Data Subject Access Requests (DSAR)
How to receive, verify, and respond to DSARs across regimes.
A Data Subject Access Request (DSAR) is the user’s right to ask what data you hold about them, why, and to whom you’ve disclosed it. Under GDPR Art 15, this includes the right to a copy of the data. Other regimes — CCPA, LGPD, DPDPA — have similar but not identical rights.
Response timeframes
| Jurisdiction | Days | Extension |
|---|---|---|
| EU GDPR | 30 | +60 (complex requests, must inform within 30) |
| UK GDPR | 30 | +60 (same as EU) |
| CCPA (California) | 45 | +45 once |
| VCDPA / TDPSA / CO / CT | 45 | +45 once |
| LGPD (Brazil) | 15 | — |
| Argentina Law 25.326 | 10 | — |
| Colombia Law 1581 | 15 working days | — |
| Korea PIPA | 10 | — |
| Japan APPI | “without delay” | — |
| Mexico LFPDPPP | 20 working days | — |
The 8 core rights (GDPR baseline)
- Access (Art 15) — confirmation + copy of data + metadata about processing
- Rectification (Art 16) — correct inaccurate data
- Erasure (Art 17) — “right to be forgotten” — applies in defined circumstances
- Restriction (Art 18) — pause processing while a dispute is resolved
- Data portability (Art 20) — receive data in structured, machine-readable format
- Object (Art 21) — to processing based on legitimate interest, or to direct marketing
- Not be subject to automated decisions (Art 22) — including profiling with legal effects
- Withdraw consent (Art 7) — as easily as it was given
How to operationalize
Build a single intake channel — typically privacy@ or a dedicated form. Verify identity proportionally to the request’s sensitivity (don’t demand a passport scan to delete a newsletter subscription).
Map your data flows in advance: every system, sub-processor, and backup that holds personal data. When a DSAR arrives, you query each one. Without this map, the 30-day clock will burn.
Track every request in a register: receipt date, identity verified date, scope, response sent date, exemptions invoked. This is your evidence in any audit.
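The register and the deadline table above are enough to automate the part that most often goes wrong: knowing which request is due when. The following Python is an added example written for this page, not code from the page's author or any named product. It encodes a subset of the table, computes due dates (calendar days, or Monday-to-Friday working days for the regimes that count those), enforces that an extension is notified inside the initial window, and reports the status of each record in a constructed sample register. Assumptions, labelled in the comments: the clock runs from the receipt date, working days ignore public holidays, and extensions are modelled simply as a fixed number of additional days that may be invoked once.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Response windows taken from the table above, as
# (days, counts_working_days, extension_days). Extension is modelled as
# "may be invoked once"; regimes with no extension carry 0. (Assumption: simplified.)
DEADLINES = {
    "EU GDPR": (30, False, 60),
    "UK GDPR": (30, False, 60),
    "CCPA": (45, False, 45),
    "LGPD": (15, False, 0),
    "Korea PIPA": (10, False, 0),
    "Colombia Law 1581": (15, True, 0),
    "Mexico LFPDPPP": (20, True, 0),
}


def _as_date(d):
    """Accept a date or an ISO 'YYYY-MM-DD' string."""
    return d if isinstance(d, date) else date.fromisoformat(d)


def add_working_days(start, n):
    """Advance n working days. Assumption: Monday-Friday only, no public-holiday calendar."""
    d = _as_date(start)
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


def due_date(jurisdiction, received, extended=False):
    """Deadline for a request. Assumption: the clock runs from the receipt date."""
    days, working, ext = DEADLINES[jurisdiction]
    if extended:
        if ext == 0:
            raise ValueError(f"{jurisdiction} permits no extension")
        days += ext
    received = _as_date(received)
    return add_working_days(received, days) if working else received + timedelta(days=days)


@dataclass
class DsarRecord:
    """One row of the DSAR register: the fields the text says an audit will ask for."""
    ref: str
    jurisdiction: str
    received: date
    scope: str
    identity_verified: Optional[date] = None
    extended_on: Optional[date] = None
    responded: Optional[date] = None
    exemptions: List[str] = field(default_factory=list)

    def extend(self, on):
        # The extension must be notified within the initial window, and only once.
        on = _as_date(on)
        if self.extended_on is not None:
            raise ValueError(f"{self.ref}: already extended")
        if on > due_date(self.jurisdiction, self.received):
            raise ValueError(f"{self.ref}: extension notified after the initial deadline")
        self.extended_on = on

    def due(self):
        return due_date(self.jurisdiction, self.received, self.extended_on is not None)

    def status(self, today):
        today = _as_date(today)
        if self.responded is not None:
            return "closed-late" if _as_date(self.responded) > self.due() else "closed"
        if today > self.due():
            return "overdue"  # the clock runs whether or not identity is verified yet
        if self.identity_verified is None:
            return "awaiting-verification"
        return "open"


def overdue(register, today):
    """References of every open request whose deadline has passed."""
    return [r.ref for r in register if r.status(today) == "overdue"]


def sample_register():
    """Constructed sample records (not real requests)."""
    r1 = DsarRecord("DSAR-0001", "EU GDPR", date(2024, 3, 1), "access (Art 15)",
                    identity_verified=date(2024, 3, 4))
    r2 = DsarRecord("DSAR-0002", "EU GDPR", date(2024, 3, 1), "access, all sub-processors",
                    identity_verified=date(2024, 3, 5))
    r2.extend("2024-03-20")  # complex request: notified within the first 30 days
    r3 = DsarRecord("DSAR-0003", "CCPA", date(2024, 2, 20), "deletion",
                    identity_verified=date(2024, 2, 21), responded=date(2024, 3, 28))
    r4 = DsarRecord("DSAR-0004", "Colombia Law 1581", date(2024, 3, 25), "access")
    return [r1, r2, r3, r4]


if __name__ == "__main__":
    today = "2024-04-05"
    for rec in sample_register():
        print(rec.ref, rec.jurisdiction, "due", rec.due(), rec.status(today))
    print("overdue:", overdue(sample_register(), today))
```

Run as-is it prints each record's due date and status as of 5 April 2024 and lists the overdue reference. A real deployment would back `DEADLINES` with the full table, add a holiday calendar for working-day regimes, and persist the register so the receipt, verification, extension and response dates survive as audit evidence.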
Refusing a request
You can refuse “manifestly unfounded or excessive” requests under GDPR Art 12(5). The threshold is high — repeated identical requests within short windows, or requests demonstrably aimed at disrupting operations. Refusal must explain why and state the right to complain to the supervisory authority.
Templates
See templates for response letters per jurisdiction.