DSAR Response Templates: What to Include and How to Format Your Reply

How to structure a DSAR response: what to include, how to format it, common mistakes to avoid, and a sample structure you can follow.

Last updated: 2026-02-07

Why Templates Matter for DSAR Responses

Every DSAR response needs to include specific information — and missing any of it can land you in trouble with regulators. The problem is not that the requirements are complicated. The problem is that when you are responding to a DSAR for the first time, under a ticking deadline, it is easy to forget something.

Disclaimer: This article is for informational purposes only and does not constitute legal advice. Privacy regulations are complex and change frequently. You should consult a qualified attorney for guidance specific to your business. The information here is based on the GDPR (in particular Article 12, which requires transparent communication in clear and plain language), the CCPA (Cal. Civ. Code § 1798.130), and the UK GDPR / Data Protection Act 2018, as of the date of publication.

Templates fix this. A well-structured DSAR response template ensures you cover every required element, maintain a professional and consistent standard, and do not waste time reinventing the format every time a request comes in.

This guide covers what your DSAR response should include, how to structure it, the common mistakes that trip businesses up, and a sample structure you can adapt for your own use.

If you need the full step-by-step process for handling a DSAR from start to finish, see How to Respond to a DSAR. This article focuses specifically on the response document itself.

What Your DSAR Response Must Include

Under GDPR (and UK GDPR), a DSAR response has two components: the personal data itself, and supplementary information about your processing (GDPR Article 15(1)). Both are required.

Component 1: The Personal Data

This is the core of the response — a copy of the personal data you hold about the individual. The data must be:

  • Complete — all personal data you hold, unless a specific exemption applies
  • Intelligible — presented in a way the person can understand, not raw database codes
  • Accurate — reflecting what you actually hold at the time of the response
  • In a commonly used format — if the request was made electronically, provide the data in a commonly used electronic format (PDF, CSV, etc.) (GDPR Article 12(1))

Component 2: Supplementary Information

You must also tell the person:

  1. The purposes of your processing — why you collected and use their data
  2. The categories of personal data — what types of data you hold (identity, financial, behavioral, etc.)
  3. The recipients or categories of recipients — who you have shared or will share the data with
  4. Retention periods — how long you keep each type of data, or the criteria for deciding
  5. Their right to rectification — they can ask you to correct inaccurate data
  6. Their right to erasure — they can ask you to delete their data (subject to conditions)
  7. Their right to restriction — they can ask you to stop processing their data in certain circumstances
  8. Their right to object — they can object to certain types of processing
  9. Their right to complain — they can lodge a complaint with the supervisory authority (ICO in the UK, relevant DPA in the EU)
  10. The source of the data — if you did not collect it directly from the person, where it came from
  11. Automated decision-making — if you use automated decision-making or profiling, the logic involved, its significance, and its consequences

Under CCPA (Cal. Civ. Code § 1798.130), the requirements differ slightly. You must disclose:

  1. The categories of personal information collected
  2. The specific pieces of personal information collected
  3. The categories of sources
  4. The business or commercial purpose for collecting or selling
  5. The categories of third parties the information was shared with

The Structure of a DSAR Response

Here is how to organize your response for clarity and completeness.

Part 1: Cover Letter

The cover letter is the first thing the requester reads. It should set the context and direct them to the enclosed information.

A good cover letter includes:

Opening:

  • Reference the original request (date received, how it was submitted)
  • Confirm that you have processed the request under the applicable law (cite the specific regulation)
  • State whether you hold personal data about the individual (if you do not, the cover letter is your entire response)

Summary of what is enclosed:

  • A brief description of the data provided and how it is organized
  • Reference to the supplementary information (either in the cover letter itself or as a separate section)

Any exemptions applied:

  • If you have withheld any data, state that you have done so, identify which exemption applies, and explain why (to the extent you can without undermining the exemption)
  • If you redacted third-party data, mention this

Supplementary information:

  • Either include the supplementary information (purposes, categories, recipients, etc.) in the cover letter or reference a separate section where it is provided

Rights and complaints:

  • Summarize the individual's further rights (rectification, erasure, restriction, objection)
  • Provide contact details for the relevant supervisory authority

Closing:

  • Offer to answer any questions about the response
  • Provide a contact point for follow-up

Part 2: Supplementary Information

If you keep this separate from the cover letter (which is cleaner for complex responses), this section provides the detailed information required by law.

Structure it as follows:

Purposes of Processing:

List the reasons you process the individual's data. Be specific. "Marketing" is a purpose. "Providing the service you signed up for" is a purpose. "Legal compliance" is a purpose. Group them logically.

Purpose                                  | Legal Basis
-----------------------------------------|-------------------------
Providing our service to you             | Performance of contract
Sending marketing emails you opted into  | Consent
Maintaining accounting records           | Legal obligation
Fraud prevention                         | Legitimate interest

Categories of Personal Data:

List the categories of data you hold. These should be meaningful to a non-specialist:

  • Identity data (name, email address, phone number)
  • Financial data (payment details, transaction history)
  • Account data (username, preferences, settings)
  • Communication data (emails, support tickets)
  • Usage data (how you used our service)
  • Marketing data (preferences, consent records)

Recipients:

List the organizations (or categories of organizations) you have shared the person's data with:

  • Payment processor (name)
  • Email marketing provider (name)
  • Cloud hosting provider (name)
  • Accountant/bookkeeper (name)
  • Any other third parties

You can use categories ("IT service providers," "professional advisors") if listing every specific recipient is impractical, but be as specific as you reasonably can.

Retention Periods:

State how long you keep each category of data:

Data Category          | Retention Period              | Reason
-----------------------|-------------------------------|-------------------------------------------------------
Account data           | Duration of account + 2 years | To allow reactivation and handle post-contract queries
Financial records      | 7 years from transaction      | Legal obligation (tax records)
Marketing data         | Until consent withdrawn       | Based on ongoing consent
Support correspondence | 3 years from last contact     | Legitimate business interest

Source of Data:

If you collected data from a source other than the individual (purchased lists, partner referrals, public sources), state where you got it from.

Automated Decision-Making:

If you do not use automated decision-making or profiling that produces legal effects, say so: "We do not use automated decision-making or profiling that produces legal or similarly significant effects."

If you do, you must explain the logic involved, its significance, and the consequences — in terms the person can understand.

Part 3: The Data Itself

This is the bulk of the response. How you organize it depends on what data you hold and how much of it there is.

For Simple Responses (Limited Data):

If you hold a small amount of data, you can present it in a single document, organized by category:

Identity Data:

  • Full name: [name]
  • Email address: [email]
  • Phone number: [phone]

Account Data:

  • Account created: [date]
  • Last login: [date]
  • Subscription plan: [plan]

Transaction Data:

Date       | Description          | Amount
-----------|----------------------|-------
2025-01-15 | Monthly subscription | $29.00
2025-02-15 | Monthly subscription | $29.00

For Complex Responses (Multiple Systems, Large Volume):

For larger responses, organize by source system or data category, and provide an index:

Index:

  1. CRM data (pages 1-5)
  2. Email correspondence (pages 6-45)
  3. Support tickets (pages 46-52)
  4. Financial records (pages 53-58)
  5. Marketing records (pages 59-60)

Each section should clearly identify what system the data came from and what it represents.

For Email Data:

Emails are often the largest component. Present them chronologically or grouped by thread. For each email, include:

  • Date and time
  • From/To/CC fields
  • Subject line
  • Body content

Redact any third-party personal data (mark redactions clearly, for example: "[Name of third party redacted]").

Common Mistakes in DSAR Responses

Mistake 1: Missing Supplementary Information

Many businesses provide the data but forget the supplementary information. You must tell the person why you have their data, who you shared it with, how long you keep it, and what their rights are. Just dumping a spreadsheet of data is not a compliant response.

Mistake 2: Incomplete Data Search

Searching only your main database and missing data in emails, cloud storage, spreadsheets, or third-party systems. The requester knows what interactions they have had with you, and they will notice if their support tickets or email correspondence is missing.

Mistake 3: Providing Raw Data Without Context

A CSV export with column headers like cust_id, prf_opt_1, seg_code_mkt is not intelligible. Either export the data in a readable format or provide a legend that explains what each field means.
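As an added example (not code from this guide or its template pack), the Python below applies two points from this article: the legend that turns an opaque CSV export into plain-English fields (this section), and the clearly marked third-party redaction described under "For Email Data" in Part 3. The column names, legend entries and support note are constructed for the example.

```python
import csv
import io
import re

# Constructed sample of a raw CRM export with the kind of opaque column
# headers the text warns about (no real customer data).
RAW_EXPORT = """cust_id,prf_opt_1,seg_code_mkt,last_login
10482,Y,B2,2025-02-15
"""

# Legend: raw field name -> label a non-specialist can read (constructed names).
FIELD_LEGEND = {
    "cust_id": "Customer reference number",
    "prf_opt_1": "Opted in to marketing emails",
    "seg_code_mkt": "Marketing segment",
    "last_login": "Last login date",
}

# Coded values need decoding too, or the row is still "raw database codes".
VALUE_LEGEND = {
    "prf_opt_1": {"Y": "Yes", "N": "No"},
    "seg_code_mkt": {"B2": "Small business customer"},
}

# Constructed support note that mentions a third party.
SUPPORT_NOTE = "Spoke to Jane Doe (the customer's landlord); Jane Doe will confirm."
REDACTION_MARK = "[Name of third party redacted]"


def intelligible_rows(raw_csv: str) -> list[dict[str, str]]:
    """Relabel fields and decode values so the export reads in plain English.
    A field missing from the legend keeps its raw name, so the gap stays visible."""
    rows = []
    for rec in csv.DictReader(io.StringIO(raw_csv)):
        rows.append({
            FIELD_LEGEND.get(field, field): VALUE_LEGEND.get(field, {}).get(value, value)
            for field, value in rec.items()
        })
    return rows


def redact_third_parties(text: str, third_party_names: list[str]) -> tuple[str, int]:
    """Replace only the listed third-party names with a clearly marked redaction.
    The requester's own name and staff names are not listed, keeping redaction
    narrow (Mistake 4); the count lets the cover letter state what was redacted."""
    total = 0
    for name in third_party_names:
        text, n = re.subn(re.escape(name), REDACTION_MARK, text, flags=re.IGNORECASE)
        total += n
    return text, total
```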

Mistake 4: Over-Redaction

Redacting third-party data is necessary. Redacting the names of your own staff who dealt with the customer, or withholding entire documents because one line mentions another person, is excessive. Redact narrowly and precisely.

Mistake 5: Under-Redaction

The opposite problem. Accidentally disclosing personal data about other identifiable individuals is a data breach, which creates a whole new set of problems. Review your redactions carefully.

Mistake 6: No Cover Letter or Explanation

Sending data files with no explanation, no context, and no supplementary information. The requester should not have to guess what they are looking at.

Mistake 7: Insecure Delivery

Emailing personal data as an unencrypted attachment. Use password-protected files (with the password sent via a different channel), encrypted email, or a secure download link. This is particularly important for sensitive data.

Mistake 8: Providing Data in an Unusable Format

Sending a 500-page PDF that is just screenshots of database records. Or a ZIP file with 2,000 individually named files and no index. Make the data genuinely accessible and navigable.

Mistake 9: Forgetting to Note Exemptions

If you withheld any data under an exemption, you must tell the requester. Simply leaving data out without explanation invites challenges and complaints.

Mistake 10: Not Keeping a Copy of Your Response

Always keep a copy of exactly what you sent, when you sent it, and how. If the requester or a regulator challenges your response, you need to be able to show what you provided.

Building Your Own Templates

Here is a practical approach to creating templates that work for your business.

Start With the Cover Letter

Write a standard cover letter that includes all the required elements. Leave placeholders for:

  • The requester's name and details
  • The date of the original request
  • Any specific notes about exemptions or redactions
  • The deadline and response date

Most of the cover letter will be the same for every response. The supplementary information section (purposes, categories, recipients, retention) should be based on your actual data processing activities and updated whenever those change.

Create a Supplementary Information Template

Write this once, based on your current data processing activities. It should cover:

  • Your purposes and legal bases (a table works well)
  • Your data categories (a simple list)
  • Your recipients (by name or category)
  • Your retention periods (a table)
  • Information about automated decision-making (usually a brief statement)
  • A standard paragraph about the individual's rights
  • Contact details for the relevant supervisory authority

Review this template every six months or whenever your processing activities change.

Create Data Presentation Templates

Depending on the data you hold, create templates for presenting:

  • Account/customer data (a structured document with fields)
  • Communication data (a chronological format for emails and messages)
  • Transaction data (a table format)
  • HR/employee data (organized by category — see our guide on employee DSARs)

Create an Acknowledgment Template

A brief template for the initial acknowledgment you send when you receive a DSAR. It should confirm receipt, set expectations on timeline, and request identity verification if needed.

Create an Extension Notification Template

For cases where you need to extend the deadline. It should state that you are extending, explain why, give a revised deadline, and confirm you are working on the request.

CCPA-Specific Template Considerations

If you respond to requests under CCPA (California), your template needs some adjustments:

  • The categories of personal information must align with CCPA's statutory categories (identifiers, commercial information, internet activity, geolocation, etc.)
  • You must include a statement about whether you sell personal information and, if so, the categories sold and the categories of third parties to whom it was sold
  • The rights information should reference CCPA-specific rights (right to delete (Cal. Civ. Code § 1798.105), right to opt-out of sale (Cal. Civ. Code § 1798.120), right to non-discrimination)
  • Verification requirements differ — for requests for specific pieces of information, you need to include a declaration under penalty of perjury

A Word on Tone

Your DSAR response is a legal document, but it is also a communication with a real person. Write it clearly. Use plain English. Avoid unnecessary legal jargon.

The person reading your response might be a customer who is just curious about their data, an employee who is worried about what you know, or a solicitor who is looking for ammunition. In every case, a clear, professional, thorough response serves you well. It demonstrates competence and compliance, and it reduces the likelihood of follow-up complaints.

A response that is riddled with legal boilerplate, disorganized, or unnecessarily opaque invites exactly the kind of scrutiny you want to avoid.

The Investment Is Worth It

Building your DSAR response templates takes a few hours. Once done, they save you hours on every single DSAR you receive, and they dramatically reduce your risk of missing something required. For a small business that might receive a handful of DSARs per year, good templates are the difference between a stressful, error-prone scramble and a calm, methodical response.

References

Last reviewed: February 2026. Privacy laws change frequently. Verify all statutory references against the current text of the law and consult qualified legal counsel before making compliance decisions for your business.

Download Ready-Made Templates

Our DSAR Response Templates give you everything covered in this guide in ready-to-use format — cover letters, supplementary information templates, data presentation formats, acknowledgment letters, and extension notifications. Customize them for your business and you are ready to respond to your next DSAR with confidence.

Download the DSAR Response Templates