PUBLISHED ON 2026-04-17

How to Respond to a DSAR Under GDPR & CCPA (2026 Guide)

A customer emails you asking for a copy of every piece of personal data your company has ever collected about them. A former employee demands deletion. A rights activist in Germany submits a form request asking where your vendors send their data. Welcome to the world of the data subject access request — and if you run a website, app, or SaaS that touches EU or California residents, handling one correctly is not optional.

A data subject access request (DSAR) is the formal mechanism individuals use to exercise their privacy rights. The General Data Protection Regulation (GDPR) calls it a "right of access" request. The California Consumer Privacy Act (CCPA), as amended by the CPRA, calls it a "right to know" or "right to access" request. They overlap heavily in practice, but the deadlines, scope, and verification rules differ in ways that trip up small teams every day. This guide walks through exactly how to respond, step by step, with timelines, templates, and the mistakes that most often lead to complaints.

What Is a Data Subject Access Request?

A DSAR is a request from an individual — a "data subject" under GDPR or a "consumer" under CCPA — asking a business to disclose what personal information it holds about them, why it was collected, who it was shared with, and, in some cases, to correct or delete it. The request does not have to follow any particular form. A tweet, an email sent to your support address, a form submission, or a letter all count. The obligation to respond is triggered the moment a reasonable reader would recognize it as a rights request.

Under GDPR Article 15, individuals in the European Economic Area and the United Kingdom can ask for confirmation that you process their data, a copy of that data, and a range of contextual information: categories of data, purposes, recipients, retention periods, and the source if you did not collect it from them directly. Under the CCPA as amended, California residents can request the specific pieces of personal information collected about them, the categories of personal information, the categories of sources, the business purpose, and the categories of third parties with whom it was shared or sold.

The practical upshot: you need a system for receiving, verifying, and fulfilling these requests before the first one lands. Reacting cold to a DSAR almost always blows the clock.

Who Must Comply?

GDPR applies if you offer goods or services to people in the EU/UK, monitor their behavior (think: analytics or ad tracking), or have an establishment in Europe — regardless of where your servers live. CCPA applies if you do business in California and meet one of three thresholds: annual gross revenue over $25 million, buying or selling personal information of 100,000 or more California consumers, or deriving 50% or more of annual revenue from selling or sharing personal information. Smaller startups often fall under GDPR but outside CCPA; e-commerce brands with wide reach frequently hit both.

Even if your business sits below the CCPA thresholds today, you should still build a DSAR workflow. Growth is fast, state laws are multiplying, and offering a response process is a trust signal. See our CCPA vs GDPR differences explained for a side-by-side comparison of who each law covers.

Response Deadlines at a Glance

Missing a deadline is the single most common cause of regulator complaints. Here is the clock for each major framework.

| Law | Base Deadline | Permitted Extension | Look-Back Window |
|---|---|---|---|
| GDPR (EU/UK) | 1 month from receipt | Up to 2 more months if complex | No fixed limit — all data held |
| CCPA/CPRA (California) | 45 days from receipt | Up to 45 more days with notice | 12 months prior (extended for certain requests) |
| Virginia VCDPA | 45 days | 45 more days with notice | No fixed limit |
| Colorado CPA | 45 days | 45 more days with notice | No fixed limit |

The clock under GDPR starts when you receive the request — not when you verify the requester's identity. Under CCPA, the 45-day window begins on receipt as well, even if verification is still pending. Build your intake process on the assumption that you have, realistically, about three weeks to gather data and prepare a response, with the rest of the window reserved for review and delivery.

The Six-Step DSAR Response Workflow

Every DSAR, regardless of jurisdiction, can be broken into the same six stages. Document each one in writing so you have a defensible audit trail.

1. Acknowledge Receipt Immediately

Send a short acknowledgment within one or two business days. State that you received the request, the date you received it, the jurisdiction-relevant deadline, and what identity verification you will need. This single step dramatically lowers complaint rates because requesters almost always escalate when they hear nothing.

2. Verify Identity

You must take "reasonable steps" to confirm the requester is who they claim to be. Under GDPR, this might mean matching the request to an existing account or asking for a piece of information only the account holder would know. Under CCPA, regulations distinguish between requests for categories of data (lower verification bar) and requests for specific pieces (higher bar — typically two or three data points, or a signed declaration under penalty of perjury for sensitive data).

Do not ask for more information than you need. Requiring a passport scan to verify a newsletter subscriber's email is disproportionate and itself a GDPR violation. If you cannot verify after a reasonable attempt, deny the request in writing and explain why.

3. Scope the Request

Determine exactly what the requester is asking for. Is it all data, or just marketing data? A specific time range? A copy, or deletion, or both? If the request is ambiguous, clarify in writing — but keep the clock running. Log every clarification email.

4. Search Every System

Personal data lives in more places than most teams remember. A complete search typically includes:

  • Production databases and user account records
  • CRM and marketing automation tools
  • Email archives and help desk tickets
  • Payment processors and billing systems
  • Analytics platforms and event streams
  • Data warehouses, backups, and log files
  • Third-party processors that store data on your behalf

Keep a data map — a living inventory of where personal data sits across your stack. A good map turns a panicked three-day search into a forty-minute checklist. If you do not have one, building one is the best first project after fielding your first DSAR.

5. Prepare and Review the Response

Compile the disclosure in a structured, portable format — usually a PDF or a secure download link with JSON or CSV attachments. Redact personal information of other individuals that appears alongside the requester's data; their privacy is not overridden by the request. Exclude information protected by legal privilege, trade secrets, or a narrowly applicable exemption in the relevant law.

Have a second pair of eyes review before sending. This is the stage where mistakes leak other users' data into a stranger's inbox — by far the most damaging error a DSAR can produce.

6. Deliver Securely and Log Everything

Send the response through a secure channel: an authenticated download portal, a password-protected archive sent separately from the password, or an encrypted email. Track the delivery. Then log the entire file — request, verification, search, response, delivery timestamp — and retain it for at least as long as your data retention policy requires. Regulators will ask to see this log during any investigation.
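As an added example (not code from the original article), here is a small Python sketch of steps 4 and 5 with the deadline from the table above: it keeps only the verified requester's rows from the systems searched, masks other people's e-mail addresses in free-text fields so they do not leak into the export, and stamps the statutory response date on the disclosure record. The record layout, field names, sample rows and the one-month/45-day computation are assumptions for illustration.

```python
import calendar
import json
import re
from datetime import date, timedelta

# Constructed sample data, not real records: the verified requester plus rows pulled
# from several systems. One CRM note and one help-desk ticket mention a second person.
REQUESTER = {"user_id": "u-1001", "email": "alice@example.com"}
RECORDS = [
    {"system": "accounts", "user_id": "u-1001", "email": "alice@example.com"},
    {"system": "crm", "user_id": "u-1001", "notes": "Renewal call with bob@example.com"},
    {"system": "helpdesk", "user_id": "u-2002", "email": "bob@example.com", "body": "other ticket"},
    {"system": "helpdesk", "user_id": "u-1001", "body": "cc alice@example.com and bob@example.com"},
]
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def response_deadline(received_iso, law):
    """Base deadline as an ISO date: CCPA 45 days; GDPR the same day next month
    (or the last day of that month when the day does not exist)."""
    received = date.fromisoformat(received_iso)
    if law == "CCPA":
        return (received + timedelta(days=45)).isoformat()
    month = received.month % 12 + 1
    year = received.year + (1 if received.month == 12 else 0)
    day = min(received.day, calendar.monthrange(year, month)[1])
    return date(year, month, day).isoformat()


def redact_third_parties(record, requester):
    """Mask every e-mail address in a string field that is not the requester's own."""
    def mask(m):
        return m.group(0) if m.group(0).lower() == requester["email"].lower() else "[REDACTED]"
    return {k: (EMAIL_RE.sub(mask, v) if isinstance(v, str) else v) for k, v in record.items()}


def build_disclosure(records, requester, received_iso, law):
    """Keep only the requester's rows, redact others' data, and attach the audit fields."""
    own = [redact_third_parties(r, requester) for r in records
           if r.get("user_id") == requester["user_id"]]
    return {
        "request_received": received_iso,
        "law": law,
        "respond_by": response_deadline(received_iso, law),
        "systems_searched": sorted({r["system"] for r in records}),
        "records": own,
    }


if __name__ == "__main__":
    print(json.dumps(build_disclosure(RECORDS, REQUESTER, "2026-01-31", "GDPR"), indent=2))
```

The "systems_searched" and "respond_by" fields are the kind of detail the step 6 log should retain; a second reviewer still reads the redacted output before it is delivered.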

When You Can Refuse or Charge a Fee

Both GDPR and CCPA expect you to respond for free in almost every case. You may, however, refuse or charge a reasonable fee when requests are "manifestly unfounded" or "excessive" — for example, the same person submitting weekly requests with no material change. The bar is high. Regulators rarely find a single or occasional request to be excessive, and "it took our team a lot of work" is not a legal defense.

You can also deny specific categories of data, not the entire request. If a requester asks for their account data plus internal emails about them, you may disclose the former and withhold the latter if disclosure would reveal trade secrets or another person's personal data. Explain what you are withholding and why.

Building a Self-Service DSAR Portal

Once you pass a few dozen requests a year, manual handling becomes a risk in itself. A self-service portal — a web form behind identity verification that lets users download their data — reduces response time, lowers cost, and creates a consistent audit trail. Many SaaS platforms now offer DSAR automation either as a feature or via integration.

At minimum, your intake page should live at a predictable URL (often /privacy-requests or linked from the privacy policy footer), accept email submissions, and confirm receipt automatically. Your privacy policy must describe how to submit a request and what to expect. If you sell or share personal information under CCPA, you also need a "Do Not Sell or Share My Personal Information" link on your homepage. Our legal pages checklist covers every required page in one place.

Common Mistakes That Trigger Complaints

Privacy regulators publish enforcement summaries each year, and the same mistakes show up again and again:

  1. Silent treatment. Failing to acknowledge receipt, so the requester assumes you ignored them and files a complaint.
  2. Excessive verification. Demanding government ID or notarized signatures when account credentials would suffice.
  3. Missed scope. Returning only what is easy to export and quietly omitting CRM notes, support chat transcripts, or backup systems.
  4. Leaked third-party data. Exporting raw records that include other users' emails, names, or IDs.
  5. Insecure delivery. Sending the response as an unprotected attachment to an unverified email address.
  6. No log. Having nothing on file when a regulator asks for the response record six months later.

Each of these is avoidable with a written procedure and a two-person review step. The cost of a bad DSAR response is measured in regulator fines, customer churn, and public complaints.

DSAR in a Multi-Jurisdictional World

As of 2026, more than a dozen U.S. states have enacted comprehensive privacy laws, and each creates its own flavor of access right with its own deadline, verification rules, and exemptions. Rather than run separate workflows, most mid-sized teams pick the strictest standard — typically GDPR's one-month default — and apply it globally. That approach costs slightly more in operational effort but almost entirely eliminates the risk of missing a state-specific deadline.

If your business transfers personal data outside the EU, you will also want a data processing agreement in place with any processor handling DSAR-relevant data, because they will often need to participate in the response. See our guide on what a DPA is and when you need one.

Template: DSAR Acknowledgment Email

Copy and adapt the following for your intake process. Keep it short and specific.

Hello [Name],

Thank you for submitting a privacy rights request on [Date]. We have logged it under reference #[ID]. To verify your identity, please confirm the email address associated with your account and the approximate date you created it. Once verified, we will respond within [one month / 45 days] as required by [GDPR / the CCPA]. If the request is complex, we may extend that window and will notify you before doing so.

If you have any questions in the meantime, reply to this email.

[Your Privacy Team]

Frequently Asked Questions

Do I have to respond to a DSAR from someone who is not a customer?

Yes, if you hold personal data about them. The right applies to any data subject — website visitors, newsletter subscribers, prospective customers, and former employees all qualify under GDPR. CCPA applies to California "consumers," which includes anyone whose personal information you have processed.

Can I charge a fee to fulfill a DSAR?

Only in narrow cases. Both GDPR and CCPA require responses to be free except when requests are manifestly unfounded or excessive, in which case you may charge a reasonable fee or refuse. Most requests do not qualify. See the UK ICO's guidance on the right of access for detailed criteria.

What happens if I miss the deadline?

The requester can file a complaint with their local supervisory authority (for GDPR) or the California Privacy Protection Agency (for CCPA). Regulators generally contact you first and give you a chance to respond late. Repeated or willful missed deadlines can lead to enforcement action and fines. GDPR fines can reach up to the greater of €20 million or 4% of global turnover; CCPA penalties are assessed per violation.

Do I need to hand over backups and archived data?

GDPR treats backups as "in scope" but regulators generally accept that immediate retrieval from tape or cold storage is disproportionate. Document your backup deletion cycle and explain the timeline in your response. You do need to honor the request once the data cycles back into active systems.

Can I require the request to come from a specific email or form?

No. You can offer a preferred channel, but you cannot refuse a request simply because it came by a different route. Train support staff to recognize and escalate rights requests received in any mailbox.

What counts as "personal data" for a DSAR?

Any information relating to an identified or identifiable person. That includes obvious items like names and emails, but also device identifiers, IP addresses, cookie IDs, location data, inferred preferences, and customer support transcripts. Our privacy policy primer explains the scope in plain English.

Does a DSAR apply to pseudonymized analytics data?

If the data can be linked back to a person — even indirectly — it is in scope. A hashed user ID tied to a cookie that maps to an account is personal data. Truly anonymized data is out of scope, but the bar for "truly anonymized" is high under GDPR's guidance.

This article is for informational purposes only and is not legal advice. Consult a qualified attorney for your specific situation.

For further reading on how the major privacy frameworks compare, see the European Data Protection Board and the California Attorney General's CCPA resource page.