Sign In Sign Up

DSAR Templates

Ready-to-use templates to request your personal data

Ready to find out what data companies hold about you? Use these free templates to submit a Data Subject Access Request (DSAR) and exercise your legal right to access your personal information.

Before You Start: What You Need

Gather this information before submitting your request:

Required Information

  • Your full legal name — As it appears on your account or records
  • Email address(es) — All emails you've used with the company
  • Account username or ID — If you have an account with them
  • Your address — Especially for CCPA requests (to prove California residency)

Helpful to Have

  • Customer or member ID numbers
  • Phone numbers associated with the account
  • Date you first used the service
  • Any previous names or aliases used
  • Order numbers or transaction IDs

Where to Send Your Request

Check the company's privacy policy for:

  • A dedicated privacy email (often privacy@company.com or dpo@company.com)
  • An online privacy request form or portal
  • Data Protection Officer contact details
  • A mailing address for privacy inquiries

Tip: Many large companies (Google, Facebook, Apple, Amazon, Microsoft) have self-service data download tools. Search for "[company name] download my data" before submitting a formal request—you may get faster results.

How to Submit Your Request

Option 1: Email

The most common method. Copy the appropriate template below, fill in your details, and send it to the company's privacy contact.

  • Use the email address associated with your account if possible
  • Use a clear subject line: "Data Subject Access Request" or "CCPA Request to Know"
  • Request a delivery/read receipt if your email client supports it

Option 2: Online Form

Many companies have dedicated privacy portals. These often streamline verification and may provide faster responses. Look for links like:

  • "Privacy Center" or "Privacy Settings"
  • "Your Privacy Choices"
  • "Data Rights Request"
  • "Download Your Data"

Option 3: Physical Mail

Use certified mail with return receipt for documentation. This is slower but creates a clear paper trail. Include:

  • Your printed and signed request
  • A copy of ID if specifically required (redact sensitive numbers)
  • Your return address

After Sending

  1. Save a copy of your request with the date sent
  2. Note the deadline (30 days for GDPR, 45 days for CCPA)
  3. Set a calendar reminder to follow up if needed
  4. Watch for verification requests — respond promptly to avoid delays

GDPR Template (European Union & United Kingdom)

Use this template if you're an EU/UK resident or if the company is based in or does business in the EU/UK. Response deadline: 30 days.

Subject: Data Subject Access Request under GDPR

To the Data Protection Officer or Privacy Team,

I am writing to make a formal Data Subject Access Request under Article 15 of the General Data Protection Regulation (GDPR).

Please provide me with the following information:

  1. Confirmation of whether you are processing my personal data
  2. A copy of all personal data you hold about me, including:
    • Account information and profile data
    • Transaction and purchase history
    • Communications and correspondence
    • Activity logs and usage data
    • Any data obtained from third parties
    • Any inferred or derived data about me
  3. The purposes of the processing
  4. The categories of personal data concerned
  5. The recipients or categories of recipients to whom my data has been or will be disclosed
  6. The retention period for my data, or the criteria used to determine that period
  7. Information about the source of any data not collected directly from me
  8. Whether my data has been transferred outside the EU/EEA, and if so, the safeguards in place
  9. Information about any automated decision-making or profiling applied to my data, including the logic involved and the significance of such processing

My details for identification purposes:

  • Full name: [YOUR FULL NAME]
  • Email address(es): [YOUR EMAIL ADDRESS(ES)]
  • Account username: [YOUR USERNAME, IF APPLICABLE]
  • Customer/Member ID: [YOUR ID, IF KNOWN]
  • Address: [YOUR ADDRESS]
  • Phone number: [YOUR PHONE, IF USED WITH THIS SERVICE]

Please provide this information in a commonly used electronic format. I would prefer to receive the data via secure email or download link.

Under Article 12 of the GDPR, you are required to respond to this request within one month. If you need to extend this period, please inform me of the reasons for the delay.

If you require any additional information to verify my identity, please contact me as soon as possible. I am happy to provide reasonable verification, though I would note that any identity verification measures should be proportionate to the nature of the data held.

If you do not normally handle such requests, please forward this to your Data Protection Officer or the appropriate department immediately.

Thank you for your prompt attention to this matter.

Yours faithfully,

[YOUR FULL NAME]
[DATE]

CCPA/CPRA Template (California)

Use this template if you're a California resident. This exercises your "Right to Know" under the California Consumer Privacy Act. Response deadline: 45 days.

Subject: California Consumer Privacy Act - Request to Know

To whom it may concern,

I am a California resident exercising my Right to Know under the California Consumer Privacy Act (CCPA), California Civil Code Section 1798.100 et seq., as amended by the California Privacy Rights Act (CPRA).

I request that you provide me with the following information covering the 12-month period preceding this request:

  1. Categories of personal information collected: The categories of personal information you have collected about me
  2. Specific pieces of personal information: The specific pieces of personal information you have collected about me
  3. Sources: The categories of sources from which my personal information was collected
  4. Business purpose: The business or commercial purpose for collecting, selling, or sharing my personal information
  5. Third parties: The categories of third parties to whom you disclose my personal information
  6. Sales and sharing: If you have sold or shared my personal information:
    • The categories of personal information sold or shared
    • The categories of third parties to whom it was sold or shared
  7. Disclosures for business purposes: If you have disclosed my personal information for a business purpose:
    • The categories of personal information disclosed
    • The categories of recipients
  8. Sensitive personal information: If you collect sensitive personal information, the categories collected and purposes of use

My details for verification purposes:

  • Full name: [YOUR FULL NAME]
  • California address: [YOUR CALIFORNIA ADDRESS]
  • Email address(es): [YOUR EMAIL ADDRESS(ES)]
  • Account username: [YOUR USERNAME, IF APPLICABLE]
  • Phone number: [YOUR PHONE NUMBER]
  • Customer ID: [IF KNOWN]

Please provide my data in a portable and readily usable format.

Under the CCPA, you must acknowledge receipt of this request within 10 business days and provide a full response within 45 calendar days. If you require an extension, please notify me of the reasons.

Please note that the CCPA prohibits discrimination against consumers who exercise their privacy rights. I expect this request to have no impact on the price or quality of services I receive.

If you need additional information to verify my identity or residency, please contact me promptly.

Sincerely,

[YOUR FULL NAME]
[DATE]

General Template (Other Regions)

Use this template if you're outside the EU/UK/California, or if you're unsure which law applies. Many companies will honor reasonable data access requests regardless of your location.

Subject: Request for Access to My Personal Data

To whom it may concern,

I am writing to request access to all personal data your organization holds about me.

Specifically, I request:

  1. A complete copy of all personal data you have collected, stored, or processed about me
  2. Information about how my data has been used
  3. Details of any third parties with whom my data has been shared
  4. How long you retain my data
  5. The source of any data not collected directly from me
  6. Whether any automated decisions are made using my data

My identifying information:

  • Full name: [YOUR FULL NAME]
  • Email address(es): [YOUR EMAIL ADDRESS(ES)]
  • Account username: [YOUR USERNAME, IF APPLICABLE]
  • Address: [YOUR ADDRESS]
  • Phone number: [YOUR PHONE NUMBER]
  • Customer/Account ID: [IF KNOWN]

Please provide the information in electronic format via email or secure download.

I would appreciate a response within 30 days. If you require any additional information to locate my records or verify my identity, please contact me as soon as possible.

Thank you for your assistance.

Sincerely,

[YOUR FULL NAME]
[DATE]

Employer/HR Template

Use this template to request personal data from a current or former employer. This includes personnel files, performance reviews, internal communications about you, and more.

Subject: Data Subject Access Request - Employee Records

To the Human Resources Department / Data Protection Officer,

I am writing to make a formal request for access to my personal data held by [COMPANY NAME] in my capacity as a [current/former] employee.

Under [applicable law, e.g., "Article 15 of the GDPR" or "the California Consumer Privacy Act"], I request access to all personal data you hold about me, including but not limited to:

  1. Employment records:
    • My personnel file
    • Employment contract and any amendments
    • Job descriptions and role changes
  2. Performance data:
    • Performance reviews and appraisals
    • Goal-setting documents
    • Feedback received from managers, peers, or reports
    • Any performance improvement plans
  3. Communications:
    • Internal communications about me (emails, messages, notes)
    • HR notes and meeting records
    • Any complaints made by or against me
    • Investigation records involving me
  4. Compensation and benefits:
    • Salary history and pay records
    • Bonus and commission records
    • Benefits enrollment information
  5. Time and attendance:
    • Timekeeping records
    • Leave and absence records
    • Remote work or location data
  6. Training and development:
    • Training records
    • Certifications
    • Career development discussions
  7. Monitoring data:
    • Any data from workplace monitoring (email, internet, device usage)
    • Access logs (building entry, system access)
    • CCTV footage featuring me, if retained
  8. Exit data (if applicable):
    • Resignation or termination documentation
    • Exit interview notes
    • Reference information provided to third parties

My identifying information:

  • Full name: [YOUR FULL NAME]
  • Employee ID: [YOUR EMPLOYEE ID]
  • Department: [YOUR DEPARTMENT]
  • Dates of employment: [START DATE] to [END DATE or "present"]
  • Work email: [YOUR WORK EMAIL]
  • Personal email (for response): [YOUR PERSONAL EMAIL]
  • Manager name: [YOUR MANAGER'S NAME]

Please provide this information in electronic format. I understand that some information may need to be redacted to protect the privacy of other individuals, but I expect any such redactions to be minimal and clearly indicated.

Please respond within the legally required timeframe [30 days under GDPR / 45 days under CCPA]. If you require additional verification of my identity, please contact me.

Yours faithfully,

[YOUR FULL NAME]
[DATE]

Note: Employers may redact information about other employees or claim certain exemptions (legal privilege, ongoing investigations). However, they cannot refuse your request entirely or withhold data simply because it's inconvenient.

Data Broker Template

Use this template for data brokers—companies that collect and sell personal information without direct relationships with consumers. Common data brokers include Acxiom, Experian, Oracle Data Cloud, LexisNexis, and Spokeo.

Subject: Data Subject Access Request - Data Broker Records

To the Privacy Team,

I am writing to request access to all personal data you hold about me in your databases and data products.

I understand that your business involves collecting, aggregating, and licensing consumer data. Under [applicable law], I have the right to know what information you have compiled about me.

Please provide:

  1. All personal data you hold about me, including:
    • Identifying information (names, aliases, addresses, phone numbers, email addresses)
    • Demographic data (age, gender, household composition, income estimates)
    • Contact and location history
    • Consumer profiles and segments I've been placed in
    • Inferred interests, preferences, or characteristics
    • Purchase history or transaction data
    • Online activity or device data
    • Public records information
    • Any scores, ratings, or classifications applied to me
  2. The sources from which you obtained my data
  3. The categories of third parties to whom you have sold, licensed, or disclosed my data
  4. The purposes for which my data is used or sold
  5. How long you retain my data

Information to help locate my records:

  • Full name: [YOUR FULL NAME]
  • Previous names: [ANY PREVIOUS NAMES]
  • Current address: [YOUR CURRENT ADDRESS]
  • Previous addresses: [LIST PREVIOUS ADDRESSES FROM PAST 10 YEARS]
  • Date of birth: [YOUR DATE OF BIRTH]
  • Email addresses: [ALL EMAIL ADDRESSES YOU'VE USED]
  • Phone numbers: [CURRENT AND PREVIOUS PHONE NUMBERS]

I understand you may require identity verification. Please let me know what documentation you need, though I would ask that any verification requirements be proportionate and not themselves create additional privacy risks.

Please respond within the timeframe required by law. Following receipt of my data, I may submit additional requests regarding correction or deletion.

Sincerely,

[YOUR FULL NAME]
[DATE]

Major Data Brokers to Consider

You may want to submit requests to these companies:

  • Acxiom — aboutthedata.com
  • Oracle Data Cloud (BlueKai) — datacloudoptout.oracle.com
  • Experian — experian.com/privacy
  • Equifax — equifax.com/personal/privacy
  • TransUnion — transunion.com/privacy
  • LexisNexis — consumer.risk.lexisnexis.com
  • Spokeo — spokeo.com/optout
  • Whitepages/BeenVerified — Check their opt-out pages
  • Epsilon — epsilon.com/privacy

Follow-Up Template

Use this template if a company hasn't responded within the legal deadline, or if you've received an incomplete response.

Overdue Response

Subject: Overdue DSAR - Urgent Response Required [Reference: Original Request Date]

To whom it may concern,

I am following up on my Data Subject Access Request submitted on [ORIGINAL DATE].

Under [GDPR Article 12 / CCPA Section 1798.130], you were required to respond within [30/45] days. That deadline passed on [DEADLINE DATE], and I have not received a complete response.

Please note:

  • My original request was sent to [EMAIL/ADDRESS] on [DATE]
  • I received acknowledgment on [DATE, if applicable]
  • The response deadline was [DATE]
  • As of today, [CURRENT DATE], I have [not received any response / received only partial response]

I request that you:

  1. Immediately process my original request
  2. Provide all requested information within 7 days
  3. Explain the reason for the delay

If I do not receive a satisfactory response by [DATE - 7 DAYS FROM NOW], I will file a formal complaint with [the relevant supervisory authority, e.g., "the Information Commissioner's Office" / "the California Attorney General"].

For reference, my identifying information:

  • Full name: [YOUR FULL NAME]
  • Email: [YOUR EMAIL]
  • Original request reference: [IF ANY TICKET NUMBER WAS PROVIDED]

I expect your immediate attention to this matter.

Yours faithfully,

[YOUR FULL NAME]
[DATE]

Incomplete Response

Subject: Incomplete DSAR Response - Additional Information Required

To whom it may concern,

Thank you for your response dated [DATE] to my Data Subject Access Request.

However, after reviewing the materials provided, I believe the response is incomplete. Specifically:

Missing information:

  • [DESCRIBE WHAT'S MISSING - e.g., "I requested all communications about me, but only account data was provided"]
  • [ADDITIONAL MISSING ITEMS]
  • [ADDITIONAL MISSING ITEMS]

Questions about the response:

  • [ANY QUESTIONS - e.g., "The data provided only goes back to 2022, but I have been a customer since 2018. Where is the earlier data?"]
  • [ADDITIONAL QUESTIONS]

Under [applicable law], I am entitled to receive all personal data you hold about me. Please provide the missing information within 14 days.

If you believe you have provided all available data, please confirm this in writing and explain:

  • What systems were searched
  • Whether any data was withheld and the legal basis for doing so
  • The retention policy that explains any data that may have been deleted

Thank you for your attention to this matter.

Sincerely,

[YOUR FULL NAME]
[DATE]
Reference: [ORIGINAL REQUEST REFERENCE NUMBER]

Complaint Template

If a company refuses to comply or continues to ignore your request, you can file a complaint with the relevant data protection authority. This template helps you document the violation.

Subject: Formal Complaint - DSAR Non-Compliance by [COMPANY NAME]

To the [Data Protection Authority Name],

I wish to file a formal complaint against [COMPANY NAME] for failure to comply with my Data Subject Access Request under [applicable law].

Complainant Information:

  • Full name: [YOUR FULL NAME]
  • Address: [YOUR ADDRESS]
  • Email: [YOUR EMAIL]
  • Phone: [YOUR PHONE]

Company Information:

  • Company name: [COMPANY NAME]
  • Company address: [COMPANY ADDRESS, IF KNOWN]
  • Company website: [WEBSITE]
  • Privacy contact used: [EMAIL/ADDRESS YOU CONTACTED]

Timeline of Events:

  1. [DATE]: I submitted a DSAR to [COMPANY] via [email/form/mail]
  2. [DATE]: [What happened - e.g., "I received an acknowledgment with reference number XXX" or "I received no acknowledgment"]
  3. [DATE]: The legal response deadline passed
  4. [DATE]: I sent a follow-up request
  5. [DATE]: [Current status - e.g., "I still have not received a response" or "I received an incomplete response"]

Nature of the Violation:

[Describe what went wrong - e.g., "The company failed to respond within the 30-day deadline required by GDPR Article 12" or "The company provided only partial data and refused to explain what was withheld"]

Supporting Documentation:

I have attached the following documents:

  • Copy of my original DSAR dated [DATE]
  • Any acknowledgment received
  • Copy of my follow-up communications
  • Any response received from the company
  • [Any other relevant documentation]

Requested Action:

I request that you:

  1. Investigate this complaint
  2. Require [COMPANY NAME] to comply with my DSAR
  3. Take appropriate enforcement action

Thank you for your attention to this matter. Please contact me if you require any additional information.

Sincerely,

[YOUR FULL NAME]
[DATE]

Where to File Complaints

Region Authority Website
United Kingdom Information Commissioner's Office (ICO) ico.org.uk
Ireland Data Protection Commission dataprotection.ie
France CNIL cnil.fr
Germany BfDI (Federal) + State authorities bfdi.bund.de
Netherlands Autoriteit Persoonsgegevens autoriteitpersoonsgegevens.nl
California California Attorney General / CPPA oag.ca.gov/privacy
Canada Office of the Privacy Commissioner priv.gc.ca
Australia Office of the Australian Information Commissioner oaic.gov.au

Tips for Successful Requests

  • Use the right email: Send from the email address associated with your account. This speeds up verification significantly.
  • Be specific about what you want: While "all personal data" is valid, listing specific categories helps ensure nothing is overlooked.
  • Keep it professional: You're exercising a legal right, not making a complaint (yet). A neutral tone gets better results.
  • Don't over-explain: You don't need to justify why you want your data. It's your right.
  • Request electronic delivery: Specify that you want data via email or download, not physical mail.
  • Track everything: Keep copies of all communications with dates. You'll need this if you escalate.
  • Respond promptly to verification: Delays in your response can delay the company's deadline.
  • Don't accept unreasonable verification: If a company asks for excessive documentation, push back. Verification should be proportionate.
  • Review the response carefully: Companies sometimes provide incomplete data. Check that what you received matches what you know they should have.
  • Follow up: If the response seems incomplete, ask questions. If they miss the deadline, escalate.

Response Timeline Reference

Law Initial Deadline Maximum Extension Extension Conditions
GDPR (EU/UK) 30 days +60 days (90 total) Complex requests; must notify you within initial 30 days
CCPA/CPRA (California) 45 days +45 days (90 total) Reasonably necessary; must notify you
LGPD (Brazil) 15 days Varies Simplified response for simple requests
PIPEDA (Canada) 30 days +30 days (60 total) Must notify you if extension needed
VCDPA (Virginia) 45 days +45 days (90 total) Reasonably necessary; must notify you

What Happens Next

After you receive your data, you may want to:

  • Request corrections: If any data is inaccurate, submit a rectification request
  • Request deletion: If you want the company to delete your data, submit a separate erasure request
  • Opt out of sales: Under CCPA, you can request that your data not be sold
  • Withdraw consent: If processing is based on consent, you can withdraw it
  • Close your account: Armed with knowledge of what they have, you can make an informed decision
  • Monitor for changes: Track changes to the company's privacy policy to see if their practices evolve

Your DSAR is just the first step in taking control of your personal data.

Learn more about DSARs →

Track Privacy Policy Changes

After requesting your data, monitor how companies update their privacy practices. Get notified when policies change.

Start Tracking Free