A Data Subject Access Request, commonly known as a DSAR, is a formal request you can make to any organization asking it to reveal exactly what personal data it holds about you. Enshrined in the GDPR, CCPA, and a growing number of state and international privacy laws, the DSAR is one of the most powerful tools available to individuals who want to understand and control their digital footprint. Whether you are preparing to opt out of data brokers, responding to a data breach, or simply exercising your legal rights, knowing how to file a DSAR is an essential privacy skill.
What Is a Data Subject Access Request?
A DSAR is a legal mechanism that allows you to ask any company or organization what personal information it has collected, processed, or shared about you. Under the EU General Data Protection Regulation (GDPR), this is codified in Article 15. Under the California Consumer Privacy Act (CCPA), it is known as the "right to know." Similar rights exist under Virginia's CDPA, Colorado's CPA, Connecticut's CTDPA, and many other privacy frameworks around the world.
When you submit a DSAR, the organization must typically provide:
- The categories and specific pieces of personal data it holds about you
- The purposes for which your data is being processed
- The recipients or categories of recipients with whom your data has been shared
- The source of the data if it was not collected directly from you
- How long the organization intends to retain your data
- Information about any automated decision-making or profiling involving your data
This information gives you a clear picture of your exposure and helps you make informed decisions about deletion requests, opt-outs, and other privacy actions.
When Should You File a DSAR?
There are several situations where filing a DSAR is the right first step:
Before Opting Out of Data Brokers
Filing a DSAR before requesting deletion helps you understand exactly what data a broker holds. This gives you a baseline so you can verify that the data was actually removed after your opt-out request is processed.
After a Data Breach
If a company notifies you that your data was involved in a breach, a DSAR forces them to tell you precisely what information was exposed. Breach notifications are often vague — a DSAR gets you the specifics you need to protect yourself.
When a Company Refuses to Delete Your Data
If you have submitted a deletion request and the company has not complied or has only partially complied, a DSAR creates a documented record of what they still hold. This evidence strengthens any complaint you may file with a regulatory authority.
When You Suspect Unauthorized Data Collection
If you believe a company has obtained your information without your consent, a DSAR is the formal mechanism to find out what they have and where they got it.
How to File a DSAR: Step by Step
Step 1: Identify the Data Controller
The data controller is the organization that determines how and why your personal data is processed. Check the company's privacy policy to find the data controller's name and their contact details for privacy requests.
Step 2: Submit Your Request in Writing
While some jurisdictions allow verbal DSARs, you should always submit your request in writing to create a clear paper trail. You can submit via:
- Email — Send to the company's Data Protection Officer (DPO) or privacy team email, often listed in their privacy policy
- Web form — Many companies now offer a dedicated privacy rights portal or request form
- Postal mail — Send a physical letter via certified mail if you want proof of delivery
Step 3: Include the Right Information
Your DSAR should include:
- Your full name and any names previously associated with the account
- Your email address, mailing address, and phone number to help the company locate your records
- A clear statement that you are making a data subject access request under the applicable law (GDPR, CCPA, etc.)
- A description of what data you want — you can request all personal data, or specify particular categories
- Your preferred format for receiving the data (electronic copy is standard)
Step 4: Send and Document
Send your request and save a copy of everything — the email, the form submission confirmation, or the postal receipt. Note the date you sent it, because the response clock starts from the day the organization receives your request.
Pro Tip: Keep Records of Every DSAR You File
Maintain a spreadsheet or document tracking every DSAR you submit. Record the company name, date sent, method of submission, confirmation received, and response deadline. This log becomes invaluable if you need to escalate to a regulatory authority, and helps you spot patterns among companies that hold more data than expected or routinely miss deadlines.
Sample DSAR Template
You can adapt the following template for your own use:
Subject: Data Subject Access Request
To the Data Protection Officer,
I am writing to make a data subject access request under [Article 15 of the GDPR / the California Consumer Privacy Act / applicable privacy law]. Please provide me with a copy of all personal data you hold about me, including data collected directly, obtained from third parties, and derived through profiling or automated processing.
My identifying details: [Full Name], [Email Address], [Mailing Address], [Phone Number], [Account ID if applicable].
Please provide this information in a commonly used electronic format within the timeframe required by law. If you need to verify my identity, let me know what is required and I will respond promptly.
Response Timelines by Law
Different privacy laws impose different deadlines on organizations:
- GDPR (EU/UK): Organizations must respond within 30 calendar days (one month). This can be extended by an additional two months for complex or high-volume requests, but the organization must notify you of the extension within the initial 30-day window.
- CCPA (California): Businesses must respond within 45 calendar days. An additional 45-day extension is permitted with written notice, making the maximum response time 90 days.
- Other US state laws: Most state privacy laws (Virginia, Colorado, Connecticut, etc.) follow a 45-day standard with similar extension provisions.
The response must be provided free of charge in most cases. Under the GDPR, a company may charge a reasonable fee only if your requests are "manifestly unfounded or excessive," particularly if they are repetitive.
Identity Verification Requirements
Organizations must verify your identity before releasing personal data. Common methods include email verification links, matching information against data on file, security questions, or requesting a government-issued ID for high-sensitivity requests. Verification should be reasonable — if a company makes it so burdensome that it discourages you from completing your request, that may itself be a compliance violation.
Watch Out: Companies That Delay or Obstruct
Some organizations use delay tactics to avoid complying with DSARs — claiming they cannot verify your identity, requesting unnecessary information, providing incomplete responses, or simply ignoring your request. If you encounter these tactics, document everything carefully. Under the GDPR, organizations that fail to comply can face fines of up to 4% of their annual global turnover. Under the CCPA, the California Privacy Protection Agency can impose penalties of up to $7,500 per intentional violation. Do not let stalling discourage you — the law is on your side.
What to Do If a Company Does Not Respond
If the response deadline passes without a proper reply, you have several options for escalation:
- Send a follow-up. Contact the company again, referencing your original request date and reminding them of the legal deadline. Sometimes a second notice prompts action.
- File a complaint with the supervisory authority. Under the GDPR, you can lodge a complaint with your national Data Protection Authority (DPA) — such as the ICO in the UK, the CNIL in France, or the DPC in Ireland. The DPA can investigate and impose penalties.
- Contact your state Attorney General. Under the CCPA and other US state privacy laws, your state Attorney General's office handles privacy complaints. In California, you can also file directly with the California Privacy Protection Agency (CPPA).
- Seek legal counsel. For serious or repeated violations, consulting a privacy attorney can help you understand whether you have grounds for a civil claim, particularly under laws that provide a private right of action.
Let PrivacyOn Handle the Heavy Lifting
Filing DSARs manually is effective but time-consuming — especially when your data is spread across dozens or hundreds of data brokers and companies. PrivacyOn automates the process of removing your personal information from 100+ data brokers, handling the opt-out requests, follow-ups, and re-removal monitoring on your behalf. With continuous scanning and dark web monitoring included, PrivacyOn ensures your personal data does not quietly reappear after you have worked to remove it.
A DSAR gives you the legal right to see what companies know about you. Pair that knowledge with a service that actively removes and monitors your data, and you take real control of your privacy — not just once, but on an ongoing basis.