Topic · RIGHTS
Data Subject Access Requests (DSAR)
How to receive, verify, and respond to DSARs across regimes.
| Regime | Response window | Extension | Statute | Notes |
|---|---|---|---|---|
| PIPA Korea | 10 days | — | PIPA Art 35(3) |
Strict 10-day clock from receipt |
| LGPD (Brazil) | 15 days | — | LGPD Art 19 |
Confirmation immediate; full data within 15 days |
| APPI (Japan) | No fixed window | — | APPI Art 28 |
"Without undue delay" — no fixed statutory window |
| PIPEDA (Canada) | 30 days | +30 days | PIPEDA Sched 1, 4.9.4 |
Extension permitted; must notify within original window |
| Quebec Law 25 | 30 days | — | Quebec L25 Art 33 |
30 days from receipt; no statutory extension |
| PDPA Singapore | 30 days | — | PDPA s.21 |
Within 30 days; refusal must be in writing |
| Swiss FADP | 30 days | — | FADP Art 25(3) |
Statute uses "as soon as possible"; OFDP guidance ~30d |
| AU Privacy Act | 30 days | — | AU APP 12.4 |
"Reasonable time" per APP 12; OAIC standard ≈30 days |
| GDPR (EU) | 30 days | +60 days | GDPR Art 12(3) |
1 month, extendable by 2 months for complex/numerous requests |
| UK GDPR | 30 days | +60 days | UK GDPR Art 12(3) |
Same clock as GDPR; ICO enforces |
| DPDPA (India) | 30 days | — | DPDPA s.11–13 |
Draft rules consultation 2025; expected reasonable time |
| CCPA / CPRA (CA) | 45 days | +45 days | Cal. Civ. Code §1798.130(a)(2) |
45-day window; extension permitted on notice |
| VCDPA (Virginia) | 45 days | +45 days | Va. Code §59.1-577 |
Same 45-day clock; extension on notice |
| TDPSA (Texas) | 45 days | +45 days | Tex. Bus. & Com. Code §541.054 |
Same 45-day clock; extension on notice |
A Data Subject Access Request (DSAR) is the user’s right to ask what data you hold about them, why, and to whom you’ve disclosed it. Under GDPR Art 15, this includes the right to a copy of the data. Other regimes — CCPA, LGPD, DPDPA — have similar but not identical rights.
Response timeframes
| Jurisdiction | Days | Extension |
|---|---|---|
| EU GDPR | 30 | +60 (complex requests, must inform within 30) |
| UK GDPR | 30 | +60 (same as EU) |
| CCPA (California) | 45 | +45 once |
| VCDPA / TDPSA / CO / CT | 45 | +45 once |
| LGPD (Brazil) | 15 | — |
| Argentina Law 25.326 | 10 | — |
| Colombia Law 1581 | 15 working days | — |
| Korea PIPA | 10 | — |
| Japan APPI | “without delay” | — |
| Mexico LFPDPPP | 20 working days | — |
The 8 core rights (GDPR baseline)
- Access (Art 15) — confirmation + copy of data + metadata about processing
- Rectification (Art 16) — correct inaccurate data
- Erasure (Art 17) — “right to be forgotten” — applies in defined circumstances
- Restriction (Art 18) — pause processing while a dispute is resolved
- Data portability (Art 20) — receive data in structured, machine-readable format
- Object (Art 21) — to processing based on legitimate interest, or to direct marketing
- Not be subject to automated decisions (Art 22) — including profiling with legal effects
- Withdraw consent (Art 7) — as easily as it was given
How to operationalize
Build a single intake channel — typically privacy@ or a dedicated form. Verify identity proportionally to the request’s sensitivity (don’t demand a passport scan to delete a newsletter subscription).
Map your data flows in advance: every system, sub-processor, and backup that holds personal data. When a DSAR arrives, you query each one. Without this map, the 30-day clock will burn.
Track every request in a register: receipt date, identity verified date, scope, response sent date, exemptions invoked. This is your evidence in any audit.
Refusing a request
You can refuse “manifestly unfounded or excessive” requests under GDPR Art 12(5). The threshold is high — repeated identical requests within short windows, or requests demonstrably aimed at disrupting operations. Refusal must explain why and state the right to complain to the supervisory authority.
Templates
See templates for response letters per jurisdiction.