Data Subject Access Request (DSAR)
A Data Subject Access Request (DSAR) allows individuals to request access to the personal data an organization holds about them, as well as information on how it is processed.
What is a Data Subject Access Request (DSAR)?
A Data Subject Access Request (DSAR) is a formal request made by an individual (data subject) to an organization asking for confirmation of whether their personal data is being processed, and if so, to receive a copy of that data.
DSARs are a core requirement under the GDPR, CCPA, and CPRA, empowering individuals to exercise control over their personal information.
Organizations must respond to DSARs within specific timeframes—typically one month under the GDPR—providing details on data sources, purposes of processing, recipients, and retention periods.
Why Data Subject Access Requests (DSARs) matter
DSARs promote transparency and trust by giving individuals greater control over their personal data. They help ensure accountability and compliance with global privacy regulations.
For organizations, responding efficiently to DSARs is critical to avoid regulatory penalties and reputational harm. Automated DSAR workflows streamline the intake, verification, and fulfillment processes while reducing human error.
In an increasingly data-driven world, honoring DSARs demonstrates a commitment to user rights and responsible data handling.
How Data Subject Access Requests (DSARs) are used in practice
- Receiving and verifying individual identity before processing a request
- Compiling all relevant data from systems, databases, and vendors
- Responding within regulatory deadlines (e.g., one month under the GDPR)
- Providing copies of personal data and explaining processing purposes
- Automating DSAR intake and tracking with dedicated compliance tools
- Documenting fulfillment for audit and compliance reporting
Related laws & standards
- General Data Protection Regulation (GDPR)
- California Consumer Privacy Act (CCPA)
- California Privacy Rights Act (CPRA)
- Brazil General Data Protection Law (LGPD)
How OneTrust helps with Data Subject Access Requests (DSARs)
OneTrust automates the entire DSAR lifecycle—from intake and identity verification to fulfillment and tracking—ensuring compliance with GDPR, CPRA, and other global privacy laws. The platform helps organizations manage requests at scale while maintaining accuracy, efficiency, and transparency.
Explore Solutions →
FAQs about Data Subject Access Requests (DSARs)
A DSAR provides individuals access to their personal data, while a data deletion request asks the organization to erase that data under applicable privacy laws.
Privacy, compliance, and legal teams typically manage DSARs, supported by IT and security teams that locate and provide access to requested information.
Under the GDPR, individuals have the right to access their personal data. DSARs help organizations demonstrate compliance by enabling transparency and empowering individuals to exercise their data rights.
