Legitimate DSAR Processing

Process a data subject access request end to end.

What You'll Learn in Legitimate DSAR Processing

Legitimate DSAR Processing Training Steps

  1. Introduction

    Alice works in the Privacy Operations team at CloudServe Technologies, a B2B SaaS provider that helps businesses manage their cloud infrastructure. Her role involves handling data subject access requests (DSARs) under GDPR. Today, she will process a legitimate DSAR from a verified customer – a request that requires careful attention to deadlines, data discovery, and third-party redaction.

  2. DSAR Receipt

    Alice receives a new email in her work inbox. The subject line indicates it is a formal data subject access request. The email is from jennifer.martinez@acme-corp.com - a verified customer whose company has an active contract with CloudServe Technologies.

  3. Identity Verification

    Before processing the request, Alice must verify that the person making the request is actually Jennifer Martinez. However, GDPR requires that verification be proportionate - Alice should not create excessive barriers. Since the request came from an email address already associated with the customer account, and includes the correct customer ID, Alice has reasonable assurance of identity.

  4. Logging the Request

    Alice accesses the DSAR queue in the privacy portal. She sees Jennifer's request has been automatically logged with today's date, which starts the 30-day response clock. The system shows all the information needed to verify the requestor's identity against existing customer records.

  5. Sending Acknowledgment

    With identity verified, Alice now needs to send an acknowledgment email to Jennifer. This confirms receipt of the request and sets expectations for the response timeline. Good practice is to acknowledge DSARs promptly, even though GDPR does not strictly require it.

  6. Data Discovery

    Now Alice must search all company systems for Jennifer's personal data. GDPR requires providing all personal data held about the individual, not just the data in obvious places like the CRM. Alice needs to check CRM records, support tickets, billing systems, email communications, system logs, and any backups that might contain personal data.

  7. Running Data Search

    Alice enters Jennifer's email address to search across all connected systems. The privacy portal automatically queries the CRM, support ticketing system, billing platform, and access logs. The search returns data from multiple sources - some containing only Jennifer's data, and some containing data about other individuals as well.

  8. Supervisor Call - Redaction Requirements

    While reviewing the search results, Alice notices that several support tickets contain data about other ACME Corp employees who were CC'd on communications. She needs guidance on how to handle third-party data. She calls her supervisor, David Chen, to discuss the redaction requirements.

  9. Reviewing and Redacting Data

    Following David's guidance, Alice reviews the compiled data export. She identifies several pieces of information that need redaction:

    - Email addresses of other ACME Corp employees in support ticket threads
    - Names of CloudServe staff members who handled support cases
    - Internal ticket IDs that could expose other customers' data

    Alice must provide Jennifer with all her own data while protecting others' privacy.

  10. Applying Redactions

    Alice carefully reviews each data source and applies redactions to protect third-party information. The privacy portal helps by highlighting potential third-party data, but Alice must make the final decision on each redaction. She ensures that all of Jennifer's personal data remains visible while other individuals' information is properly obscured.