DSAR (Data Subject Access Request) Explained: Your Rights, Timelines, Process, Exemptions, and Costs

A Data Subject Access Request (DSAR) gives individuals the right under GDPR Article 15 to obtain confirmation of whether an organization processes their personal data and to receive a copy of that data, along with supplementary details. Organizations must respond within one month, though exemptions allow withholding certain information in specific cases.

This guide supports individuals, such as job seekers checking data held by potential employers, in exercising their rights effectively. For organizations and employers in UK and EU contexts, it outlines compliant handling, from timelines to cost-saving automation, ensuring efficient responses amid rising request volumes.

What Is a DSAR and What Rights Does It Give You?

A DSAR is a request by an individual to access the personal data an organization holds about them, rooted in GDPR and the Data Protection Act 2018. GRC Solutions defines it as a mechanism for individuals to understand how their information is used.

GDPR Article 15 provides the legal basis, allowing people to ask what personal data an organization holds and receive a copy. Article 15(1) requires confirmation of data processing and supplementary information, such as processing purposes, categories of data, recipients, and storage periods. Kukie emphasizes this broad scope in 2026 contexts, noting that organizations must provide a wide range of details to fulfill the request fully.

These rights empower users to verify data accuracy and usage. They're particularly relevant for job seekers reviewing application data or employer feedback stored by recruiters. Such access helps individuals ensure their data is handled correctly and identify any inaccuracies or misuse.

DSAR Response Timelines: What Organizations Must Follow

Organizations face a strict one-month deadline to respond to DSARs under UK GDPR and the Data Protection Act 2018. This aligns closely with the 30-day standard in GDPR-focused guidance. Sprintlaw confirms this timeframe applies universally, while other sources like Osano specify exactly 30 days for fulfillment.

Article 12(3) allows extensions by up to two additional months for complex or high-volume requests, provided the organization notifies the requester of the reasons. GRC Solutions highlights this provision, which accounts for the complexity and/or number of requests. Urgent cases, like those involving potential data inaccuracies, prioritize quicker fulfillment. UK guidance consistently emphasizes the one-month rule to avoid delays and ensure compliance.

Common DSAR Exemptions and When Data Can Be Withheld

Not all data must be disclosed. The Data Protection Act 2018 outlines exemptions that justify withholding information. Davidson Morris highlights workplace examples like legal professional privilege, where data covered by legal advice or litigation privilege remains protected.

Other exemptions include management planning, preventing prejudice to business negotiations or corporate restructuring, and areas related to crime or taxation. GDPR Recital 63 adds that access rights cannot adversely affect others' rights and freedoms, often requiring redaction of third-party data. TermsFeed notes this balances requester needs with privacy protections, such as redacting information that could impact third parties.

Requesters should expect partial responses where exemptions apply, with organizations explaining refusals. These measures protect sensitive business or legal interests while upholding the core right to access under Article 15.

Step-by-Step Process for Handling a DSAR

Handling a DSAR starts with identity verification to prevent unauthorized access. Organizations must confirm the requester's identity, ensuring they match the data subject, especially for portal uploads. Kukie stresses this step in 2026 practices, including verifying that the person genuinely agreed to data uploads. Iubenda advises identifying the requester accurately to avoid errors and unauthorized disclosures.

Next, assess if the organization processes the individual's data per Article 15(1). If yes, compile the data, redact exempt portions (such as third-party information under Recital 63), and provide supplementary details like processing purposes, categories of data, recipients, and storage periods. Deliver the response within one month, notifying of any extension under Article 12(3). This structured approach ensures compliance while minimizing risks of non-fulfillment or data breaches.
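The verification, confirmation, compilation, redaction and deadline steps above, as an added Python illustration (not code from the page or from any of the vendors it cites). The record store, the people's names, the supplementary-detail values and the convention used for counting a calendar month are assumptions made for the example; the rules it encodes are the ones the text states: no disclosure before identity is verified, one month to respond, at most two further months under Article 12(3) with reasons given, third-party names redacted per Recital 63, and privileged records withheld with the exemption named.

```python
"""Toy DSAR intake tracker modelling the handling steps described above.

Added illustration only; data store, names and the month-counting convention
are assumptions, not guidance from the page.
"""
import calendar
import re
from dataclasses import dataclass
from datetime import date


# Assumed counting convention: the deadline falls on the same calendar day in a
# later month; if that day does not exist (31 Jan + 1 month) use the month's last day.
def add_months(d: date, months: int) -> date:
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


@dataclass
class DSAR:
    requester: str                 # identifier the requester claims to be
    received: date                 # date the request arrived
    identity_verified: bool = False
    extension_months: int = 0
    extension_reason: str = ""

    def deadline(self) -> date:
        """One month from receipt, plus any Article 12(3) extension granted."""
        return add_months(self.received, 1 + self.extension_months)

    def extend(self, months: int, reason: str) -> date:
        """Article 12(3): at most two further months in total, and the requester
        must be told the reasons. Returns the new deadline."""
        if months < 1 or self.extension_months + months > 2:
            raise ValueError("extension may not exceed two additional months in total")
        if not reason.strip():
            raise ValueError("an extension must state its reasons")
        self.extension_months += months
        self.extension_reason = reason
        return self.deadline()


def new_request(requester: str, received_iso: str) -> DSAR:
    """Convenience constructor taking an ISO date string (e.g. '2026-03-15')."""
    return DSAR(requester, date.fromisoformat(received_iso))


# Constructed sample data store: hiring records keyed by the data subject.
RECORDS = [
    {"id": 1, "subject": "alice", "category": "interview notes", "privileged": False,
     "text": "Alice interviewed well. Panel: Bob Rivera, Carol Ng."},
    {"id": 2, "subject": "alice", "category": "legal advice", "privileged": True,
     "text": "Counsel's view on the offer terms (legally privileged)."},
    {"id": 3, "subject": "dave", "category": "interview notes", "privileged": False,
     "text": "Dave withdrew after the first round."},
]
# Constructed list of other individuals whose names are redacted (Recital 63).
THIRD_PARTIES = ["Bob Rivera", "Carol Ng"]
_THIRD_PARTY_RE = re.compile("|".join(re.escape(n) for n in THIRD_PARTIES))


def redact_third_parties(text: str) -> str:
    """Replace every third-party name with a redaction marker."""
    return _THIRD_PARTY_RE.sub("[REDACTED]", text)


def compile_response(dsar: DSAR, records=RECORDS) -> dict:
    """Refuse until identity is verified; confirm whether any data is processed;
    then compile disclosed records, withheld items (with the exemption relied on)
    and the supplementary details Article 15(1) calls for."""
    if not dsar.identity_verified:
        raise PermissionError("identity not verified; nothing may be disclosed")
    mine = [r for r in records if r["subject"] == dsar.requester]
    disclosed, withheld = [], []
    for r in mine:
        if r["privileged"]:
            withheld.append({"id": r["id"], "exemption": "legal professional privilege"})
        else:
            disclosed.append({"id": r["id"], "category": r["category"],
                              "text": redact_third_parties(r["text"])})
    return {
        "processing_confirmed": bool(mine),
        "data": disclosed,
        "withheld": withheld,
        "supplementary": {  # constructed placeholder values for the example
            "purposes": ["recruitment"],
            "categories": sorted({r["category"] for r in mine}),
            "recipients": ["hiring panel"],
            "retention": "6 months after the vacancy closes",
        },
        "respond_by": dsar.deadline().isoformat(),
    }


if __name__ == "__main__":
    req = new_request("alice", "2026-01-31")
    req.identity_verified = True          # verification completed out of band
    req.extend(2, "high volume of concurrent requests")
    print(compile_response(req))
```

The gate on `identity_verified` sits inside `compile_response` rather than in the caller so that a request can never reach the redaction and packaging stage unverified; the `withheld` list records which exemption was relied on for each item, which is the explanation the text says organizations owe requesters for a partial response.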

DSAR Costs and Trends: Why Automation Matters for Employers

Manual DSAR handling averages ~USD 1,524 per request, driven by labor-intensive searches and reviews. Usercentrics quantifies this burden, reflecting the time spent on verification, data compilation, and redaction.

A 2024 survey showed a 246% increase in DSAR volumes over the prior two years, amplifying costs for employers. TechRadar links this surge to heightened privacy awareness, putting pressure on organizations to manage higher request loads efficiently.

Automation offers relief: platforms cost $15K–$40K per year but reduce DSAR-related labor by 60–80%, per 2026 analysis from Vistainfosec. For organizations facing rising volumes, these tools streamline verification, data retrieval, and redaction, improving efficiency and reducing the per-request cost significantly.

DSAR Guidance for Job Seekers vs. Employers

For job seekers: Leverage GDPR Article 15 to request personal data from employers or recruiters, such as CVs, interview notes, or rejection reasons. Expect a response within one month, with possible two-month extensions for complexity under Article 12(3). Submit clearly, providing identification to speed verification; there is no cost for straightforward requests. This allows you to review how your data is used in hiring processes.

For employers: Prioritize identity checks and exemptions like legal professional privilege or management planning to protect sensitive data, as outlined in the Data Protection Act 2018. Adhere to one-month timelines, using extensions judiciously with explanations. High volumes and ~USD 1,524 manual costs make automation viable, cutting labor by 60–80% for $15K–$40K annually. Assess request complexity early to apply Recital 63 redactions effectively, balancing compliance with business protections.

This split helps job seekers assert rights while guiding employers on compliant, cost-effective responses.

FAQ

What is a Data Subject Access Request (DSAR)?
A DSAR is an individual's request to access personal data held by an organization, under GDPR Article 15 and the Data Protection Act 2018, including confirmation of processing and a copy of the data.

How long does an organization have to respond to a DSAR?
Organizations must respond within one month under UK GDPR and the Data Protection Act 2018.

What exemptions allow organizations to withhold DSAR data?
Exemptions include legal professional privilege, management planning, crime/taxation under the Data Protection Act 2018, and protecting others' rights per GDPR Recital 63.

How much does handling a manual DSAR cost on average?
Manual DSARs average ~USD 1,524 per request.

Can the DSAR response timeline be extended?
Yes, by up to two months under Article 12(3) for complex or numerous requests, with notification to the requester.

Why have DSAR volumes increased recently?
A 2024 survey reported a 246% increase over the past two years, tied to growing privacy awareness.

To proceed, job seekers can draft a simple email request citing Article 15; employers should audit DSAR processes and evaluate automation for efficiency.