The Anatomy of a DSAR: What Exactly Can a User Request?
Author: Jerisaliant
What Is a DSAR?
A Data Subject Access Request (DSAR) is a formal request by an individual to a data controller to exercise their rights under data protection law. While the term "DSAR" is most associated with the GDPR's right of access (Article 15), it has expanded in practice to encompass all data subject rights. Understanding the full scope of what users can request is critical for building a compliant response process.
With the DLA Piper GDPR Fines and Data Breach Survey (January 2025) reporting an average of 363 data breach notifications per day, and regulators increasingly focused on data subject rights enforcement, organizations cannot afford to mishandle DSARs.
The Core GDPR Rights
Right of Access (Article 15)
The most common DSAR type. Data subjects can request:
- Confirmation of whether their personal data is being processed
- A copy of all personal data held about them
- Information about purposes, categories of data, recipients, retention periods, and data sources
- Information about automated decision-making, including profiling
Right to Rectification (Article 16)
Data subjects can request correction of inaccurate data and completion of incomplete data. You must validate the rectification request and update all systems where the data is stored.
Right to Erasure / Right to Be Forgotten (Article 17)
Perhaps the most operationally challenging right. Data subjects can request deletion when:
- Data is no longer necessary for its original purpose
- Consent is withdrawn
- The data subject objects and there are no overriding legitimate grounds
- Data was unlawfully processed
- Deletion is required by law
Right to Restriction (Article 18)
Data subjects can request that processing be restricted (data is stored but not used) while accuracy is contested, processing is unlawful but deletion is not wanted, or an objection is pending review.
Right to Data Portability (Article 20)
Data subjects can receive their data in a structured, commonly used, machine-readable format and transmit it to another controller. This applies to data that the subject provided, that is processed on the basis of consent or contract, and that is processed by automated means.
Right to Object (Article 21)
Data subjects can object to processing based on legitimate interests or the public interest, including profiling. For direct marketing, the right to object is absolute.
Beyond GDPR: Other Regulations
CCPA/CPRA adds the right to know, right to delete, right to opt out of sale/sharing, and right to limit use of sensitive information. LGPD includes similar rights with variations. With 20 US states now having comprehensive privacy laws, the permutations of requestable rights are expanding rapidly.
Practical Implications
Your DSAR fulfillment system must handle all of these request types, not just access requests. Each type has different operational requirements, different exemptions, and different timelines. Building a unified intake and workflow system that routes requests by type while maintaining consistent SLAs is essential for scalable compliance.
Jerisaliant's DSAR module supports all GDPR right types plus CCPA/CPRA, LGPD, and other frameworks, with configurable workflows per request type and automated routing.