Recognising an access request
An access request (also known as DSAR - Data Subject Access Request) is the most common request you can receive as a business owner. A customer, employee, applicant, or website visitor asks you to tell them what personal data you hold about them.
The request does not need to be formal. “What data do you have about me?” in an email is already an access request. You do not need a form for it.
Step 1: Register the request
Note down immediately:
- Who is making the request
- When you received it (the one-month deadline starts now)
- Through which channel it came in
- What exactly is being asked
Template: Request Register
Keep track of every request in a register: who, when, what was asked, and how it was handled.
Step 2: Verify the identity
Before providing data, you must be certain that you are communicating with the right person. Otherwise you risk a data breach by giving data to the wrong person.
How to verify?
- If the person already has an account with you: have them confirm the request through that account
- If you know the person (e.g. an employee): a confirmation via the known email address is sufficient
- For unknown persons: ask for a copy of an ID document. Ask the requester to redact the national ID number and photo - you don’t need those
Don’t take more than necessary: the identity check must be proportionate.
Template: Identity Verification
A standard letter asking the requester to confirm their identity.
Step 3: Collect the data
Search all your systems where personal data of the requester may be stored:
- CRM system - customer data, notes, communication history
- Email system - correspondence with the person
- Accounting - invoices, payment data
- HR system - if it concerns a (former) employee
- Website - form submissions, account data
- Paper files - contracts, correspondence
Be thorough. If you miss data later, the requester may file a complaint.
Step 4: Prepare your response
Your response must contain the following information:
The data itself
A copy of all personal data you process about the data subject.
Additional information
- Processing purposes - why you process the data
- Categories of data - what types of data you hold
- Recipients - with whom you have shared the data
- Retention period - how long you retain the data
- Rights - the data subject has the right to rectification, erasure, restriction, and objection
- Right to complain - the data subject can file a complaint with the supervisory authority
- Source - if you did not obtain the data from the data subject themselves, where it came from
Template: Access Request Response
A ready-to-use response that contains all mandatory information elements.
Step 5: Send the response
- Deadline - within one month of receiving the request
- Extension - for complex requests you may extend by two months, but inform the requester within the first month
- Format - if the request was made electronically, provide the data in a common electronic format (PDF, Excel)
- Cost - the first request is free. For repeated or manifestly excessive requests, you may charge a reasonable fee
- Secure - send the data through a secure channel, not as an unencrypted email attachment
Step 6: Document
Record how you handled the request: when received, when answered, what data was provided, which systems were searched. This is your evidence if the data subject later files a complaint.
Common pitfalls
- Responding too late - a month passes quickly. Register the request immediately and start the same day
- Forgetting data - search all systems, not just your CRM
- No identity check - providing data to the wrong person is a data breach
- Redacting too much - you may redact data of third parties, but not the requester’s own data
GDPRWise generates response templates and helps you keep a register of all received requests.