- GDPR Article 15: individuals have the right to access their personal data free of charge
- You have one month from receipt to respond; extendable by a further two months for complex or numerous requests, provided you tell the requester within the first month
- You must search all systems — CRM, email, files, backups — not just the obvious ones
- Never disclose third-party personal data in your response; redact it carefully
A Data Subject Access Request (DSAR) is a formal request from an individual to receive a copy of all personal data your organisation holds about them, along with information about how it is being processed. Any person whose data you hold can submit one — including current and former employees, clients, prospects, and members of the public.
The right of access under GDPR Article 15 is one of the most commonly exercised data subject rights, and one of the most operationally demanding to fulfil correctly. Supervisory authorities across Europe regularly receive complaints about organisations that responded late, incompletely, or disclosed third-party data without redacting it.
What a DSAR response must include
When responding to a DSAR, you must provide:
- Confirmation of whether you process personal data about the individual
- A copy of the personal data itself
- The purposes of processing
- The categories of data concerned
- Recipients or categories of recipients to whom data has been disclosed
- The retention period or criteria used to determine it
- The individual's rights to rectification, erasure, restriction, and objection
- The right to lodge a complaint with a supervisory authority
- If data was not collected from the individual: information about the source
- If subject to automated decision-making, including profiling: meaningful information about the logic involved, and the significance and envisaged consequences for the individual
- If data has been transferred to a third country or international organisation: the safeguards relied on for the transfer
The one-month clock
GDPR Article 12(3) requires a response without undue delay and in any event within one month of receipt. The period is one calendar month, not 30 days and not 30 working days: a request received on 15 March is due by 15 April, and one received on 31 January is due by the last day of February. If the request is complex or you receive a high volume of requests from the same individual, you may extend the deadline by a further two months, but you must inform the individual within the first month that an extension is being taken and explain why.
The clock starts when you receive the request, not when you acknowledge it or when you start processing it. A request does not need to cite GDPR or use the words "subject access": requests made verbally, via social media, or by informal email all count, and any member of staff may receive one.
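The counting rule above, as an added example that is not code from the original page. It assumes the convention used by the ICO and by EU Regulation 1182/71 for periods expressed in months: the deadline falls on the same calendar date in the following month, or on the last day of that month where no such date exists, and rolls forward to the next working day if it lands on a Saturday, Sunday or public holiday. Public holidays differ by jurisdiction, so they are a parameter rather than hard-coded, and the extended deadline is taken as three months from receipt under the same rule.

```python
import calendar
from datetime import date, timedelta

def _add_months(d: date, months: int) -> date:
    """Same calendar date `months` on; if that date does not exist in the
    target month (e.g. 31 Jan + 1 month), the last day of that month."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))

def _next_working_day(d: date, holidays: frozenset) -> date:
    """Roll forward past weekends and any supplied public holidays."""
    while d.weekday() >= 5 or d in holidays:
        d += timedelta(days=1)
    return d

def dsar_deadlines(received: date, holidays: frozenset = frozenset()) -> dict:
    """Return the key dates for a request received on `received`.

    `received` must be the date the request arrived (in any form), not the
    date it was acknowledged or assigned. `holidays` is the caller's set of
    public holidays for the relevant jurisdiction (assumption: the rollover
    to the next working day applies, as ICO guidance states).
    """
    respond_by = _next_working_day(_add_months(received, 1), holidays)
    # An extension must be notified within the first month, so the latest
    # date to tell the requester is the same as the ordinary deadline.
    extended_by = _next_working_day(_add_months(received, 3), holidays)
    return {
        "respond_by": respond_by,
        "notify_extension_by": respond_by,
        "extended_respond_by": extended_by,
    }

def days_remaining(received: date, today: date, extended: bool = False) -> int:
    """Working-agnostic count of calendar days left (negative when overdue)."""
    key = "extended_respond_by" if extended else "respond_by"
    return (dsar_deadlines(received)[key] - today).days

if __name__ == "__main__":
    # Constructed sample: a request received on 31 January 2024 (a leap year)
    for received in (date(2024, 1, 31), date(2024, 5, 8)):
        print(received, dsar_deadlines(received, frozenset({date(2024, 6, 10)})))
```

Feed it the date on the original email or call note, not the ticket creation date; the month-end and weekend cases are exactly the ones that a "30 days" rule of thumb gets wrong.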
Where to search
A DSAR response must be comprehensive. You cannot limit the search to your primary CRM or one email account. Every system that might hold personal data about the individual must be searched:
- CRM and client management systems
- Email accounts (including shared mailboxes and archived mail)
- File servers and document management systems
- HR and payroll systems (for employee DSARs)
- Accounting and billing systems
- Call recording systems
- CCTV (if identifiable footage exists)
- Third-party processors — check your DPAs for data held by vendors
- Backup archives, where personal data about the individual exists only in backups and would otherwise be missing from the response
Practical tip: Maintaining a data map (record of processing activities) dramatically reduces DSAR response time. If you know exactly which systems hold which categories of data, you can search systematically rather than ad hoc.
Redacting third-party data
One of the most common DSAR mistakes is disclosing documents that contain personal data about other individuals. A client file, for example, may contain details of counterparties, references, or staff members. These third-party individuals have not made the request, and disclosing their data could itself be a GDPR violation.
Before sending any document, review it for third-party personal data and redact appropriately. The right of access is a right to a copy of the requester's personal data, not to the documents that contain it: where redaction would be so extensive that a document loses all meaning, consider providing the requester's own data extracted from it instead. Document each redaction decision and who made it.
When you can refuse or limit a DSAR
DSARs can be refused or limited in narrow circumstances:
- Manifestly unfounded or excessive requests — particularly repetitive requests clearly intended to harass; you must be able to demonstrate this
- Legal professional privilege — legal advice documents may be withheld on privilege grounds where applicable
- Prevention and detection of crime — some information relevant to fraud or criminal investigation may be withheld
- AML tipping-off — information that would disclose a SAR filing or ongoing investigation under AML legislation
If you refuse a request, you must inform the individual without delay, and at the latest within one month of receipt, of the reasons for the refusal and of their right to complain to the supervisory authority and to seek a judicial remedy.
Can we charge a fee for DSARs?
No, in most cases. Responses must be provided free of charge. An exception applies for manifestly unfounded or excessive requests — you may charge a reasonable fee or refuse to act, but you must be able to justify the characterisation.
What if we cannot identify the individual?
If you cannot verify the identity of the requester with reasonable certainty, you may ask for additional information to identify them. You should not request more information than is necessary. If identity remains unverifiable, you may be unable to comply — document this carefully.
Do employees have the same right as clients?
Yes. Employees (and former employees) have full DSAR rights under GDPR. Employee DSARs are often the most complex — they span HR systems, email, performance reviews, disciplinary records, and more.
Structured data = faster DSAR responses
HubSecure CRM and Vault keep all client personal data in one governed workspace — so when a DSAR arrives, you know exactly where to look.
Prepared by the HubSecure editorial team for operators, compliance leaders and IT reviewers evaluating secure client operations software.