BlackEyes LogoBLACKEYES

Your rights · UK & US

What is a DSAR?

A DSAR — Data Subject Access Request — is a legal request that requires an organisation to hand over a copy of all the personal data it holds about you, along with what it uses the data for, where it got it, and who it shares it with. Under UK and EU GDPR it is free, you never have to give a reason, and the organisation must respond within one calendar month.

What a DSAR gets you

The access right sits in Article 15 of the GDPR. A valid response must include:

  • a copy of the personal data itself — profiles, records, notes, call logs, anything identifying you;
  • the purposes it is being processed for;
  • the categories of recipients it has been disclosed to — including data brokers and advertisers;
  • how long it will be kept, or the criteria used to decide;
  • where the data came from, if it wasn't collected from you directly;
  • whether it feeds automated decision-making or profiling, and the logic involved.

Where the same right exists in the US

The US has no single federal access right, but the state privacy laws converge on the same idea. California's CCPA/CPRA calls it the right to know: residents can demand the categories and specific pieces of personal information a business has collected, the sources, the purposes, and the third parties it was sold or shared to. Virginia, Colorado, Connecticut, Texas and a growing list of other states grant materially similar access rights.

The practical difference is deadlines and scope: 45 days instead of one month, and the laws apply to businesses over certain revenue or data-volume thresholds rather than to every organisation.

DSAR vs erasure — see it, or delete it

A DSAR shows you what an organisation holds. It does not remove anything. Its sibling rights do the removing: the right to erasure (GDPR Article 17, CCPA deletion) and the right to object to direct marketing. A common sequence against a data broker is: access request to see the file, erasure request to delete it, then an ICO or FTC report if they ignore you.

Ready-to-send letters for both are on our templates page.

One letter works. Hundreds are the problem.

Sending a DSAR to one company is easy. Your data sits with hundreds of brokers, and they re-list it months after deletion. BLACKEYES sends and tracks erasure requests at scale — see who holds your data first, free.

Run my free exposure check

FAQ

Is a DSAR the same as a SAR?

Yes. “Subject access request” (SAR) and “data subject access request” (DSAR) are the same thing — the access right under Article 15 of the GDPR. UK regulators tend to say SAR; corporate privacy teams tend to say DSAR.

How long does a company have to respond to a DSAR?

One calendar month under UK and EU GDPR, extendable by up to two further months for complex or numerous requests — they must tell you about any extension within the first month. Under the CCPA in California, businesses have 45 days, extendable by another 45.

Does a DSAR cost anything?

No. Companies must handle a DSAR free of charge. They may only charge a reasonable fee, or refuse, where a request is manifestly unfounded or excessive — for example, blanket repeats of a request they have just answered.

Can a DSAR be refused?

Only narrowly. A company can withhold data that would expose someone else’s personal information, legally privileged material, or where a specific exemption applies — and it must tell you which exemption it is relying on. Silence or a blanket “no” is grounds for an ICO complaint.

Do US companies have to answer a DSAR?

There is no federal US access right, but California’s CCPA/CPRA gives residents a “right to know”, and most other state privacy laws (Virginia, Colorado, Connecticut and others) include similar access rights. In practice many US companies honour access requests from anyone, because running separate processes per jurisdiction is more expensive than answering.