The right to access personal data is one of the most important rights individuals have under modern privacy laws. Under the General Data Protection Regulation, individuals can request access to the personal information that organizations hold about them through what is known as a Data Subject Access Request (DSAR).
For businesses, understanding who can submit a DSAR is essential. Many organizations assume that only customers can make these requests, but the law is much broader. Employees, website visitors, former clients, and even authorized representatives may all have the right to submit requests for personal data.
Failing to recognize a legitimate DSAR can create serious compliance risks. If an organization ignores or mishandles a valid request, it may face regulatory complaints, investigations, or enforcement actions.
Understanding the Right of Access
The legal foundation for DSARs comes from Article 15 of the General Data Protection Regulation, which establishes the right of access. This right allows individuals to:
- confirm whether their personal data is being processed
- obtain access to that personal data
- receive additional information about how the data is used
The purpose of this right is to promote transparency and accountability. Individuals should be able to understand how organizations collect, store, and use their personal information. To exercise this right, individuals submit a Data Subject Access Request. The key point is that the right belongs to the individual whose data is being processed, not to the organization that holds the data.
Who Qualifies as a Data Subject
To understand who can submit a DSAR, businesses must first understand the concept of a data subject. Under the General Data Protection Regulation, a data subject is an identifiable natural person whose personal data is processed by an organization. A natural person refers to a living individual. This means:
- the GDPR protects people
- it does not apply to companies or legal entities
If an organization processes personal data that relates to a person, that individual becomes a data subject and gains certain rights under the regulation. These rights include the ability to submit a DSAR.
Customers and Service Users
Customers are one of the most common groups that submit DSARs.
When a business collects personal information during transactions, registrations, or service usage, that information falls within the scope of the General Data Protection Regulation. Examples of customer data include:
- account registration details
- purchase histories
- customer support interactions
- payment records
- marketing profiles
Because businesses rely heavily on personal data to provide services, customers frequently want to know what information is stored about them. A typical DSAR from a customer might ask for:
- all personal data held by the company
- records of interactions
- copies of communications
- details about how the data has been used
Organizations must treat these requests seriously and provide the required information within the legal timeframe.
Employees and Former Employees
Employees represent another major category of individuals who submit DSARs. Organizations collect large amounts of personal data during employment, including:
- recruitment records
- employment contracts
- performance reviews
- payroll information
- internal communications
Because of the amount of information involved, employee DSARs can be particularly complex. Former employees may submit requests to access records related to their employment, especially during disputes or investigations. For example, a former employee might request:
- copies of performance evaluations
- HR communications
- disciplinary records
- internal emails mentioning their name
Employers must carefully review such requests and identify personal data that relates specifically to the requester. However, organizations must also consider the privacy rights of other individuals whose information may appear in the same records.
Website Visitors and Online Users
People who interact with websites or online services can also submit DSARs if their personal data has been collected. Many websites collect personal data through:
- user accounts
- analytics tools
- cookies
- tracking technologies
- newsletter subscriptions
Even if the user never becomes a customer, the organization may still process their personal data. For example, a website visitor might submit a request asking:
- what information was collected through cookies
- whether analytics data identifies them
- whether their data was shared with third parties
Organizations must determine whether they hold personal data that can be linked to the individual making the request. If such data exists, the individual has the right to access it.
Business Contacts and Professional Relationships
Individuals who interact with companies in a professional capacity may also have DSAR rights.
Examples include:
- suppliers
- contractors
- consultants
- job applicants
- business partners
Even though these individuals interact with organizations as part of professional activities, their personal data is still protected.
For example, a consultant might request access to:
- communications with the company
- records stored in internal systems
- information included in project documentation
If the data relates to an identifiable person rather than a corporate entity, the individual may submit a DSAR.
Job Applicants
Job applicants are often overlooked when businesses consider DSAR obligations.
Recruitment processes frequently involve collecting large amounts of personal data, including:
- resumes and CVs
- cover letters
- interview notes
- background checks
- candidate assessments
Applicants may request access to this information to understand how hiring decisions were made.
For example, a candidate might ask for:
- notes taken during interviews
- evaluation records
- communications between hiring managers
Organizations must evaluate these requests carefully and provide relevant personal data where appropriate.
Former Customers or Former Users
Individuals do not lose their DSAR rights simply because their relationship with a company has ended. Former customers can still submit requests regarding data collected in the past. For example, a former subscriber might request:
- copies of account information
- marketing records
- transaction history
If the organization still retains that data, it must respond to the DSAR.
This is why data retention policies are important. Companies should clearly define how long personal data is stored and when it should be deleted.
Authorized Representatives
In some cases, a DSAR may be submitted by a third party acting on behalf of the data subject. Common examples include:
- lawyers representing clients
- parents acting for children
- legal guardians representing vulnerable individuals
Organizations must verify that the representative has the legal authority to act on behalf of the individual. This usually requires documentation such as:
- written authorization
- power of attorney
- legal guardianship documents
Without proper verification, organizations should not disclose personal data to the representative.
Parents or Guardians Acting for Children
Children are also protected under the General Data Protection Regulation. If an organization processes the personal data of a child, that child has the right to access their information. However, because children may not always exercise their rights independently, parents or legal guardians may submit DSARs on their behalf. Organizations should evaluate:
- the age of the child
- the legal authority of the parent or guardian
- whether disclosure is in the child’s best interests
Proper verification procedures are important before releasing any information.
Individuals Located in the European Union
The GDPR primarily protects individuals located within the European Union. However, the regulation also applies to organizations established outside the EU if they:
- offer goods or services to people in the EU
- monitor the behavior of individuals in the EU
This means that companies around the world may receive DSARs from EU residents. For example, an online service based outside Europe may still be subject to the General Data Protection Regulation if it serves European customers. Businesses operating internationally must therefore be prepared to handle requests from individuals in multiple jurisdictions.
Who Cannot Submit a DSAR
While the right of access is broad, not every request qualifies as a DSAR. Certain types of entities do not have DSAR rights.
Companies and Legal Entities
The GDPR protects natural persons, not corporations. A business cannot submit a DSAR about corporate data.
Anonymous Individuals
A request cannot be fulfilled for someone the organization cannot identify. If an organization has reasonable doubts about who is making the request, it may ask for additional information to verify identity before responding.
Requests for Non-Personal Data
If the information requested does not relate to an identifiable individual, the request may fall outside the scope of the regulation. Organizations should carefully evaluate requests to determine whether they involve personal data protected by the GDPR.
Verifying the Identity of the Requester
Before responding to a DSAR, organizations must verify the identity of the requester. This step is critical because releasing personal data to the wrong person could create a serious privacy breach.
Verification methods may include:
- confirming account credentials
- requesting identification documents
- verifying email addresses associated with accounts
The level of verification should be proportionate to the sensitivity of the data involved. Organizations should avoid collecting excessive additional information during the verification process.
Why Businesses Must Understand DSAR Eligibility
Understanding who can submit a DSAR is essential for compliance. If organizations fail to recognize legitimate requests, they risk:
- regulatory complaints
- reputational damage
- legal disputes
At the same time, companies must avoid disclosing personal data to unauthorized individuals. Clear policies, employee training, and structured DSAR workflows help ensure requests are handled properly. Many organizations also rely on dedicated tools, such as Dsarify, to track and manage requests efficiently.
Conclusion
Under the General Data Protection Regulation, any identifiable individual whose personal data is processed by an organization has the right to submit a Data Subject Access Request.
This includes customers, employees, website users, applicants, and other individuals whose data is stored by a company. In some cases, authorized representatives such as lawyers or parents may submit requests on behalf of data subjects.
For businesses, recognizing these requests and responding appropriately is a critical part of data protection compliance. Organizations that develop clear processes for identifying and handling DSARs will be better positioned to meet regulatory requirements, maintain transparency, and build trust with the individuals whose data they process.
