Skip to content

Template · DSAR / DSR REPLY

DSR reply template · GDPR Article 15 access request

Subject-request response skeleton. Substitute every user-specific value before sending; an unredacted template sent to a data subject is a notifiable error.

Scope law GDPR Variables 23 to substitute Last reviewed
Editorial research — not legal advice
Procedural flow — universal across regimes 1 Request received Day 0 clock starts 2 Verify identity reasonable proof don't over-collect 3 Search systems all sub-processors retention horizons 4 Compile response categories · sources purposes · recipients 5 Deliver secure channel commonly-used format 6 Inform of rights complaint to regulator appeal mechanisms If complex or numerous requests Most regimes permit extension only if you notify the data subject within the original window.
Response windows by jurisdiction (Day 0 = request received) Day 0 d10 d15 d30 d45 d60 d90 PIPA Korea 10 days LGPD (Brazil) 15 days APPI (Japan) no fixed window PIPEDA (Canada) 30 days +30 days Quebec Law 25 30 days PDPA Singapore 30 days Swiss FADP 30 days AU Privacy Act 30 days GDPR (EU) 30 days +60 days UK GDPR 30 days +60 days DPDPA (India) 30 days CCPA / CPRA (CA) 45 days +45 days VCDPA (Virginia) 45 days +45 days TDPSA (Texas) 45 days +45 days Statutory window Extension on notice No fixed window (statute uses "without delay")
DSAR clock by regime — Day 0 = request received. Solid bar = primary statutory window. Dashed extension = where the regime permits one (notify before original deadline). Editorial reading; not legal advice.
Regime Response window Extension Statute Notes
PIPA Korea 10 days PIPA Art 35(3) Strict 10-day clock from receipt
LGPD (Brazil) 15 days LGPD Art 19 Confirmation immediate; full data within 15 days
APPI (Japan) No fixed window APPI Art 28 "Without undue delay" — no fixed statutory window
PIPEDA (Canada) 30 days +30 days PIPEDA Sched 1, 4.9.4 Extension permitted; must notify within original window
Quebec Law 25 30 days Quebec L25 Art 33 30 days from receipt; no statutory extension
PDPA Singapore 30 days PDPA s.21 Within 30 days; refusal must be in writing
Swiss FADP 30 days FADP Art 25(3) Statute uses "as soon as possible"; OFDP guidance ~30d
AU Privacy Act 30 days AU APP 12.4 "Reasonable time" per APP 12; OAIC standard ≈30 days
GDPR (EU) 30 days +60 days GDPR Art 12(3) 1 month, extendable by 2 months for complex/numerous requests
UK GDPR 30 days +60 days UK GDPR Art 12(3) Same clock as GDPR; ICO enforces
DPDPA (India) 30 days DPDPA s.11–13 Draft rules consultation 2025; expected reasonable time
CCPA / CPRA (CA) 45 days +45 days Cal. Civ. Code §1798.130(a)(2) 45-day window; extension permitted on notice
VCDPA (Virginia) 45 days +45 days Va. Code §59.1-577 Same 45-day clock; extension on notice
TDPSA (Texas) 45 days +45 days Tex. Bus. & Com. Code §541.054 Same 45-day clock; extension on notice

Build your DSAR procedure to the strictest applicable clock for the jurisdictions you cover.

Template body

23 placeholders · 13 sections

Subject: Re: Data Subject Access Request — {{ticket_id}}

Dear {{requestor_name}},

Thank you for your request received on {{request_received_date}}. This is our response under GDPR Article 15.

Identity verification

We verified your identity via {{identity_method}} on {{identity_verified_date}}. Thank you for cooperating.

What we hold about you

Account data

Field Value
Email {{user_email}}
Account created {{account_created}}
Last login {{last_login}}
Account status {{account_status}}

Activity data

{{activity_summary}}

Communications

We have the following correspondence on file: {{correspondence_list}}

Sub-processors with access

{{sub_processors_list}}

Retention

{{retention_per_category}}

Categories of data we don't have

For completeness: we do not hold any of the following about you — payment card details (handled exclusively by {{payment_processor}}), biometric data, health data, racial/ethnic origin, political opinions.

Source of data

All data was collected directly from you via the service interface, except {{enrichment_sources_or_none}}.

Recipients of data

We have shared your data with the sub-processors listed above. We have not sold or transferred your data to third parties for their independent use.

International transfers

{{transfer_summary}}

Your other rights (Articles 16–22)

  • Rectification (Art 16) — reply to this email with corrections
  • Erasure (Art 17) — right to be forgotten in defined circumstances
  • Restriction (Art 18) — pause processing while a dispute is resolved
  • Portability (Art 20) — we can export your data in JSON format
  • Object (Art 21) — to processing based on legitimate interest

Right to complain

You may lodge a complaint with your supervisory authority. For your jurisdiction ({{user_jurisdiction}}), the contact is: {{dpa_contact}}.

If you believe any of this information is incorrect or incomplete, please reply within 14 days.

Best regards, {{dpo_name}} Data Protection Officer {{controller_name}} {{dpo_email}}

Sent in response to ticket {{ticket_id}} on {{response_date}}. Response delivered within the standard one-month GDPR Art 12(3) timeframe ({{days_taken}} days). For complex or numerous requests, Art 12(3) permits a further two-month extension; if used, the controller must notify the data subject within the first month with reasoning.

Variables to substitute

Replace each {{token}} in the body before deploying.

VariableType
{{dpo_name}} string
{{dpo_email}} string
{{ticket_id}} string
{{days_taken}} int
{{last_login}} datetime
{{user_email}} string
{{dpa_contact}} string
{{response_date}} date
{{account_status}} string
{{requestor_name}} string
{{account_created}} date
{{controller_name}} string
{{identity_method}} string
{{activity_summary}} string
{{transfer_summary}} string
{{payment_processor}} string
{{user_jurisdiction}} string
{{correspondence_list}} string
{{sub_processors_list}} string
{{request_received_date}} date
{{identity_verified_date}} date
{{retention_per_category}} string
{{enrichment_sources_or_none}} string
How to use this template · Methodology

Adapt, then deploy. Editorial reading as of 2026-05-05; not legal advice. This template is a starting point — drafted against the named statute and the relevant regulator's published guidance, not your specific facts.

Substitute every placeholder. Tokens like {{controller_name}} must be replaced with your concrete values. Leaving placeholders unsubstituted is a recurring failure mode in published compliance documents; reviewers and regulators tend to read partially-completed disclosures as a documentation problem in itself.

Verify the assumptions. The "Assumes" block above lists the prerequisites we drafted against. If your facts differ — different processor list, different audience, different sub-processors — adapt the template, don't deploy it as-is.

Counsel review before going live. Templates are scaffolding, not finished artefacts. Route the final pass through counsel admitted in the jurisdiction where you operate.

Full methodology → · All templates → · Scope law: GDPR →

Editorial research, not legal advice. SetupAnalytics is a free, ad-free public utility maintained by independent editors. This template does not establish a lawyer-client relationship and is not warranted for accuracy or currency. Consult qualified counsel admitted in the relevant jurisdiction for any specific deployment. Report an inaccuracy →