
How to Handle a Subject Access Request for GDPR

Paige Harris 2/28/22 10:13 AM


When running an online store or an entrepreneurial endeavor solo, using online services like e-commerce platforms and website hosting services is essential. But when you outsource your infrastructure, where does that leave your clients' and customers' personal data and right to online privacy?

To ensure the security of data that's been entrusted to you, it may at some point be necessary to send a Subject Access Request (SAR). Working with companies and platforms that operate under the GDPR can offer significant data security benefits. Still, the Subject Access Request process may seem daunting if your company hasn't handled one before. So, what is a Data Subject Access Request (DSAR), and how does it work?



What Is a Subject Access Request?

A Subject Access Request (SAR) is when an individual or brand representative asks for access to the data and information that a company or service provider has collected about them.

It doesn't have to be an official request. For example, you can make a SAR verbally in person. If that's not possible, you can do it in writing through an email or a letter, or even through direct contact with the brand via social media.



It's important to note that brands and corporations subject to privacy laws legally cannot ignore a Subject Access Request. As an individual or a business that interacts with the company, you have the right to access your personal information on their servers. While it varies by the privacy policy and industry, you can expect your request to be fulfilled within about a month. If it will take longer, the company should ideally reach out with an estimated date.


Your DSAR Privacy Information

A Data Subject Access Request (DSAR) relates to the individual's privacy and information. It gives you the right to request a copy of all the company's data and information about you or your clients. You also have the right to know what they're using this data for, make corrections to incorrect information, and learn the names of all third-party organizations they share your data and information with.


Who Can Request a DSAR?

With minor exceptions, every individual, employee, ex-employee, and business has the right to request a DSAR from any corporate entity that handles and stores client data and information. Tax and criminal records are often excluded from the regulation.

SAR and DSAR requests are generally handled on a case-by-case basis. The provider has the right to deny a DSAR if they find it to be excessive or repetitive. If the company that receives your DSAR thinks that scraping their databases and servers for specific information may negatively affect their operations, they might deny your request fully or partially.


What Is Included in a Subject Access Request?

Most of the time, a DSAR only asks for a handful of details about your personal data. While some data and information are exempt, responding to a data subject access request is mandatory by law.


What Can You Ask for in a Subject Access Request

Most companies will only provide access to the bare minimum for DSAR compliance. However, if you're more specific and direct with your request, you can receive more detailed information, such as:

  • Whether they have specific data on you or not
  • How they collect your data
  • What they're using your data for
  • Who they're sharing your data with
  • How long they'll be keeping your data
  • The security measures they have in place to keep your data safe
  • Whether they use your information for targeted marketing, profiling, or automated decision-making
  • Your data privacy rights
  • Your rights to challenge the accuracy of the information they have on you and whether you'd like them to delete it

Any other information needs to be explicitly stated in the request.


What Information Can Be Withheld?

A DSAR can't force a company to grant access to data that they process for management planning or management forecasting reasons for their business and financial activities. They can also refuse to comply with any request deemed excessive beyond reason. Such data isn't included in the "Right of Access," as it can be used against the brand. Anything that would take up too much time to search for and collect also falls within the exemption.


How Do You Write an Email Asking for Access?

Most websites, services, and online platforms that regularly handle user data and information, like Shopify, Wix, and Squarespace, have a dedicated page that outlines how they process GDPR data requests and access permissions. While it's established that companies are required by law to meet your DSAR request, it's essential to word it properly to avoid falling into grey territory.


DSAR Writing examples

DSAR requests are quite forgiving and don't have a strict layout. However, here are a few DSAR writing examples and tips you should consider when drafting your email.


A clear subject

Cut straight to the point by titling your email: "Data Subject Access Request DSAR." This eliminates confusion and misunderstandings, ensuring your email is captured by any existing DSAR filters.


Introduce yourself

Companies can't hand out your personal data to anyone asking without verification of your identity, so be sure to state your full name in the message. In some cases, simply using the same email as your account is enough. But more often than not, you may have to provide proof of identity.

State your full name, date of birth, address, and phone number. Occasionally, you may have to include an official document such as your driver's license, civil ID, or passport.


Be specific

If your letter is only framed as a generic DSAR, you could end up receiving a copy of your data and nothing more. You can ask for any and all of the information mentioned in the above section. Make sure you state the information you're expecting to receive in clear bullet points.


Follow up as needed

The GDPR gives companies one month to deliver the request and two additional months if they notify you of an extension during the first month. But it's important to note that emails sometimes slip through the cracks. If you don't receive a prompt reply, don't hesitate to follow up, and state the date of the original email to avoid starting the timeline from scratch.


Ask for help

While the laws and regulations are the same, companies handle their DSAR requests differently. Some companies provide you with a template of their own that streamlines the data access request process. If you find yourself at a dead end, reach out for help.


Can Enzuzo Help Me With Managing Data Subject Access Requests?

When running an online store through third-party platforms, you don't just have your own data to worry about. To ensure your business's sound reputation and compliance with data privacy laws and regulations, you also need to keep track of all data your clients and customers entrust you with.

Enzuzo can help you efficiently manage data privacy for your store. It's the fastest way to create, customize, and launch privacy tools on your eCommerce site. On top of handling your data compliance policies and consent forms, Enzuzo can also help you with data access requests.

Enzuzo compiles all data access requests into a single location and automates everything from identity verification to content and timeline compliance so you never miss a request. It can also help you request DSARs from the platforms you're using in order to complete a client's data subject access request, without having to draft emails from scratch.


Paige Harris

Paige is the growth marketing lead at Enzuzo and host of The Living Lab podcast, providing insightful articles in the privacy space.