When an individual submits a Data Subject Access Request (DSAR), an organization must determine exactly what information should be disclosed. Many businesses mistakenly believe that responding to a DSAR simply involves sending a copy of a customer record or account profile. In reality, the obligation is broader.
Under the General Data Protection Regulation, organizations must provide both the personal data itself and additional contextual information about how that data is processed. This requirement exists to ensure transparency and allow individuals to understand how their information is collected, used, shared, and stored.
For businesses, identifying what personal data must be included in a DSAR response is one of the most complex parts of the process. Personal data may exist across multiple systems, including databases, internal documents, communication platforms, and archived files. Organizations must carefully locate and evaluate this information while protecting the rights of other individuals.
Understanding the Right of Access
The obligation to provide personal data in response to a DSAR comes from the right of access established by Article 15 of the General Data Protection Regulation. This right allows individuals to:
- confirm whether their personal data is being processed
- obtain a copy of the personal data held about them
- receive information about how and why the data is processed
The purpose of the right of access is to give individuals meaningful insight into how organizations handle their information. A DSAR response must therefore include more than raw datasets; it must provide information that allows the individual to understand the context of processing.
Organizations must also ensure that responses are clear and accessible. Providing large volumes of disorganized data without explanation may not satisfy regulatory expectations.
What Qualifies as Personal Data
Before determining what must be included in a DSAR response, organizations must understand what counts as personal data. Under the General Data Protection Regulation, personal data refers to any information relating to an identifiable individual. An individual may be identifiable directly or indirectly through identifiers such as:
- names
- identification numbers
- location data
- online identifiers
- factors specific to physical, economic, or social identity
This broad definition means that personal data can appear in many forms, including structured records, internal communications, and digital logs. As a result, organizations must conduct careful searches across their systems to identify relevant data when responding to a DSAR.
Core Personal Data That Must Be Disclosed
At the most basic level, a DSAR response must include a copy of the personal data held about the requester. The exact information varies depending on the organization and the nature of its services, but typical examples include several key categories.
Account and Identity Information
Organizations must provide personal information that identifies the individual within their systems. Examples include:
- full name
- username or account identifier
- email address
- phone number
- billing or delivery address
These records are usually stored in customer databases, user management systems, or account registration platforms. Providing this information helps confirm what identifying details the organization maintains.
Transaction and Service Records
If the individual has interacted with the organization as a customer or user, relevant records of those interactions may also qualify as personal data. Examples include:
- purchase histories
- subscription records
- service usage logs
- support tickets
These records often reveal how an individual has interacted with a product or service over time. Organizations should ensure that the data provided clearly relates to the individual making the request.
Communications and Correspondence
Emails, messages, and other communications may also contain personal data. Relevant examples include:
- customer support conversations
- email exchanges with staff
- chat transcripts
- feedback submitted by the user
If these communications contain information about the requester, they may need to be included in the DSAR response. However, organizations must carefully review communications that involve multiple individuals to ensure that the privacy rights of others are protected.
Behavioral and Usage Data
Many digital services collect behavioral data about how individuals interact with websites, applications, or platforms. Examples include:
- website activity logs
- application usage records
- login history
- device identifiers
When this data can be linked to an identifiable individual, it may qualify as personal data and should be included in the response. Organizations should ensure that such data is presented in a clear and understandable format.
Marketing and Profiling Data
Companies frequently store information about marketing preferences and behavioral profiles. This data may include:
- email marketing preferences
- advertising segmentation categories
- customer profiling information
- records of consent for marketing communications
If these records relate to the individual, they must be included in the DSAR response. Providing this information helps individuals understand how they are targeted or categorized by organizations.
Additional Information That Must Accompany the Data
In addition to the personal data itself, organizations must provide several categories of supplementary information required by the General Data Protection Regulation. This contextual information helps individuals understand how their data is being processed.
Purposes of Processing
Organizations must explain why personal data is being processed. Typical purposes may include:
- providing services
- processing transactions
- customer support
- marketing activities
- fraud prevention
Clearly explaining these purposes allows individuals to understand the role their data plays in the organization’s operations.
Categories of Personal Data
The DSAR response should describe the categories of personal data being processed. Examples may include:
- contact information
- account details
- transaction data
- behavioral data
This explanation helps individuals understand the types of data collected and maintained by the organization.
Recipients of Personal Data
Organizations must also indicate whether personal data has been shared with third parties. Examples of recipients may include:
- payment processors
- cloud service providers
- analytics platforms
- marketing partners
The DSAR response should identify either specific recipients or categories of recipients. Transparency about data sharing is a key objective of the regulation.
Data Retention Periods
Organizations must inform individuals how long their personal data will be stored. If a specific retention period cannot be provided, the organization should explain the criteria used to determine how long data is kept.
Examples may include:
- legal requirements
- contractual obligations
- internal data retention policies
Providing this information helps individuals understand when their data may be deleted.
Rights Available to the Individual
The DSAR response should also inform the individual about their additional rights under the General Data Protection Regulation. These rights may include:
- the right to rectification
- the right to erasure
- the right to restrict processing
- the right to object to processing
Providing this information ensures individuals understand the broader set of rights available to them.
Situations Where Data May Be Limited or Redacted
Although DSAR responses must be comprehensive, organizations are not required to disclose information that would infringe upon the rights of others. Certain limitations may apply.
Protecting the Rights of Other Individuals
If a document contains personal data about multiple individuals, organizations may need to redact information that relates to others. For example, an email chain may include references to multiple employees or customers. Organizations must balance the requester’s right of access with the privacy rights of others.
Confidential Business Information
In some circumstances, organizations may withhold information that constitutes confidential business data. Examples may include:
- trade secrets
- proprietary algorithms
- internal strategic documents
However, these exceptions must be applied carefully and only where justified.
Practical Steps for Identifying Personal Data
To respond effectively to DSARs, organizations should develop structured procedures for locating personal data. Common steps include:
- Identifying systems that store personal data
- Searching databases and internal platforms
- Reviewing communications and documents
- Evaluating whether the information relates to the requester
Many organizations also maintain data inventories or data maps that document where personal data is stored. These resources can significantly simplify the DSAR response process.
The Role of DSAR Management Tools
Because personal data may exist across many systems, responding to DSARs can require coordination across multiple teams. Organizations increasingly rely on specialized tools to manage these processes.
Platforms such as Dsarify help businesses organize DSAR workflows, track requests, and compile relevant data from internal systems. Using structured tools reduces the risk of missed information and helps organizations maintain consistent compliance practices.
Conclusion
Responding to a Data Subject Access Request requires organizations to provide more than a simple record of customer information. Under the General Data Protection Regulation, businesses must disclose a wide range of personal data along with contextual details explaining how that data is processed.
This includes identity information, transaction records, communications, behavioral data, and marketing profiles, as well as information about processing purposes, data recipients, and retention periods.
For businesses, understanding what must be included in a DSAR response is critical for maintaining compliance and ensuring transparency. Organizations that develop structured data discovery processes and clear response procedures will be better prepared to handle DSARs efficiently while protecting the rights of individuals.
