DSAR (Data Subject Access Request)
A Data Subject Access Request (DSAR) allows individuals to request access to personal data an organization holds about them, as required under privacy laws.
What is a DSAR (Data Subject Access Request)?
A Data Subject Access Request (DSAR) is a formal request made by an individual to obtain a copy of their personal data that an organization processes. Under privacy regulations such as the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA), individuals—known as data subjects—have the right to know what data is collected, how it is used, and with whom it is shared.
Organizations must verify the requester’s identity, locate relevant data across systems, and provide it securely within the timeframes defined by applicable laws. DSARs are a key component of global data rights frameworks that emphasize transparency and user control.
Why a DSAR (Data Subject Access Request) matters
DSARs empower individuals to take control of their personal information and ensure transparency in how organizations manage data. Responding properly to DSARs helps build trust and demonstrate compliance with privacy regulations.
Under the GDPR, organizations must respond to DSARs within one month, while the California Privacy Rights Act (CPRA) and other state laws in the U.S. define similar rights for consumers. Failure to respond or provide inaccurate information can result in fines and reputational damage.
Establishing an efficient DSAR process reduces manual effort, prevents delays, and ensures consistent compliance across jurisdictions.
How a DSAR (Data Subject Access Request) is used in practice
- Allowing individuals to request access, correction, or deletion of personal data
- Verifying requester identity before releasing sensitive information
- Locating personal data across databases, cloud systems, and third-party vendors
- Redacting data related to other individuals to maintain confidentiality
- Documenting requests and responses for compliance audits
- Automating DSAR intake and fulfillment workflows using privacy management platforms
Related laws & standards
- General Data Protection Regulation (GDPR)
- California Consumer Privacy Act (CCPA)
- California Privacy Rights Act (CPRA)
- Colorado Privacy Act (CPA)
How OneTrust helps with DSARs (Data Subject Access Requests)
OneTrust streamlines DSAR management with automated request intake, identity verification, and fulfillment workflows. The platform helps organizations locate data across systems, redact sensitive information, and generate compliant responses within regulated timeframes.
FAQs about DSARs (Data Subject Access Requests)
A DSAR is the GDPR’s formal mechanism for individuals to access their personal data, while consumer rights requests cover similar access, deletion, and correction rights under U.S. privacy laws such as the CCPA and CPRA.
Privacy, legal, and compliance teams typically lead the DSAR process, supported by IT or data governance teams to locate and securely share the requested data.
Under the GDPR, DSARs are one of several data subject rights. Responding accurately and within statutory deadlines demonstrates accountability and transparency under Articles 12–15 of the regulation.
