Data subject access request

A data subject access request (DSAR) is a formal request made by an individual to an organization asking what personal data the organization holds about them, how that data is being used, who it has been shared with, and how long it will be retained. DSARs are a legal right established under modern privacy regulations, including the General Data Protection Regulation (GDPR) in Europe and a growing number of US state privacy laws.

What information can a DSAR request cover?

A DSAR can require an organization to disclose:

  • What personal data it holds about the individual
  • Where and how that data was collected
  • The purpose for which it's being processed
  • How long it will be stored
  • Whether it has been shared with third parties, and if so, who
  • Whether it has been used in automated decision-making

DSAR vs. DSR: What's the difference?

A data subject access request (DSAR) specifically refers to a request for access — the right to see what data a company holds. A data subject request (DSR) is a broader term that encompasses all privacy rights requests an individual can make, including:

  • Right to access — see what data is held (DSAR)
  • Right to erasure — request deletion of personal data
  • Right to correction — update inaccurate data
  • Right to portability — receive data in a transferable format
  • Right to opt out — stop certain types of data processing

What are the response requirements for a DSAR?

Response deadlines vary by regulation:

  • GDPR: Organizations must respond within 30 calendar days, extendable by two additional months for complex requests
  • CCPA/CPRA: Organizations must respond within 45 days, extendable to 90 days with notice
  • UK GDPR: 30 calendar days, consistent with EU GDPR

In all cases, responses must be provided free of charge and delivered in a format that is easy to read and transmit.

Why do DSARs exist?

DSARs are a byproduct of modern privacy legislation built on the principle that individuals have the right to know how their personal data is being used. GDPR, enacted in 2018, established this right across the EU and set a global precedent that US state laws — including CCPA, VCDPA, and CPA — have since followed.
