European Union Privacy Laws — GDPR DSAR Requirements
GDPR data subject access request requirements for businesses serving EU residents. Rights, deadlines, penalties, and compliance guidance.
Last updated: 2026-03-01
The European Union's General Data Protection Regulation (GDPR) is the most influential privacy law in the world. It applies to any organization that processes personal data of EU residents, regardless of where the organization is based. There is no revenue threshold or company size exemption — if you hold personal data of people in the EU, the GDPR applies to you.
The GDPR grants data subjects a broad set of rights, including the right of access (commonly called a DSAR or subject access request). Organizations must respond within 30 calendar days, with the possibility of a 2-month extension for complex or numerous requests.
Disclaimer: This content is for informational purposes only and does not constitute legal advice. Consult a qualified attorney or data protection professional for guidance specific to your organization.
Enforcement
The GDPR is enforced by Data Protection Authorities (DPAs) in each EU member state. Each DPA operates independently but cooperates through the European Data Protection Board (EDPB). The lead supervisory authority for cross-border processing is determined by the location of the organization's main establishment in the EU.
Maximum penalties under the GDPR are EUR 20 million or 4% of global annual revenue, whichever is higher. Lower-tier violations carry penalties of up to EUR 10 million or 2% of global revenue.
Key Features for DSAR Compliance
- No threshold: Applies to all organizations processing EU personal data, regardless of size or revenue
- 30-day deadline: Must respond within one calendar month of receiving the request
- Free of charge: The first copy must be provided free; reasonable fees allowed for additional copies
- Format: Information must be provided in a commonly used electronic format if requested electronically
- Right to complain: Data subjects can lodge complaints directly with their national DPA
Guides
- GDPR DSAR Requirements — full DSAR compliance breakdown including rights, deadlines, identity verification, and penalties
Related Resources
- How to Respond to a DSAR — step-by-step response process
- DSAR Exemptions — when you can refuse or limit a response
- DSAR Response Deadlines — deadline comparison across jurisdictions
- GDPR Compliance Software — tools for GDPR compliance