Preserve the request
Keep the original wording, channel and received time. Route it to a named owner.
Right of access · Practical guide
A DSAR is a legal request, but most of the effort is operational: recognise it, confirm scope and identity appropriately, find the relevant records, review the result and preserve evidence of the response.
What is a data subject access request?
A data subject access request (DSAR) is a GDPR Article 15 request in which a person asks an organisation to confirm whether it processes their personal data, provide access to that data and explain the processing. The controller must act without undue delay and generally within one month of receiving the request.
The right, in plain English
Under Article 15 GDPR, an individual has the right to obtain confirmation of whether personal data concerning them is being processed and, where it is, access to the personal data and specified information about the processing. That information includes matters such as purposes, categories, recipients or recipient categories, envisaged storage period or criteria, and information about other rights.
The response is more than a raw database export. Records must be connected to a clear explanation, reviewed for scope and the rights of others, and delivered in an intelligible form. The appropriate result depends on the actual request and processing context.
Not legal advice: this page is an operational overview based on official EU materials. A controller should have a qualified person review the facts, applicable law and final response.
From inbox to response
The stages are stable; the decision inside each stage is case-specific. Record uncertainty instead of silently resolving it.
Keep the original wording, channel and received time. Route it to a named owner.
Separate access from erasure or other rights. Record clarifications without losing the original request.
Use what the organisation already knows; request additional information only where justified and necessary.
Translate email, account ID and billing identifiers into a source-by-source retrieval plan.
Preserve source context, identify gaps and keep an evidence trail of searches and exports.
Check third-party information, scope, applicable limitations, readability and response wording.
Use an appropriate secure channel, record the decision and apply the agreed case-retention rule.
Do not confuse the clocks
Article 12 requires action without undue delay and generally within one month. A justified extension can apply in specified circumstances. Trace proposes a much narrower operational target for accepted pilot cases: prepare the available materials for review within 24 hours.
The 24-hour target starts only after scope, access and operational capacity are confirmed. It does not guarantee completion, override legal timing or remove the need for identity and third-party review.
Read the EDPB’s official deadline explanation and the Trace operational deadline guide.
Common questions
A repeatable workflow should expose judgement calls, not pretend they have one universal answer.
A controlled first request
Trace is accepting applications for a limited concierge pilot. No live personal data should be submitted through the public application.