Also known as a data subject request (DSR) or data subject access request (DSAR), a subject access request (SAR) is a formal request by an individual (data subject) to a controller (company) to disclose what personal data the organization has collected about the individual and how it uses or intends to use that data. Consumers are granted the right to request this information under data privacy laws such as GDPR and CCPA/CPRA.
Subject access request (SAR)
Frequently asked questions
A subject access request (SAR) under GDPR allows an individual to request and receive a record of all the personal data — both digital and paper — an organization has collected about them.
The response to a subject access request should include any information relating to the personal information an organization has collected about you, including:
Data the organization collected (unless the information could compromise someone else’s identity or an investigation)
Why the organization collected the data
How the organization processed the data
Who the organization shared the data with
How long the organization has had the data
How much longer the organization is planning on keeping the data
If the organization used the data to make an automatic decision about you
If the organization used the data to make a customer profile about you
Individuals can make a SAR on their own behalf or ask someone else — such as a relative or friend — to make the request on their behalf with written permission.
Information exempt from SARs includes data that would also identify another individual or data that would negatively impact an ongoing official or legal inquiry.
SARs under GDPR must be fulfilled within 30 days of receipt of the request, although this can be extended if the request is complex. In that case, businesses must inform individuals within 30 days that their request will take longer to fulfill.
If companies ignore a subject access request, individuals can apply for court orders that compel the release of information or provide monetary compensation.