You suspect a company is holding more data on you than they should — or you just want a copy of everything they have. The legal mechanism is a Data Subject Access Request (DSAR), and under GDPR Article 15 it costs nothing, requires no special form, and almost always works. Here is how to do it correctly the first time.
What Article 15 Actually Gives You
GDPR Article 15(1) gives every data subject the right to obtain from a controller:
- Confirmation that they are processing your personal data (yes/no)
- A copy of that data
- The purposes of processing
- The categories of data concerned
- The recipients (or categories of recipients) it has been disclosed to — including in third countries
- How long they intend to keep it (or the criteria they use to decide)
- The existence of your rights to rectification, erasure, restriction, and objection
- The right to lodge a complaint with a supervisory authority
- Where the data came from, if not collected from you directly
- The existence of automated decision-making, including profiling, and meaningful information about the logic involved
The "copy" obligation in Article 15(3) is the part companies most often try to dilute. It means an actual copy of the personal data — not a vague summary, not a screenshot of an admin panel, not "we hold name, email, and order history."
How to File a Valid DSAR
You do not need a form, a lawyer, or a fee. An email is enough. The request is valid as long as it makes clear (a) who you are, (b) that you are requesting your personal data, and (c) what scope you want.
Subject: Subject Access Request — [Your full name]
Dear [Controller],
Under Article 15 of the GDPR (and the UK GDPR if applicable), I am requesting access to all personal data you hold about me, together with the supplementary information listed in Article 15(1)(a)–(h).
Please include: account data, transaction history, support correspondence, internal notes, marketing-segment tags or scores assigned to me, recordings of any calls, and any data shared with third parties (including for advertising or analytics).
My identifiers: [email address(es)], [account ID if known], [phone number].
Please respond within one month as required by Article 12(3). Confirm receipt by return.
Use the email address you registered with, or attach a recent invoice as proof of identity. The controller can ask for "reasonable" verification but cannot demand a passport or government ID for a routine consumer DSAR.
The One-Month Deadline (and the Two-Month Extension)
Under Article 12(3), the controller must respond within one month of receiving your request. They can extend this by up to two further months for complex or numerous requests, but they must notify you of the extension — and the reason — within the original one-month window. Silence past month one is a breach. A "we'll get back to you" with no extension reason is a breach.
Free, Except for the Manifestly Unfounded Carve-Out
Article 15(3) requires the first copy to be free. The controller can charge a "reasonable fee based on administrative costs" only for additional copies, or refuse a request that is "manifestly unfounded or excessive" (Article 12(5)) — and they bear the burden of proving it. In practice, this exception is narrow: filing a DSAR after a complaint, or filing one alongside an erasure request, is not "manifestly unfounded."
What to Do When They Refuse or Stall
- Send a follow-up on day 31 citing Article 12(3) and the absence of any extension notice.
- Lodge a complaint with your supervisory authority. EU residents: your national DPA (CNIL in France, AEPD in Spain, Datatilsynet in Denmark, etc.). UK residents: the Information Commissioner's Office (ICO) at ico.org.uk.
- Keep a paper trail. Forward every email to a separate folder. Note exact dates. Supervisory authorities care about timestamps.
Most companies cooperate within 31 days once a complaint is filed, because the alternative is a regulator-led audit of their entire DSAR pipeline.
One Limit Worth Knowing
Article 15(4) says the right to a copy "shall not adversely affect the rights and freedoms of others." This lets controllers redact third-party personal data (e.g. someone else's email visible in a support thread). It does not let them redact your data, internal scoring of you, or the names of company staff acting in a professional capacity.
Fix AI lets you practice DSAR escalations against AI agents that try to fob you off with "we already gave you that information." Sharpen the script before you need it.