Right of access · Practical guide

Turn a data subject access request into a controlled workflow.

A DSAR is a legal request, but most of the effort is operational: recognise it, confirm scope and identity appropriately, find the relevant records, review the result and preserve evidence of the response.

What is a data subject access request?

A data subject access request (DSAR) is a GDPR Article 15 request in which a person asks an organisation to confirm whether it processes their personal data, provide access to that data and explain the processing. The controller must act without undue delay and generally within one month of receiving the request.

The right, in plain English

What does a DSAR ask an organisation to do?

Under Article 15 GDPR, an individual has the right to obtain confirmation of whether personal data concerning them is being processed and, where it is, access to the personal data and specified information about the processing. That information includes matters such as purposes, categories, recipients or recipient categories, envisaged storage period or criteria, and information about other rights.

The response is more than a raw database export. Records must be connected to a clear explanation, reviewed for scope and the rights of others, and delivered in an intelligible form. The appropriate result depends on the actual request and processing context.

Not legal advice: this page is an operational overview based on official EU materials. A controller should have a qualified person review the facts, applicable law and final response.

From inbox to response

A defensible seven-stage workflow.

The stages are stable; the decision inside each stage is case-specific. Record uncertainty instead of silently resolving it.

01 / RECOGNISE

Preserve the request

Keep the original wording, channel and received time. Route it to a named owner.

02 / CLASSIFY

Confirm the right and scope

Separate access from erasure or other rights. Record clarifications without losing the original request.

03 / IDENTITY

Assess identity proportionately

Use what the organisation already knows; request additional information only where justified and necessary.

04 / DISCOVER

Map systems and identifiers

Translate email, account ID and billing identifiers into a source-by-source retrieval plan.

05 / ASSEMBLE

Collect and organise records

Preserve source context, identify gaps and keep an evidence trail of searches and exports.

06 / REVIEW

Apply human judgement

Check third-party information, scope, applicable limitations, readability and response wording.

07 / RESPOND

Deliver and retain evidence

Use an appropriate secure channel, record the decision and apply the agreed case-retention rule.

Do not confuse the clocks

One month is the legal framework. Twenty-four hours is a preparation target.

Article 12 requires action without undue delay and generally within one month. A justified extension can apply in specified circumstances. Trace proposes a much narrower operational target for accepted pilot cases: prepare the available materials for review within 24 hours.

The 24-hour target starts only after scope, access and operational capacity are confirmed. It does not guarantee completion, override legal timing or remove the need for identity and third-party review.

Read the EDPB’s official deadline explanation and the Trace operational deadline guide.

Common questions

What changes from case to case.

A repeatable workflow should expose judgement calls, not pretend they have one universal answer.

What is a data subject access request?
It is a request by an individual to exercise the GDPR right of access. Under Article 15, the person can obtain confirmation of whether their personal data is being processed, access to that data and specified information about the processing.
Does a request need to say “DSAR” or cite the GDPR?
Article 12 requires controllers to facilitate the exercise of data-subject rights. A request should be assessed by its substance, not only by whether it uses a particular label. The organisation should have a route for recognising and escalating possible rights requests.
How long does an organisation have to respond?
The controller must act without undue delay and generally within one month. Where necessary because of complexity or number of requests, that period may be extended by two further months, with notice and reasons given within the first month. Timing and any extension should be reviewed for the specific case.
Can an organisation ask for identity information?
Where the controller has reasonable doubts about the identity of the person making the request, Article 12(6) permits it to request additional information necessary to confirm identity. The request should be necessary and proportionate to the doubt and risk.
Is every copy of every record disclosed?
Not automatically. Article 15 sets the right and required information, while the rights and freedoms of others must also be considered. Scope, third-party data, exemptions and the form of the response require authorised, case-specific review.

A controlled first request

Your next access request can begin with a mapped workflow.

Trace is accepting applications for a limited concierge pilot. No live personal data should be submitted through the public application.