What Is a Data Subject Access Request?

A Data Subject Access Request (DSAR) is the formal exercise by an individual of their right of access under Article 15 of the GDPR. The right gives individuals the ability to obtain confirmation of whether the controller is processing personal data about them and, if so, to receive a copy of that data together with the information specified in Article 15(1): the purposes of processing, the categories of data concerned, the recipients to whom the data has been or will be disclosed, the envisaged retention period (or the criteria used to determine it), the existence of the rights to request rectification, erasure or restriction of processing and to object to processing, the right to lodge a complaint with a supervisory authority, any available information about the source of the data where it was not collected from the data subject, and information about automated decision-making, including profiling.

DSARs are one of the most operationally demanding data subject rights in practice. They require organisations to locate all personal data relating to the individual across all systems and records, compile a coherent and complete response, apply exemptions where applicable, and deliver the response within the one-month deadline (extendable to three months for complex or numerous requests). For organisations with fragmented data landscapes (multiple databases, legacy systems, paper records, cloud services, email archives, third-party processors) fulfilling DSARs accurately and within the deadline requires systematic processes that cannot be improvised.

The One-Month Deadline and Extensions

The default deadline for responding to a DSAR is one calendar month from receipt of the request. The deadline runs from the day the request is received, regardless of whether it is received by email, letter, or through a web form. Controllers cannot delay the clock by requesting clarification unless the request is genuinely unclear and the controller needs clarification to respond. Where the identity of the requester is not in doubt and the request can be understood, the one-month deadline begins immediately.

A two-month extension is available where requests are complex or numerous, but must be communicated to the data subject within the initial one-month period with an explanation of the reasons for the extension. Complexity justifying extension includes cases involving very large volumes of data requiring careful sorting, multiple systems requiring extensive searches, or requests requiring significant redaction to protect third-party data. The extension cannot be used as a routine administrative convenience.

Identifying and Compiling Data

A systematic DSAR response process begins with a defined protocol for identifying all personal data relating to the requester. This requires scope definition: which systems and data stores are in scope for the search, whether the search extends to processors holding data on the controller's behalf, whether backups are in scope, and how email and document repositories are to be searched. The scope of a DSAR is broad: it covers all personal data held by the controller in any form, structured or unstructured, including emails, documents, notes, audio recordings, and third-party processor data.

Controllers may charge a reasonable fee or refuse to act where a request is manifestly unfounded or excessive, particularly where it is repetitive. But these exceptions are narrow, and supervisory authorities take a restrictive view of their application. Refusing a DSAR or imposing a fee requires documented justification and carries the risk of regulatory complaint.

Exemptions and Third-Party Data

The right of access is subject to limitations where disclosure would adversely affect the rights and freedoms of others. The most common limitation in practice concerns data that includes information about third parties: where complying with a DSAR would require disclosing personal data about identifiable third parties who have not consented to that disclosure, the controller must balance the requester's right of access against the third party's privacy rights. This typically involves redacting third-party identifying information before disclosure, rather than withholding the document entirely.

Legal professional privilege provides an exemption in certain contexts: legal advice sought by the controller for its own purposes, and communications covered by lawyer-client privilege, may be exempt from DSAR disclosure under Belgian national law, which relies on the derogation that Article 23 of the GDPR permits Member States to enact.

Frequently Asked Questions

Can we charge a fee for responding to a DSAR?

The default is that DSARs must be responded to free of charge. A reasonable, cost-based fee may be charged only where a request is manifestly unfounded or excessive, particularly where it is repetitive in nature. The fee must reflect the administrative cost of providing the information and must be communicated to the data subject before the response is provided, so that the data subject can decide whether to proceed with or withdraw the request. Supervisory authorities scrutinise fee charging closely, and imposing a fee without proper justification is itself a GDPR violation.

Do we have to search email archives for DSARs?

Yes. The right of access applies to all personal data held by the controller, including data in email systems, which frequently contains significant volumes of personal data about individuals. The practical challenge (that email archives may contain years of communications that are difficult to search systematically) does not reduce the legal obligation. Controllers should establish email search protocols as part of their DSAR process design, including keyword search parameters, mailbox scope, and archive access procedures. Where email systems are particularly large or difficult to search, this complexity may justify use of the two-month extension.

What do we do if the DSAR deadline cannot be met?

If the one-month deadline cannot be met, the controller must contact the data subject within that month to invoke the two-month extension and explain the reasons for the delay. It is not permissible to let the deadline pass without communicating with the data subject. Where neither the one-month deadline nor the extended three-month deadline can be met, the controller is in breach of the GDPR and should proactively consider whether to notify the supervisory authority. Supervisory authorities receive a significant proportion of their complaints directly from data subjects who did not receive a DSAR response on time, and these complaints are routinely investigated.

Does the GDPR right of access apply to employee data held by employers?

Yes. Employees are data subjects with the full range of GDPR rights, including the right of access under Article 15. An employee who submits a DSAR to their employer has the same rights as any other data subject: they are entitled to a copy of all personal data held about them across all of the employer's systems, including HR systems, email, performance management tools, and any AI system outputs relating to them. Employment context DSARs are frequently among the most operationally complex to fulfil, because of the volume of data held and because they often arise in the context of employment disputes where the data will be scrutinised carefully.

Bart Lieben
Attorney-at-Law