Data Subject Access Request (DSAR)
The right to ask, with a clock attached — one request, every system in scope, and a deadline the law set before you read it.
- Term
- DSAR
- Grants
- Access to one's personal data held
- Deadlines
- ~30 days (GDPR), 45 (CCPA-family)
- Scope
- Every system, including marketing's
Forms & parts of speech
Definition in plain terms
A data subject access request (DSAR) is a person's formal demand to see the personal data an organization holds about them — what data, from where, used how, shared with whom. The right anchors GDPR (Article 15) and runs through the CCPA family, India's DPDPA, and most modern regimes, each with a statutory clock: roughly 30 days under GDPR, 45 under CCPA-style laws, extendable once with notice. The request is simple to make and revealing to receive — it audits, in one letter, whether an organization actually knows where its personal data lives.
The mechanics
The process has fixed anatomy: intake (a findable channel — privacy portal, dedicated address), identity verification proportionate to the data's sensitivity (over-verification is its own violation; under-verification leaks data to imposters), discovery across every system holding personal data, compilation into intelligible form with the metadata rights require (purposes, recipients, sources, retention), legal review for third-party data and exemptions, and delivery on deadline with records kept. The marketing stack is where discovery goes to die, because personal data sprawls exactly where this glossary's entries live: the ESP and its engagement logs, the CDP and CRM, loyalty systems, CUSTOMER-MATCH-style audience uploads, the DATA-LAYER's event streams in analytics, call recordings in CONVERSATION-INTELLIGENCE tools, survey platforms, and the suppression lists that must themselves be searched. A data map — which systems hold what, keyed by which identifiers — converts DSAR response from archaeology to lookup, and DSAR tooling (privacy-ops platforms with system connectors) industrializes it where volume justifies. Two operating truths: requests spike after breaches, PR events, and angry-customer moments (they are often grievances wearing a legal right — handle the grievance too); and the response is itself a privacy act, so sending one person's file to another via sloppy verification is the failure mode regulators remember.
When it matters
DSARs matter to every organization under modern privacy law — which is every organization with EU, UK, California, or Indian customers — and they matter operationally to marketing because marketing's tools hold most of the personal data and least of the documentation. The discipline is preparation: a current data map across the stack, an intake-verification-discovery workflow rehearsed before volume arrives, deletion and correction flows built alongside (the rights travel together), and the cultural one — a DSAR answered well is trust repaired; answered late or wrong, it is a regulator's easiest case.
Synonyms & antonyms
Synonyms
Antonyms
Origin & history
The access right predates the acronym — European data-protection law carried it from the 1995 Directive — but GDPR's 2018 arrival, penalty schedule, and one-month clock made DSAR an operational discipline, and the CCPA family plus privacy-ops tooling turned it into standing infrastructure.
Etymology: source.
Usage trends
Search interest for this term over the last five years:
Common questions
- What is a DSAR?
- A person's formal request to access the personal data an organization holds on them — data, sources, purposes, recipients — anchored in GDPR Article 15 and echoed across the CCPA family and newer regimes.
- What are the DSAR deadlines?
- Roughly 30 days under GDPR and 45 under CCPA-style laws, extendable once with notice — the clock starts at receipt, not at readiness.
- Why are DSARs hard for marketing teams?
- Personal data sprawls across the marketing stack — ESPs, CDPs, audience uploads, analytics events, call recordings — and discovery without a data map is archaeology on a statutory deadline.
Related tools & calculators
- toolCAC calculator
- toolLTV:CAC calculator
Resources & people to follow
- referenceGDPR Article 15 — right of access
- referencePrivacy-operations practice literature (DSAR workflows)
- referenceRGM analysis — the data map converts DSARs from archaeology to lookup; build deletion alongside access
Curated, non-competitor resources verified per term.
Related training
- modulePerformance marketing
Disciplines
Areas of marketing where data subject access request (dsar) is a core concern: