A DSAR (Data Subject Access Request) is a request by an individual for a copy of the personal data an organisation holds about them. It is a right of access under the GDPR and UK GDPR, also called a subject access request or SAR. You must respond within one calendar month, usually free of charge.
What Is a Data Subject Access Request (DSAR)?
A DSAR is how an individual exercises their right of access. That right covers three things: confirmation of processing, a copy of the data, and supplementary information about how it is used.
The right of access is a fundamental right. It helps people check an organisation is handling their information lawfully.
This right comes from Article 15 of the GDPR, and UK organisations usually call the same request a "subject access request" or SAR. Both terms describe the identical right of access, so DSAR and SAR are interchangeable. It is one of the individual rights the GDPR grants people over their personal data.
Who Can Make a DSAR?
Anyone can make a DSAR about their own personal data, free of charge. They do not need a lawyer, a specific form, or to mention the law by name.
A DSAR can be made:
- Verbally or in writing, to any part of the organisation, including social media
- By a representative acting on the person's behalf, once the organisation confirms that authorization (written permission or a power of attorney)
- Covering only the requester's own personal data, not other people's
Employees and former employees are among the most common requesters, particularly during a workplace dispute or after leaving a job. An organisation can verify the requester's identity before responding. That check must stay reasonable and proportionate to the risk of sending someone else's data to the wrong person.
What Information Must You Provide in Response to a DSAR?
A valid DSAR entitles the person to three things. You must provide confirmation that you are processing their personal data, a copy of that data, and supplementary information about your processing.
A DSAR is a right to a copy of someone's personal data, not to entire documents or to information about other people. A request that reads "send me every email I'm mentioned in" resolves to the personal data inside those emails, not the raw files themselves.
The supplementary information covers:
- The purposes of processing their data
- The categories of personal data involved
- The recipients, or categories of recipient, the data has been or will be disclosed to
- The retention period, or the criteria used to set it
- Their right to rectification, erasure, restriction, or objection
- Their right to complain to you and to the data protection regulator
- The source of the data, if you did not collect it directly from them
- Whether automated decision-making or profiling is used, and the logic involved
- Any safeguards applied when transferring their data internationally
How Long Do You Have to Respond to a DSAR?
Under the GDPR and UK GDPR, you must respond to a DSAR without undue delay. The latest deadline is one calendar month from receiving the request.
The month runs from the day the request arrives, and a few practical rules apply:
- The deadline can extend by up to two further months (three months total) for complex or numerous requests, as long as you tell the requester within the first month and explain why
- The clock can pause while you verify the requester's identity or ask them to clarify an unclear or very broad request
- If the deadline falls on a weekend or public holiday, it moves to the end of the next working day
Ignoring a DSAR carries real risk. The requester can complain to the data protection regulator, which can investigate and enforce. GDPR fines reach up to EUR 20 million or 4 percent of global annual turnover, whichever is higher. The US deadline works differently, covered below.
Can You Charge a Fee for a DSAR?
In most cases, you must respond to a DSAR free of charge.
The exception is narrow. If a request is manifestly unfounded or excessive, you may charge a reasonable fee for your administrative cost, or refuse the request outright. The same fee-or-refuse option applies if someone asks for further copies of data you already provided them.
When Can You Refuse or Deny a DSAR?
You can refuse a DSAR, wholly or partly, only in limited circumstances, and the threshold to do so is high.
Valid grounds for refusal include:
- The request is manifestly unfounded: the person clearly has no genuine intention to exercise their right of access, for example by offering to withdraw it for a benefit, or the request is clearly malicious or used to harass
- The request is excessive: clearly unreasonable given its nature, an unjustified repeat of an earlier request, or disproportionate to the burden of responding
- An exemption applies, such as data that also identifies another person, legal professional privilege, or a live crime investigation
You must still respond within the deadline even when you refuse. Tell the person you are refusing, explain why, and inform them of their right to complain to the regulator.
Is There a US Equivalent of a DSAR? (The CCPA "Right to Know")
"DSAR" is GDPR and UK terminology, but US privacy law grants a comparable access right. Under the CCPA, as amended by the CPRA, California residents have a "right to know" the personal information a business has collected. That covers the categories, the sources, the purposes, and the third parties it shares data with. The response deadline is 45 days.
Most newer US state privacy laws grant a similar access right under their own name, even where the deadline or exact mechanics differ from California's.
How Is a DSAR Different from Broader Data Subject Rights?
A DSAR covers the access right specifically: getting a copy of your own personal data. It is one right inside the wider set of data subject rights the GDPR grants, which also includes rectification, erasure, restriction, portability, and objection.
| Right | What it lets a person do |
|---|---|
| Access (DSAR) | Get confirmation of processing, a copy of their personal data, and supplementary information |
| Rectification | Correct inaccurate personal data |
| Erasure | Request deletion of their personal data, also called the right to be forgotten |
| Restriction | Limit how their data is processed without deleting it |
| Portability | Receive their data in a portable, machine-readable format |
| Objection | Object to certain kinds of processing, including direct marketing |
Every DSAR is a data subject request, but not every data subject request is a DSAR. Someone asking to delete their data has made an erasure request, not an access request, even though both fall under the same GDPR rights framework.
How Consently Helps You Keep the Consent Records a DSAR Response Needs
Consently is a cookie-consent platform, not a DSAR tool. The records it keeps help with one part of a DSAR response: showing what a visitor consented to and when.
When a DSAR touches cookie or tracking consent, Consently's consent logs give you a timestamped, exportable record of each visitor's consent choices. You can show what was agreed and when, without digging through raw server logs.
The cookie, privacy, and terms policy generators document what data you collect and how you use it. That documentation is the same transparency the right of access is built on.
Consently does not perform the full DSAR task: locating personal data across every system, verifying identity, redacting other people's data, and sending the response. Consently covers the consent-and-disclosure layer, not DSAR intake or fulfillment. Its policy generators provide assistance, not legal advice.
Consently's GDPR cookie-consent tools log every visitor's consent choice automatically. Try Consently free for 14 days, no credit card required, to see the consent log in your own dashboard.
FAQs
What is a DSAR in simple terms?
A DSAR is a request from an individual for a copy of the personal data an organisation holds about them, plus how it is used.
What does DSAR stand for?
Data Subject Access Request. In the UK it is also called a subject access request, or SAR.
Who can submit a DSAR?
Anyone can submit a DSAR about their own personal data, free of charge, with no lawyer or special form required. A representative can also submit one on someone else's behalf once authorization is confirmed.
What should a DSAR request include?
Enough to identify the person and what they want: a name, contact details, any relevant account identifiers, and a description of the information sought. No set form is required.
How long do you have to respond to a DSAR?
One calendar month from receipt under the GDPR and UK GDPR, extendable by up to two further months for complex or numerous requests. The CCPA equivalent gives businesses 45 days.
Can you charge for a DSAR?
Usually no. You must respond free of charge unless the request is manifestly unfounded or excessive. In that case, you may charge a reasonable fee or refuse it.
What are valid reasons to deny a DSAR?
Only limited grounds apply: the request is manifestly unfounded or excessive, or an exemption applies, such as third-party data or legal privilege. The threshold for refusal is high.
What happens if you ignore a DSAR?
The person can complain to the data protection regulator, which can investigate and enforce. GDPR fines for non-compliance reach up to EUR 20 million or 4 percent of global annual turnover.
Is a DSAR the same as a subject access request (SAR)?
Yes. "Subject access request" or "SAR" is the UK term for the same right of access, used interchangeably with DSAR.

