DSAR Requirements Under GDPR
GDPR DSAR requirements: data subject rights, response deadlines, identity verification, and penalties for non-compliance.
Last updated: 2026-02-08
Data Subject Rights That Trigger DSARs
EU data subjects can submit requests to:
- Access: confirmation that you process their data, a copy of it, and details of the purposes, categories, recipients, retention period, source, and any automated decision-making (Article 15)
- Rectify inaccurate or incomplete data (Article 16)
- Erase personal data, the "right to be forgotten", where one of the Article 17(1) grounds applies (Article 17)
- Restrict processing, for example while accuracy or an objection is being resolved (Article 18)
- Port data they provided to you, processed by automated means on the basis of consent or contract, in a structured, commonly used and machine-readable format (Article 20)
- Object to processing based on legitimate interests or a public-interest task; objection to direct marketing is absolute and must always be honoured (Article 21)
- Not be subject to a decision based solely on automated processing, including profiling, that produces legal effects or similarly significant effects, and to obtain human intervention (Article 22)
Disclaimer: This article is for informational purposes only and does not constitute legal advice. Consult a qualified attorney for guidance specific to your business.
Response Deadline
One month from receipt of the request (Article 12(3)), not a fixed 30 days: the period ends on the corresponding calendar day of the following month, so a request received on 15 March is due by 15 April, and one received on 31 January is due by the last day of February. You can extend by a further two months where necessary, taking into account the complexity and number of requests, but you must inform the data subject of the extension and the reasons for the delay within the original one-month period. "Without undue delay" also applies: the month is a ceiling, not a target.
The first copy of the data must be provided free of charge (Article 15(3)). For further copies, or for requests that are manifestly unfounded or excessive, you may charge a reasonable fee based on administrative costs, or refuse to act (Article 12(5)).
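A deadline calculator for the rule above, added here as an illustration and not code from the original page. It counts "one month" by the corresponding-day rule described above (falling back to the last day of the month when that day does not exist), and rolls a deadline that lands on a Saturday, Sunday or public holiday forward to the next working day, which is how Regulation (EEC) 1182/71 treats time limits; treat that roll-forward and the holiday calendar you pass in as assumptions to confirm with counsel for your jurisdiction. The function and parameter names are this example's own.

```python
from dataclasses import dataclass
from datetime import date, timedelta
import calendar


def add_months(d: date, months: int) -> date:
    """Return the corresponding calendar day `months` later.

    If the target month is shorter (31 Jan + 1 month), the period ends on
    the last day of that month, per the corresponding-day rule.
    """
    month_index = d.month - 1 + months          # zero-based month count
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def roll_to_working_day(d: date, holidays: frozenset = frozenset()) -> date:
    """Assumption: a deadline on a weekend or listed public holiday expires
    at the end of the next working day (Regulation 1182/71, Art. 3(4))."""
    while d.weekday() >= 5 or d in holidays:    # 5 = Saturday, 6 = Sunday
        d += timedelta(days=1)
    return d


@dataclass(frozen=True)
class DsarDeadlines:
    received: date
    initial: date     # one month from receipt
    extended: date    # one month plus the two-month extension


def dsar_deadlines(received: date, holidays: frozenset = frozenset()) -> DsarDeadlines:
    """Compute the Article 12(3) deadlines for a request received on `received`."""
    return DsarDeadlines(
        received=received,
        initial=roll_to_working_day(add_months(received, 1), holidays),
        extended=roll_to_working_day(add_months(received, 3), holidays),
    )


def extension_notice_in_time(received: date, notified_on: date,
                             holidays: frozenset = frozenset()) -> bool:
    """An extension only counts if the data subject was told within the
    original one-month period; a notice sent after that date is too late."""
    return notified_on <= dsar_deadlines(received, holidays).initial


if __name__ == "__main__":
    # Constructed sample: a request received on 31 January 2026. February 2026
    # has 28 days and 28 Feb 2026 is a Saturday, so the deadline rolls to Monday.
    d = dsar_deadlines(date(2026, 1, 31))
    print(f"received {d.received}: respond by {d.initial}, or by {d.extended} if extended")
    print("extension notice on 2026-03-03 in time:",
          extension_notice_in_time(date(2026, 1, 31), date(2026, 3, 3)))
```

Run it against your request log rather than a single date: the month-end and weekend cases are exactly the ones a "received date + 30" spreadsheet gets wrong, in both directions.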
Identity Verification
Required, but proportionate. Recital 64 expects you to use all reasonable measures to verify identity, and Article 12(6) lets you request additional information only where you have reasonable doubts about who is asking. Match the check to the risk: a request made from an authenticated account, or from the email address or phone number already on file, usually needs nothing more, while requests for sensitive data, requests made by an agent on someone's behalf, or requests arriving through an unverified channel justify stronger checks. Do not demand passport scans as a default: a copy of an identity document is new personal data that you must then protect and delete, and demanding it for a low-risk request is itself a barrier to the right. Disclosing someone's data to the wrong person is a personal data breach.
Penalties
- Up to EUR 20 million or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher, for the most serious infringements; breaches of data subject rights under Articles 12 to 22, which includes mishandling DSARs, fall in this tier (Article 83(5))
- Up to EUR 10 million or 2% of worldwide annual turnover, whichever is higher, for breaches of controller and processor obligations such as records of processing, security measures and breach notification (Article 83(4))
- No cure period
- Private right of action — individuals can sue for material or non-material damages (Article 82)
Enforced by Data Protection Authorities in each EU member state, coordinated by the European Data Protection Board.
DSAR-Specific Exemptions
You may decline or limit a request when:
- Providing a copy would adversely affect the rights and freedoms of others, typically third-party personal data or trade secrets; redact or withhold only the affected parts and release the rest (Article 15(4))
- The request is manifestly unfounded or excessive, for example repetitive; you bear the burden of demonstrating this (Article 12(5))
- For erasure requests: the data is still needed to comply with a legal obligation, or to establish, exercise or defend legal claims (Article 17(3))
- Member state law restricts the right under Article 23, for example for national security, crime prevention or other public-interest objectives; the restriction must exist in law and be necessary and proportionate
Who This Applies To
Any organisation that processes personal data, with no size threshold or revenue minimum: those established in the EU (Article 3(1)), and those outside it that offer goods or services to people in the EU or monitor their behaviour there (Article 3(2)). The test is where the data subjects are, not their citizenship or residence status.
For the full GDPR compliance guide, see boringgovernance.com.
Related Guides
- How to Respond to a DSAR — response process
- DSAR Response Deadlines — all deadlines
- GDPR SAR Software — tools for handling SARs
- DSAR Exemptions — when you can refuse