DSAR: What is a data subject access request? [2026 guide]

March 3, 2026 · 9 min read

A data subject access request (DSAR) is a formal request made by an individual to an organization to disclose what personal data it holds about them, why it is being processed, who it has been shared with, how long it will be retained, and whether it is subject to automated decision-making.

DSARs are a legal right established by GDPR Article 15 and recognized in various forms by US state privacy laws including CCPA, VCDPA, CPA, UCPA, and CTDPA.

A DSAR gives individuals the legal right to know what personal data an organization holds about them and how it's being used. Organizations typically have 30–45 days to respond, depending on the applicable law. DSARs are a subset of data subject requests (DSRs), which also cover deletion, correction, and portability rights.

Key terms

  • Data subject access request (DSAR): A formal request from an individual asking an organization to disclose what personal data it holds, how it's used, who it's shared with, and how long it's retained.
  • Data subject request (DSR): A broader term covering all privacy rights requests an individual can make, including access, deletion, correction, and portability.
  • Data controller: Under GDPR, the entity that determines the purposes and means of processing personal data — typically the organization receiving the DSAR.
  • Right to access: The legal right that gives individuals the ability to request a copy of their personal data and information about how it is being used.
  • Supervisory authority: A national regulatory body responsible for enforcing data protection law — for example, the ICO in the UK or the CNIL in France.
  • DSAR automation: The use of software to automatically receive, verify, route, and fulfill data subject access requests across an organization's systems, eliminating manual steps and reducing compliance risk.

Table of Contents

  1. What is a data subject access request (DSAR)?
  2. What is the difference between a DSAR and a DSR?
  3. How does GDPR define data subject access requests?
  4. Which US state privacy laws give consumers the right to submit a DSAR?
  5. What are DSAR best practices organizations should follow?
  6. How do you fulfill a data subject access request step by step?

What is a data subject access request (DSAR)?

A data subject access request (DSAR) is a formal request from an individual, protected by an applicable privacy law, asking an organization to disclose the personal data it holds about them.

Though the term DSAR originated with the General Data Protection Regulation (GDPR), the underlying right, the right to access, is now recognized by privacy laws across the US, UK, and beyond. US state privacy laws don't always use the term "data subject" (that language is specific to GDPR), but the practical application is the same.

Under most privacy laws, a DSAR can require an organization to disclose:

  • What personal data they hold about the individual
  • Why that data is being processed
  • What categories of personal data are involved
  • Whether the data has been shared with third parties, and if so, who
  • How long the data will be stored and how that decision was made
  • How the organization obtained the data, if not directly from the individual
  • Whether the data is subject to automated decision-making or profiling, and how that affects the individual

What is the difference between a DSAR and a DSR?

A data subject access request (DSAR) refers specifically to the right to access, i.e., the right to see what personal data an organization holds. A data subject request (DSR) is a broader term covering the full range of privacy rights an individual can exercise.

Most modern privacy laws grant consumers some combination of the following rights, all of which fall under the DSR umbrella:

  • Right to access (DSAR): The right to request a copy of personal data an organization holds, along with information about how it's being used. This is what a DSAR specifically refers to.
  • Right to deletion: The right to request that an organization delete the personal data it holds. Also referred to as the right to erasure under GDPR.
  • Right to correction: The right to request that an organization correct inaccurate or incomplete personal data it holds about the individual.
  • Right to portability: The right to receive personal data in a format that is easy to read and transmit, allowing individuals to move their data between services. Not all US state privacy laws include this right (Utah's UCPA, for example, does not).
  • Right to opt out: The right to opt out of certain types of data processing, such as the sale of personal data or its use in targeted advertising.

How does GDPR define data subject access requests?

GDPR Article 15 is the foundational legal basis for data subject access requests. It establishes that individuals have the right to obtain confirmation from an organization as to whether their personal data is being processed—and if so, to access that data along with specific information about how it's being used.

Under Article 15, an individual can request:

  • Confirmation of whether their data is being processed
  • Access to a copy of the personal data being processed
  • The purposes for which the data is being processed
  • The categories of personal data involved
  • Whether their data has been shared with third parties, and the identity of those parties
  • The intended retention period, or the criteria used to determine it
  • How the organization obtained the data, if not directly from the individual
  • Whether their data is subject to automated decision-making or profiling, and the logic involved

Once a valid request is received, organizations, referred to as "data controllers" under GDPR, must provide a copy of the personal data being processed, along with any requested information from the list above.

Individuals who are unsatisfied with an organization's response have the right to lodge a complaint with their country's data protection authority (DPA) or other supervisory authority.

Which US state privacy laws give consumers the right to submit a DSAR?

Each comprehensive US state privacy law establishes various consumer rights, including the ability to access, correct, and delete personal data held by companies. While US state laws don't use the term "data subject" (that language is specific to GDPR), the practical effect is the same: consumers can request a copy of the personal data an organization holds about them, and the organization must respond within a defined timeframe.

State privacy legislation has grown rapidly. California passed the first comprehensive US state privacy law in 2018. Virginia and Colorado followed in 2021, then Utah and Connecticut in 2022. In 2023, seven more states passed laws: Delaware, Indiana, Iowa, Montana, Oregon, Tennessee, and Texas. In 2024, seven more followed: New Hampshire, New Jersey, Kentucky, Maryland, Minnesota, Nebraska, and Rhode Island.

Twenty states had comprehensive privacy laws in effect by the end of 2025, with more than a dozen additional states actively considering legislation for 2026 and beyond.

Most states grant consumers a core set of rights including the ability to access, delete, and correct personal data; request copies of their data (data portability); and opt out of targeted advertising, the sale of personal data, and certain types of profiling. There are notable exceptions: Iowa's law does not provide consumers with the right to correct inaccurate data or to opt out of processing for targeted advertising.


What are DSAR best practices organizations should follow?

Regardless of which regulations apply to your organization, three principles should guide every DSAR program.

Send data in a format that's easy to read and understand

This requirement is consistent across all major privacy regulations. Data must be returned in a format the average person can read without specialized software or technical knowledge. If your team would struggle to interpret the output, it's unlikely to meet the standard.

Verify identity before sending data

Organizations are required to respond promptly, but they're also responsible for maintaining data security. Sending personal data to the wrong person, or to a bad actor impersonating a legitimate requestor, creates significant liability.

Effective identity verification practices include:

  • Secure intake forms rather than email, with fixed fields and CAPTCHA to filter fraudulent requests
  • Two-factor authentication (2FA) before processing, particularly for deletion requests
  • Account login requirements where appropriate, adding an additional layer of verification before data is released

Automate your DSAR process

Manual DSAR fulfillment is feasible at very low volumes. As request volumes grow, manual processes introduce compounding risk: slower response times, higher error rates, increased security exposure, and significant resource drain on legal, engineering, and customer experience teams.

DSAR automation addresses all of these by:

  • Minimizing manual steps and human error
  • Enforcing consistent identity verification across every request
  • Automatically locating and collating data across connected systems
  • Reducing the risk of missed deadlines and non-compliance

How do you fulfill a data subject access request step-by-step?

Fulfilling a DSAR typically requires coordination across customer experience, engineering, data, and legal teams. The exact steps depend on your data ecosystem and the privacy infrastructure you have in place — but three foundational steps apply to every DSAR process.

A note before you start: Successful DSAR fulfillment assumes the existence of a complete, up-to-date data map. Without knowing where personal data lives across your systems, Step 2 becomes significantly more complex. If your data map is incomplete, address that first.

Step 1: Verify user identity and confirm request validity

Before processing any request, confirm the requestor is who they claim to be. Failure to do so risks sending sensitive personal data to the wrong person — a data breach in its own right.

Best practice is to use a secure intake form with two-factor authentication rather than accepting requests by email. For high-sensitivity requests like deletion, requiring account login adds an additional verification layer.

Step 2: Locate and collate data across all systems

This is where DSAR fulfillment becomes operationally complex. You need to identify every system — every database, SaaS application, data warehouse, and third-party tool — where the individual's personal data may exist, then locate and extract that data from each one.

For organizations with automated DSAR tooling, each connected system is queried automatically. For organizations relying on manual processes, this means querying each system individually — and for third-party SaaS tools, it may mean reaching out to vendors directly and waiting for responses.

This is why automated tooling becomes essential as request volumes grow. A manual process that's manageable at ten requests a month becomes untenable at a hundred.

Step 3: Package and deliver data in a readable, transmittable format

Once all data is collected, package it in a format the individual can easily read and use. Regulatory guidance is consistent: the format cannot require specialized software or technical knowledge to interpret.

Plain formats like CSV, PDF, or structured JSON with a human-readable summary are generally appropriate. Whatever format you choose, test it against a non-technical standard — if someone without a data background can read and understand it, you're in good shape.
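The three steps above as a minimal pipeline, added here as an illustration and not taken from the article or from any vendor's product. The system names, sample records, and function names are hypothetical and constructed; the one-time code stands in for the second factor and is returned directly instead of being sent to the contact on file.

```python
import hmac, json, secrets, time

# Constructed sample stores standing in for real systems (all names hypothetical).
CRM = {"ana@example.com": {"name": "Ana Diaz", "plan": "pro"}}
BILLING = {"ana@example.com": {"last4": "4242", "country": "ES"}}

def vendor_lookup(email):
    raise TimeoutError("vendor has not answered yet")  # simulated third-party SaaS tool

DATA_MAP = {"crm": CRM.get, "billing": BILLING.get, "email_vendor": vendor_lookup}
_codes = {}  # email -> (one-time code, expiry timestamp)

def issue_code(email, ttl=600, now=None):
    """Step 1a: create a one-time code for the contact already on file."""
    code = f"{secrets.randbelow(10**6):06d}"
    _codes[email] = (code, (now or time.time()) + ttl)
    return code

def verify_code(email, submitted, now=None):
    """Step 1b: single-attempt, expiring code checked in constant time."""
    code, expiry = _codes.pop(email, ("", 0.0))  # pop: one guess per issued code
    fresh = (now or time.time()) <= expiry
    return fresh and hmac.compare_digest(code.encode(), submitted.encode())

def fulfill_dsar(email, submitted_code, data_map=DATA_MAP):
    if not verify_code(email, submitted_code):  # no data leaves before verification
        return {"status": "rejected", "reason": "identity not verified"}
    found, pending = {}, []
    for system, lookup in data_map.items():  # Step 2: walk every system in the data map
        try:
            record = lookup(email)
        except Exception:
            pending.append(system)  # record the gap for follow-up, never drop it silently
            continue
        if record:
            found[system] = record
    summary = [f"{s}: " + ", ".join(f"{k} = {v}" for k, v in r.items()) for s, r in found.items()]
    return {"status": "partial" if pending else "complete", "subject": email,
            "summary": summary, "pending_systems": pending, "data": found}

def to_json(package):
    """Step 3: structured JSON that carries the human-readable summary with it."""
    return json.dumps(package, indent=2, ensure_ascii=False)
```

A package with status "partial" lists the systems that still owe a response, so the request is not closed while a vendor reply is outstanding.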

Automate DSAR fulfillment with Transcend

Transcend DSR Automation is the easiest and most comprehensive way to delete, return, or modify a person's data or preferences across your entire tech stack.

Get started with Transcend DSR Automation in minutes and cut privacy request processing costs by up to 80%. Access prebuilt workflows and zero-code customization to fully automate data requests, no humans required.

Explore our Docs Library to learn how DSAR fulfillment works with Transcend.


By Morgan Sullivan

Senior Marketing Manager II, Strategic Accounts
