obligations and avoid enforcement action. This guide covers every stage of DSAR handling — from initial acknowledgement and identity verification through to response preparation, secure delivery, and record-keeping. Secure Privacy's DSAR management tools can help automate key steps in this process, including request intake, deadline tracking, and secure document exchange.

Who Is This For?

  • Data Protection Officers (DPOs) managing GDPR Article 15 access requests

  • Privacy and compliance teams handling DSAR workflows and documentation

  • Legal professionals advising on or responding to data subject requests

  • IT and security teams supporting data retrieval, mapping, and secure response delivery

Step 1: Initial Response and Identity Verification

Acknowledge receipt promptly. Inform the data subject of their rights and confirm the request has been received. While GDPR does not specify an exact acknowledgement timeframe, responding within 72 hours demonstrates good faith and commitment to compliance.

Verify the requester's identity before disclosing any personal data — to prevent unauthorized disclosure to third parties. Verification requests must be proportionate and reasonable; requesting extensive documentation is only justified where genuine doubt exists about the requester's identity.

Clarify the scope of the request if it is unclear or overly broad. You may ask for clarification, but this does not pause your one-month response deadline unless the request is manifestly unfounded or excessive.

Step 2: Processing the DSAR Under GDPR Article 15

Conduct comprehensive data mapping across all processing activities, including the systems recorded in your Article 30 record of processing activities (ROPA), third-party processors, and any international data transfers involving the data subject's personal data.

Involve your Data Protection Officer (DPO) and coordinate with relevant departments — including IT, HR, legal, marketing, and customer service — to ensure all personal data held across the organization is identified and reviewed.

Document your search methodology at every stage to satisfy GDPR's accountability principle under Article 5(2). A clear audit trail of how and where you searched for personal data is essential for supervisory authority reviews.

Step 3: Preparing a GDPR-Compliant DSAR Response

Compile all relevant personal data together with the supplementary information required by GDPR Article 15(1), including:

  • The purposes for which the data is being processed

  • The categories of personal data held

  • Recipients or categories of recipients to whom the data has been disclosed

  • Retention periods or the criteria used to determine them

  • Information about any automated decision-making, including profiling

Inform the data subject of their remaining rights — including the right to rectification, erasure, restriction of processing, data portability, and the right to object.

Include source details if personal data was not collected directly from the data subject.

Remove third-party personal data from the response unless disclosure is legally required or the third party has provided consent.

Respond within one calendar month from the date of receipt. For complex or high-volume requests, this can be extended by a further two months — but you must notify the data subject of the extension and reason within the first month.

Provide the information free of charge in all standard cases. A reasonable fee may only be charged for requests that are manifestly unfounded, excessive, or repetitive — and this must be documented and justifiable.

Consider applicable GDPR exemptions under national law — such as legal professional privilege or third-party rights — but always document the legal grounds for any partial or full refusal.

Step 4: Secure Delivery and Record-Keeping

Deliver the response securely — using encryption for electronic responses or registered post for physical delivery — to ensure the personal data reaches only the verified requester.

Provide data in a structured, commonly used, machine-readable format where applicable, to support the data subject's right to data portability under GDPR Article 20.

Maintain complete records of the DSAR handling process — including correspondence, search methodology, risk assessments, and decisions made — for accountability and supervisory authority review.

Monitor for follow-up requests such as rectification, erasure, or restriction of processing that commonly follow a completed access request.

GDPR Enforcement and Penalties

Failure to comply with DSAR obligations under GDPR Article 15 can result in fines of up to €20 million or 4% of global annual turnover under Article 83 — whichever is higher. Supervisory authorities take into account your compliance history, the nature of the infringement, and your demonstrated cooperation when determining penalties.

Establishing documented DSAR procedures, staff training programs, and clear escalation paths is essential for demonstrating proactive compliance and mitigating enforcement risk.

Frequently Asked Questions

What if identity verification delays the DSAR response?

Verification must be proportionate — requesting excessive documentation to confirm identity can itself constitute a GDPR violation. Maintain a clear audit trail of your verification process and communicate transparently with the requester. If verification is genuinely necessary and proportionate, document the reason for any resulting delay. The one-month response clock typically starts from the point of receipt, not the completion of verification, unless your national implementation specifies otherwise.

How should I handle an overly broad or unclear DSAR?

Request clarification promptly — but continue working on any unambiguous parts of the request in parallel to ensure you meet the deadline. Asking for clarification does not pause the response deadline unless the request is manifestly unfounded or excessive. Document all clarification requests and responses as part of your audit trail.

What documentation is required for GDPR accountability under Article 5(2)?

You must securely retain records of your search methodology (which systems were searched and how), all correspondence with the data subject, any risk assessments conducted, decisions made regarding exemptions or partial refusals, and the final response delivered. These records must be available for supervisory authority review and should be retained for a reasonable period after the request is closed.
