A DSAR (Data Subject Access Request) is a formal request you can submit to any company asking them to reveal what personal data they hold about you. It's one of the most powerful privacy rights available to consumers—and most people don't know it exists.

DSAR in Plain English

Think of a DSAR as a legal demand that forces companies to open their files on you. When you submit one, the company must search their systems and provide you with a copy of your personal data, plus details about how they're using it.

The term comes from GDPR (the EU's privacy law), where you're called a "data subject"—the person whose data is being processed. But similar rights exist under California's CCPA (called a "Right to Know" request), Brazil's LGPD, and other privacy laws worldwide.

Regardless of what it's called in your jurisdiction, the core concept is the same: you have the right to know what information companies have collected about you.

Why Submit a DSAR?

People submit DSARs for many reasons:

  • Curiosity — Find out exactly what a company knows about you. The results are often surprising, revealing data you didn't know was being collected.
  • Verification — Check if a company is honoring its privacy policy. If they claim to collect "minimal data," a DSAR reveals the truth.
  • Preparation for deletion — Before requesting data deletion, you may want to see what exists and download anything you want to keep.
  • Dispute resolution — If you're in a disagreement with a company, knowing what data they hold can be valuable.
  • Employment matters — Access your personnel file, performance reviews, or internal communications about you.
  • Security concerns — After a data breach, verify what information may have been exposed.
  • Correcting errors — Identify inaccurate data so you can request corrections.
  • Legal proceedings — Gather evidence for potential legal action.

What You Can Request

A DSAR isn't just about getting a data dump. Under most privacy laws, you're entitled to specific information about how your data is handled:

The Data Itself

  • All personal information the company holds about you
  • Categories of data collected (identifiers, biometrics, geolocation, etc.)
  • The sources of that data (did you provide it, or did they get it elsewhere?)

How It's Being Used

  • The purposes for processing your data
  • How long they intend to keep it (retention periods)
  • Whether automated decision-making or profiling is being applied to you

Who Has Access

  • Categories of third parties your data has been shared with
  • Specific recipients, in some cases
  • Whether your data has been transferred internationally

Your Rights

  • Information about your right to request correction, deletion, or restriction
  • Your right to object to processing
  • Your right to lodge a complaint with a supervisory authority

Your Rights by Region

DSAR rights vary depending on where you live and where the company operates:

Region | Law | Response Deadline | Cost | Key Notes
European Union | GDPR | 30 days (extendable to 90) | Free (fees allowed for excessive requests) | Strongest protections; applies if company targets EU residents
United Kingdom | UK GDPR | 30 days (extendable to 90) | Free | Nearly identical to EU GDPR post-Brexit
California | CCPA/CPRA | 45 days (extendable to 90) | Free | Called "Right to Know"; covers businesses meeting revenue/data thresholds
Virginia | VCDPA | 45 days (extendable to 90) | Free | Similar to CCPA; effective 2023
Colorado | CPA | 45 days (extendable to 90) | Free | Similar to CCPA; effective 2023
Brazil | LGPD | 15 days | Free | Shorter deadline than most other laws
Canada | PIPEDA | 30 days | Free or minimal fee | Applies to private sector organizations

Even if you're not in one of these regions, you may still have rights if the company you're contacting operates there or targets customers there. A US resident can submit a GDPR request to a European company, for example.

How to Submit a DSAR

Step 1: Find the Right Contact

Check the company's privacy policy for:

  • A dedicated privacy or DSAR email address
  • A web form for privacy requests
  • The Data Protection Officer's contact information (required for many EU companies)
  • A mailing address for privacy inquiries

Many large companies now have privacy portals where you can submit requests and download your data directly (Google, Facebook, Apple, etc.). For smaller companies, email usually works.

Step 2: Prove Your Identity

Companies must verify you are who you claim to be before releasing personal data. Be prepared to provide:

  • Your full name and any aliases you may have used
  • Email addresses associated with your account
  • Account usernames or customer IDs
  • Potentially a copy of government ID (though you can push back on this if it seems excessive)

Step 3: Be Specific (But Not Too Specific)

You don't need to know exactly what data exists to request it. A general request for "all personal data you hold about me" is valid. However, being specific can help:

  • Speed up the process
  • Ensure nothing is overlooked
  • Target particular concerns (e.g., "all location data" or "any data shared with third parties")

Step 4: Reference the Relevant Law

Citing the specific regulation adds weight to your request and clarifies your legal standing. See the templates below.

Step 5: Keep Records

Document everything:

  • Screenshot or save a copy of your request
  • Note the date you submitted it
  • Save any confirmation or ticket numbers
  • Track the response deadline

Ready to Submit a DSAR?

We've created ready-to-use templates for GDPR, CCPA, and other privacy regulations. Just copy, customize with your details, and send.

What to Expect After Submitting

Acknowledgment

Most companies will confirm receipt within a few days. If you don't hear anything within a week, follow up.

Identity Verification

Expect the company to verify your identity before releasing data. This might involve:

  • Clicking a confirmation link sent to your email
  • Providing additional account details
  • Submitting identification documents
  • Answering security questions

Tip: If a company asks for excessive documentation (like a notarized ID for a simple request), push back. Verification should be proportionate to the sensitivity of the data.

The Response

Companies typically provide data in one of these formats:

  • Online portal download — You log in and download a file (common with large tech companies)
  • Email attachment — Data sent as PDF, CSV, or JSON files
  • Secure link — A temporary download link
  • Physical mail — Rare, but some companies still do this

Timeline

GDPR: 30 days, extendable to 90 for complex requests

CCPA: 45 days, extendable to 90 days

Most other laws: 30-45 days

Extensions require the company to notify you and explain why they need more time.

When Companies Can Refuse

DSARs aren't absolute. Companies can decline or limit their response in certain circumstances:

Legitimate Reasons for Refusal

  • Cannot verify your identity — They need to confirm you are who you claim to be
  • Request is manifestly unfounded or excessive — Repeated requests for the same data, or requests intended to harass
  • Data involves other people — Information that would reveal personal data about third parties may be redacted
  • Legal privilege — Attorney-client communications or legally privileged documents
  • Trade secrets — Proprietary algorithms or business-sensitive information (though they must still confirm they have your data)
  • Ongoing legal proceedings — In some cases, data relevant to litigation may be withheld

Red Flags

Be skeptical if a company:

  • Ignores your request entirely
  • Claims they "don't have any data" when you know they do
  • Provides only partial data without explanation
  • Charges a fee without legal basis
  • Misses the deadline without communicating
  • Makes the process unreasonably difficult

What If a Company Doesn't Comply?

If your DSAR is ignored or improperly handled, you have options:

1. Follow Up

Send a reminder citing the legal deadline. Sometimes requests get lost or delayed—a polite follow-up often resolves the issue.

2. Escalate Within the Company

Ask to speak with the Data Protection Officer or legal team. Reference your original request and the missed deadline.

3. File a Complaint

Report the company to the relevant supervisory authority:

  • EU: Your national Data Protection Authority (e.g., ICO in the UK, CNIL in France, BfDI in Germany)
  • California: California Attorney General's office
  • Other US states: State Attorney General
  • Canada: Office of the Privacy Commissioner

Complaints are free to file and can result in investigations, fines, and enforcement actions against the company.

4. Legal Action

In some jurisdictions, you can sue for damages resulting from DSAR violations. This is typically a last resort, but privacy laws increasingly provide for private rights of action.

Tips for Effective DSARs

  • Use the email address associated with your account — This speeds up verification and helps the company locate your data.
  • Be polite but firm — You're exercising a legal right, not asking a favor.
  • Keep it simple — Overly complex requests may be used as justification for delays.
  • Request electronic delivery — Specify that you want data in a commonly used electronic format.
  • Set a calendar reminder — Track the deadline so you can follow up promptly if needed.
  • Submit to multiple companies at once — If you're doing a personal data audit, batch your requests.
  • Don't be discouraged by verification requests — They're a legitimate security measure, even if inconvenient.
  • Review what you receive carefully — Companies sometimes provide incomplete data, hoping you won't notice.

What People Discover From DSARs

DSAR responses often reveal surprising information:

  • Inferred data — Predictions about your income, interests, political views, or purchase intent that you never provided
  • Historical data — Information from years ago you assumed was deleted
  • Third-party data — Information purchased from data brokers or received from partners
  • Tracking data — Detailed logs of your activity, location history, or browsing behavior
  • Internal notes — Customer service notes or flags on your account
  • Shadow profiles — Data collected about you before you even created an account
  • Sharing history — A list of third parties who received your data

These discoveries can inform whether you want to continue using a service, request deletion, or change how you interact with the company.

DSARs and Privacy Policy Monitoring

DSARs and privacy policies work together to give you a complete picture of how companies handle your data:

  • Privacy policies tell you what a company says it does with data
  • DSARs reveal what a company actually has and does

If there's a mismatch—for example, a privacy policy claims data is deleted after 30 days, but your DSAR reveals data from two years ago—that's a red flag worth investigating or reporting.

Tracking changes to privacy policies helps you understand when companies expand their data practices, which may prompt you to submit new DSARs to see how those changes affect your information.

Frequently Asked Questions

Does it cost money to submit a DSAR?
No. Under GDPR, CCPA, and most other privacy laws, companies must respond to DSARs for free. They can only charge fees if requests are "manifestly excessive"—and they must justify that determination.

Can I submit a DSAR to any company?
You can submit to any company that holds your personal data. Whether they're legally obligated to respond depends on applicable privacy laws. Companies subject to GDPR, CCPA, or similar regulations must comply. Others may respond voluntarily or may not respond at all.

How often can I submit DSARs?
There's no hard limit, but making repeated requests for the same information in a short period could be deemed "excessive" and give the company grounds to charge a fee or refuse. Annual requests are generally considered reasonable.

Will submitting a DSAR affect my relationship with the company?
Legally, companies cannot retaliate against you for exercising your privacy rights. In practice, most companies process DSARs routinely and it has no impact on your account or service.

Can I submit a DSAR on behalf of someone else?
Yes, but you'll need written authorization from that person, and the company will verify that authorization. Parents can typically submit on behalf of minor children.

What if the company says they have no data?
If you believe this is false, ask them to confirm they searched all relevant systems. If you have evidence they should have data (like account confirmation emails), provide it. If they still claim to have nothing, you can file a complaint with the relevant authority.

Is a DSAR the same as requesting my data be deleted?
No. A DSAR is a request to access your data. A deletion request (Right to Erasure under GDPR, Right to Delete under CCPA) is separate. You might submit a DSAR first to see what exists, then request deletion.

The Bottom Line

A DSAR puts you in control. It forces companies to reveal what they know about you, how they're using that information, and who else has access to it. The process can be eye-opening—and it's entirely free.

Whether you're curious about what a specific company has collected, preparing to delete your data, or simply exercising your rights as a matter of principle, a DSAR is a powerful tool in your privacy toolkit.

Start with the companies you interact with most. You might be surprised by what you find.
