GDPR Subject Access Request: How to Answer a DSAR Lawfully

A DSAR (Data Subject Access Request) under Art. 15 GDPR must be answered within 30 days. We walk you through the 8-step workflow from identity verification to data extraction and redaction, and which grounds for refusal are legally defensible.

Julian Köhn
Read time: 10 minutes

DSARs (Data Subject Access Requests under Art. 15 GDPR) have become a regulatory baseline for every data-processing organisation in 2026. Missing the 30-day deadline or answering incompletely doesn't just trigger complaints, it triggers real fines. The Berlin Data Protection Commissioner has issued seven-figure fines repeatedly in recent years, often triggered by unanswered or incomplete subject access requests.

This guide walks you through the full workflow: from intake through identity verification, data extraction and redaction, to a legally sound answer or refusal. It comes with concrete templates, deadline arithmetic and the most relevant fine cases.

A DSAR is a request from an individual asking an organisation to disclose how it processes their personal data. The GDPR groups seven distinct rights under the umbrella of data subject rights:

Article | Right         | What the person can demand
Art. 15 | Access        | A copy of their processed data plus metadata (purposes, recipients, storage duration, source).
Art. 16 | Rectification | Correction of inaccurate or incomplete data.
Art. 17 | Erasure       | Deletion of their data ("right to be forgotten").
Art. 18 | Restriction   | Blocking processing instead of deletion.
Art. 19 | Notification  | Informing all recipients about rectification, erasure or restriction.
Art. 20 | Portability   | Machine-readable export of the data.
Art. 21 | Objection     | Stop of processing under legitimate interest or direct marketing.

In common usage, "DSAR" covers all seven rights. Operationally, the access right under Art. 15 is by far the most frequent and labour-intensive case, because it requires a complete data sweep across all systems.

Who must respond and within what deadline?

The obligation falls on the controller as defined in Art. 4(7) GDPR, the entity that decides on purposes and means of processing. Processors (e.g. SaaS providers) forward DSARs to the controller and support the response.

The deadline is hard-coded:

  • 1 month from receipt of the request (Art. 12(3) sentence 1).
  • An extension of 2 additional months is possible if the request is complex or large in volume. The extension must be communicated within the first month, including reasoning.

The clock starts on the day of receipt. If the request arrives on March 3, the deadline ends on April 3 at midnight. If the deadline falls on a weekend or public holiday, it shifts to the next business day.
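The deadline rule above, worked through in Python as an added example (not code from the original article): one month from receipt, weekend and holiday shift to the next business day, and the two-month extension. The holiday set is constructed for illustration, and the end-of-month rule (a receipt on 31 January ends on the last day of February) is an assumption the article does not state.

```python
import calendar
from datetime import date, timedelta

# Constructed sample holiday set (two German public holidays in 2025); replace
# with the calendar that applies to your controller's seat.
PUBLIC_HOLIDAYS = {date(2025, 5, 1), date(2025, 10, 3)}


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic. Assumption (not stated in the article): if the
    target month has no such day (e.g. 31 Jan + 1 month), use its last day."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def next_business_day(d: date, holidays=PUBLIC_HOLIDAYS) -> date:
    """Shift a date that falls on a weekend or public holiday to the next business day."""
    while d.weekday() >= 5 or d in holidays:
        d += timedelta(days=1)
    return d


def dsar_deadlines(received: date, extended: bool = False, holidays=PUBLIC_HOLIDAYS) -> dict:
    """Compute the Art. 12(3) deadlines counted from the day of receipt.

    - respond_by: one month after receipt, or three months if an extension applies
    - extension_notice_by: the extension (with reasoning) must be sent within the first month
    """
    first_month = next_business_day(add_months(received, 1), holidays)
    respond_by = first_month
    if extended:
        respond_by = next_business_day(add_months(received, 3), holidays)
    return {
        "received": received,
        "respond_by": respond_by,
        "extension_notice_by": first_month,
    }


if __name__ == "__main__":
    # The article's own example: received 3 March, answer due 3 April.
    print(dsar_deadlines(date(2025, 3, 3)))
```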

The 8-step workflow for answering a DSAR

The sequence below has proven itself in practice. It covers both inbound emails from individuals and standardized web-form requests from enterprise customers.

Step 1: Intake and acknowledgment

When a request comes in, document:

  • Date and time of receipt (for deadline calculation).
  • Channel of intake (email, web form, letter, phone, in person).
  • Requesting person and claimed identity.
  • Specific right invoked (access, deletion, portability).

Send an acknowledgment within 72 hours. While not legally required, it builds trust, documents your responsiveness and reduces the risk of follow-up complaints to the supervisory authority.

Step 2: Identity verification

Before disclosing any data, you must verify that the requester is actually the data subject. Otherwise you risk committing a GDPR breach yourself through unauthorised disclosure.

The depth of verification scales with data sensitivity and must remain proportionate:

  • Existing customer accounts: Login to the customer portal usually suffices.
  • Email requests without account: Confirmation link to the email address on file.
  • Sensitive data (health, financial, criminal record): Government ID or video-ident.

Supervisory authorities are explicit: excessive identity checks are themselves GDPR breaches. You may not demand an ID copy if identity can be established by less intrusive means.

Step 3: Scope clarification with the requester

A blanket "send me everything you have" is permissible, but the GDPR allows you to ask the requester which specific processing they mean. This significantly speeds up handling and cuts your effort.

Example: "You requested access to your data. To respond quickly and completely, please specify whether you mean your orders, your newsletter account or all processing activities in general."

The deadline still runs from the original receipt, but you gain clarity for the data sweep.

Step 4: Data extraction across all systems

This is operationally the hardest step. You must query every system that may hold personal data of the person:

  • CRM (customer master data, tickets, communication history)
  • ERP (orders, invoices, payments)
  • Marketing automation (newsletters, tracking, segmentation)
  • Support (helpdesk tickets, live chats)
  • HR (for employees or applicants)
  • Backups and archives (often forgotten)
  • Logs and audit trails (IP addresses, access timestamps)
  • Third parties and processors (cloud providers, payment processors)

Without a central record of processing activities (RoPA, Art. 30 GDPR), this step fails. The RoPA isn't just a legal obligation, it's the operational prerequisite for any DSAR response.

Step 5: Redaction (protect third-party rights)

Before disclosure, you must protect the rights of third parties (Art. 15(4) GDPR). If a customer ticket contains notes about other customers, those must be redacted. If email correspondence names employees, their names must be redacted unless they acted in their official capacity.

Typical content to redact:

  • Names, email addresses and phone numbers of third parties
  • Internal assessments about other people
  • Trade secrets of third parties
  • Criminal record or investigation data

Documenting the redaction is mandatory. Tell the requester that content was redacted and why, without disclosing the redacted content itself.

Step 6: Preparation of the response

Per Art. 12(1) GDPR, the response must be in concise, transparent, intelligible and easily accessible form. Translation: no legalese, no Excel mass dumps, but structured, readable documents.

Recommended structure:

  1. Cover letter referencing the request and listing attachments.
  2. Overview of processing purposes (Art. 15(1)(a)).
  3. Categories of personal data (b).
  4. Recipients or categories of recipients (c).
  5. Planned storage duration or criteria (d).
  6. Reference to rights (rectification, erasure, complaint; Art. 15(1)(e) and (f)).
  7. Source of data, if not collected directly (g).
  8. Automated decision-making, if applicable (h).
  9. Annexes with the actual data, organized by system.

The response is free of charge (Art. 12(5) sentence 1). A reasonable fee is permissible only for manifestly unfounded or excessive requests, or for additional copies.

Step 7: Secure delivery

The response by definition contains personal data and must be transmitted accordingly:

  • Encrypted email (S/MIME or PGP) if the person supports it.
  • Password-protected ZIP with the password sent separately (minimum standard).
  • Secure download link with expiration and authentication.
  • Registered mail with delivery receipt as fallback.

Sending sensitive data via unencrypted email is a separate GDPR breach.

Step 8: Documentation and audit trail

You must be able to prove that you met the deadline and handled the request completely. That requires:

  • Timestamps for receipt, identity check, response delivery.
  • Reasoning for every redaction decision.
  • Delivery proof (email logs, registered mail receipts, download confirmations).
  • Retention of the complete case file for at least three years, ideally to the regular limitation period.

Supervisory authorities don't ask whether you responded in time. They ask whether you can prove you responded in time. Without an unbroken audit trail, you lose.

When may you refuse a DSAR?

Art. 12(5) sentence 2 GDPR allows two grounds for refusal:

1. Manifestly unfounded request. Example: The requester demands access to data demonstrably not held or processed by you.

2. Excessive request. Example: A person submits identical access requests monthly without any change in the data situation. Here you may charge a reasonable fee or refuse repeat processing.

Important: The burden of proof for "unfounded" or "excessive" lies with you. A refusal without proper documentation will typically be reversed by the supervisory authority.

Further restrictions arise from:

  • Art. 15(4) (third-party rights, see Step 5)
  • National exceptions under Member State law (in Germany: § 34 BDSG for research, professional secrecy, trade secrets)

In no case may you ignore a request without giving reasons. A refusal must also be communicated within the one-month deadline, including the reasoning and a notice of the right to lodge a complaint with the supervisory authority.

Fine cases: what happens for breaches?

Three real examples illustrating the risk:

Deutsche Wohnen, Berlin (2019, confirmed 2024). The Berlin Data Protection Commissioner imposed 14.5 million euros on Deutsche Wohnen for unlawful data retention and inadequate response to access requests. The case dragged on through 2024 and was reviewed multiple times in court. It is a textbook example that DSAR breaches are not minor.

H&M, Hamburg (2020). The Hamburg Data Protection Commissioner imposed 35.3 million euros on H&M for extensive employee surveillance. Trigger: subject access requests from staff that revealed how comprehensively personal data was being collected without their awareness.

Spotify, Sweden (2023). The Swedish Data Protection Authority imposed 5 million euros on Spotify because DSAR responses were incomplete and provided in English when the requesters had used Swedish. Lesson: the response must be in the language of the request.

Fines under Art. 83 GDPR can reach 20 million euros or 4 percent of global annual group turnover, whichever is higher.

Templates and resources

Usable templates aren't found at tool vendors (including us) but at supervisory authorities:

  • EDPB Guidelines 01/2022 on the right of access (very detailed)
  • BfDI (German Federal Data Protection Commissioner) sample letters
  • DSK Short Papers (especially No. 6 on the access right)

Beware of generic templates from marketing whitepapers. They are often outdated, miss national specifics or contain unenforceable clauses.

Where manual DSAR management fails

In practice: with Excel and email distribution lists, you'll miss the deadline. Three typical breaking points:

Data silos. The CRM admin, the ERP lead and the marketing manager work separately. Coordinating a DSAR across all three takes two weeks if no one runs a clear workflow. This is exactly why the hidden costs of manual compliance hit DSARs especially hard.

Backups forgotten. Backup systems are often hard to query. Excluding them from the DSAR sweep risks an incomplete response that later qualifies as a breach.

Redaction under time pressure. Anyone handling redactions on day 29 of the deadline misses third-party data. That in turn is a separate breach with its own fine exposure.

How Kopexa automates DSAR management

We built dedicated DSAR software for this:

  • Central inbox for DSARs from all channels, with automatic 30-day timer.
  • Identity verification integrated, with escalation for sensitive data.
  • Data extraction through connectors to CRM, ERP, marketing and cloud providers.
  • Redaction workflow with audit trail of every redaction decision.
  • Delivery via secure download links with authentication.
  • Unbroken audit trail for every deadline, action and reasoning.

DSAR management is only one part of your GDPR obligations. To keep your full GDPR catalog in view, you need integrated tooling. Your incident workflow for data breaches should also couple with DSARs directly, because confirmed breaches often trigger DSARs.

Bottom line: DSAR is duty, not nice-to-have

The GDPR gives you four weeks for a complete, readable and verifiable response. Recent fine practice shows that supervisory authorities take this seriously. A single unanswered DSAR is enough to trigger a complaint that can escalate into a fine.

The 8-step workflow above is the operational minimum. Anyone running it manually will eventually miss the deadline. Anyone running it on an integrated platform handles DSARs as routine and can focus on the work that makes compliance actually productive: risk management, awareness, supplier oversight.

If you want to see what the workflow looks like in practice, book a demo or take a closer look at our DSAR software.

Frequently Asked Questions

What is a DSAR?
DSAR stands for Data Subject Access Request, a GDPR access request under Art. 15. A person uses it to demand a copy of their processed data plus metadata such as processing purposes, recipients, storage duration and source. In a broader sense the term covers all data subject rights under Art. 15 to 22 GDPR: access, rectification, erasure, restriction, notification, portability and objection.
How long do I have to answer a DSAR?
The deadline is 1 month from receipt of the request (Art. 12(3) GDPR). For particularly complex or large requests, the deadline can be extended by another 2 months, but the extension must be communicated within the first month, including reasoning. If the deadline falls on a weekend or public holiday, it shifts to the next business day.
How do I verify the identity of a DSAR requester lawfully?
Identity verification must be proportionate. For existing customer accounts, login to the portal usually suffices. For email requests without an account, a confirmation link to the address on file is sufficient. Only for sensitive data such as health or financial data are ID copies or video-ident justified. Excessive identity checks are themselves GDPR breaches. The burden of proof for proportionality lies with the controller.
When may I refuse a DSAR?
Art. 12(5) GDPR allows two grounds for refusal: manifestly unfounded requests or excessive requests, such as identical monthly repetitions without any change in the data situation. Both grounds must be properly documented; the burden of proof lies with you. Additional restrictions arise from Art. 15(4) (third-party rights) and national exceptions like § 34 BDSG in Germany. A refusal must be communicated within the one-month deadline with reasoning and reference to the right to complain.
What does a DSAR response cost the controller?
For the requesting person, the first response under Art. 12(5) GDPR is free of charge. A reasonable fee is permissible only for manifestly unfounded or excessive requests, or for additional copies. On the company side, manual DSAR handling often takes 8 to 30 hours per request because data silos must be queried, content redacted and decisions documented. With automated DSAR software, that effort drops to 1 to 2 hours per request.
What data must I include in a DSAR response?
All personal data of the person from all systems: CRM, ERP, marketing automation, support tickets, backups, logs, processors. Plus metadata under Art. 15(1) GDPR: processing purposes, data categories, recipients or recipient categories, storage duration, reference to data subject rights, source of data and automated decision-making. The response must be in concise, transparent, intelligible and easily accessible form, no legalese, no unsorted Excel mass dumps.
How do I protect third-party rights in a DSAR response?
Art. 15(4) GDPR requires that the access response not adversely affect the rights and freedoms of others. In practice that means: names, contact details and assessments of third parties must be redacted unless they acted in their official capacity. Trade secrets, criminal record or investigation data of third parties must also be redacted. The redaction must be documented; the requester gets a notice that content was redacted and why, without disclosing the redacted content.
What fines apply for DSAR breaches?
Under Art. 83 GDPR up to 20 million euros or 4 percent of global annual group turnover, whichever is higher. Real examples: Deutsche Wohnen 14.5M EUR (Berlin 2019, repeatedly confirmed in court), H&M 35.3M EUR (Hamburg 2020), Spotify 5M EUR (Sweden 2023, because responses were in English instead of the language of the request). Even an incomplete or late response alone can trigger fines, not just the underlying unlawful data handling.

Sources

  1. Art. 15 GDPR: Right of access by the data subject
  2. Art. 12 GDPR: Transparent information
  3. EDPB Guidelines 01/2022 on the data subject right of access, European Data Protection Board
  4. BlnBDI Annual Report 2024: Deutsche Wohnen 14.5M EUR, Berlin Data Protection Commissioner