The GDPR: How to respond to data subject access requests

Under the GDPR (General Data Protection Regulation), individuals are afforded several rights related to the way organisations use their personal data. Among those rights is the ability to submit a DSAR (data subject access request), which requires organisations to send them the following information:

  • Confirmation that their personal information is being processed
  • Copies of the personal data they store
  • The organisation’s lawful basis for processing
  • The names or categories of any third parties that the information has been shared with
  • The estimated period for which the personal data will be stored (or, if this hasn’t yet been decided, the criteria used to determine that period)
  • Any relevant information about how the personal data was obtained
  • Information about automated decision-making, including profiling, and the reasoning for and potential consequences of the automation.

When responding to the DSAR, organisations must also remind the data subject that they have the right to object to the processing, request the rectification of the data or lodge a complaint with a supervisory authority.

These rights are broadly consistent with data protection laws prior to the introduction of the GDPR, although there are a few changes.

In this blog, we explain what you need to know about the GDPR’s DSAR requirements and how you can lawfully complete an access request.

1. You cannot charge a fee for providing information

In most circumstances, organisations must give the subjects a copy of the information they request free of charge. However, organisations are permitted to charge a “reasonable fee” when a request is manifestly unfounded, excessive or repetitive.

A request is manifestly unfounded if the individual has no intent to exercise their right of access, such as when the request is an excuse to make unsubstantiated accusations against the organisation.

Meanwhile, a request is manifestly excessive if the data subject has sent multiple, similar requests within a short time period.

If the organisation does charge a fee to complete the request, the fee must be based on the administrative costs of gathering the necessary information. In other words, the organisation cannot profit from completing a DSAR.

Organisations may also choose to reject a DSAR if they believe that it is manifestly unfounded or excessive and they don’t want to charge a fee.




2. You have one month to respond

The GDPR requires organisations to provide the requested information within a month.

Where requests are complex or numerous, organisations are permitted to extend the deadline to three months. However, they must still respond to the request within a month and explain why the extension is necessary.

It’s a good idea for organisations to assign a team of employees to oversee the response process. This ensures that requests don’t fall through the gaps and get forgotten.

Smaller organisations may be tempted to hand the GDPR request responsibilities to a single point of contact – typically whoever is handling the duties of the DPO (data protection officer) – but you should avoid doing this wherever possible.

Should that employee take an extended holiday or have an unexpected absence, requests could pile up with no one keeping track of them.

3. You must allow electronic and in-person requests

There are no specific rules for how a DSAR must be made. Individuals can say, for instance, “I’d like to see what personal data you have on me” or make the request by email.

Where a request is made electronically, the information must be provided in a commonly used file format.

Similarly, Recital 63 of the Regulation states that data controllers should, where possible, provide “remote access to a secure system which would provide the data subject with direct access to his or her personal data”.



A version of this blog was originally published on 31 July 2017. 
