A Data Subject Access Request — DSAR — is a formal request to any organisation asking them to confirm whether they process your personal data, and if so, to provide a complete copy of it along with specific information about how and why they process it. It is one of the most powerful rights under the General Data Protection Regulation, and one of the least used.
That gap between power and usage matters more than most people realise. A March 2026 market study by the European Data Protection Board identified more than 40 data brokers and providers operating in Belgium alone, spanning eight distinct categories — from personal data brokers who profile and sell individual-level data, to data pools and cleanrooms where companies combine datasets, to AI platforms that integrate personal data into profiling algorithms. The study found much of this collection takes place “without the knowledge or direct control of the individuals concerned.”
Belgium is one small country. The same infrastructure exists across every EU member state and beyond. DSARs are not a theoretical right reserved for activists and lawyers. They are a practical tool for finding out exactly who holds your data, what they hold, and where it came from — before you decide what to do about it. Once you know who holds your data, the EU data broker opt-out directory maps the removal process for the most common operators.
This guide covers the legal foundation, what you are entitled to receive, the timelines organisations must follow, what the courts have decided when they do not follow them, and a ready-to-use template you can send today.
What the GDPR actually says
The right of access is established by Article 15 of Regulation (EU) 2016/679. Article 15(1) states:
“The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information.”
Before unpacking what “the following information” includes, two definitions from Article 4 matter here:
- Personal data (Art. 4(1)) — any information relating to an identified or identifiable natural person. This includes names, email addresses, IP addresses, location data, online identifiers, purchase history, browsing behaviour, and anything else that can be linked back to you.
- Controller (Art. 4(7)) — the entity that determines the purposes and means of processing your personal data. This is who you send your DSAR to. It could be a company, a government body, an employer, or a data broker.
The format requirements come from Article 12(1): any information provided must be “concise, transparent, intelligible and easily accessible, using clear and plain language.” If you submit your request electronically, Article 15(3) requires the response to be provided “in a commonly used electronic form” — meaning a structured, readable file, not a stack of scanned PDFs designed to be as unhelpful as possible.
What you are entitled to receive
Article 15(1) lists eight specific categories of information that a controller must provide alongside a copy of your personal data. Each one serves a distinct purpose.
- The purposes of processing (Art. 15(1)(a)) — Why do they have your data? Marketing, fraud prevention, credit scoring, service delivery? They must tell you specifically, not vaguely.
- The categories of personal data concerned (Art. 15(1)(b)) — What types of data do they hold? Contact details, financial information, behavioural data, location history, health data? The categories must be meaningful, not catch-all labels.
- The recipients (Art. 15(1)(c)) — Who have they shared your data with, or who will they share it with? This is where a landmark ruling changed the landscape. In Austrian Post (CJEU C-154/21, 2023), the Court of Justice ruled that controllers must disclose the specific identities of recipients, not just vague categories like “marketing partners.” If they shared your data with four companies, they must name all four.
- The storage period (Art. 15(1)(d)) — How long will they keep your data, or what criteria determine that? “As long as necessary” is not an acceptable answer. They must provide a specific period or specific, objective criteria.
- Your rights (Art. 15(1)(e)) — They must inform you of your right to rectification, erasure, restriction of processing, and objection. This is informational — the DSAR response itself should remind you what you can do next.
- The right to complain (Art. 15(1)(f)) — They must tell you that you have the right to lodge a complaint with a supervisory authority. In the Netherlands, that is the Autoriteit Persoonsgegevens. In other EU countries, it is the national data protection authority.
- The source of the data (Art. 15(1)(g)) — If they did not collect the data directly from you, they must tell you where it came from. This is critical for data broker investigations. If a broker holds a profile on you, this is how you trace the chain back to its origin.
- Automated decision-making (Art. 15(1)(h)) — If they use your data for automated decisions, including profiling, they must provide “meaningful information about the logic involved, as well as the significance and the envisaged consequences” of that processing. This covers credit scoring, insurance pricing algorithms, automated hiring filters, and similar systems.
A proper DSAR response covers all eight points. Many organisations provide incomplete responses — often omitting recipients, sources, or automated decision-making details. An incomplete response is a non-compliant response.
Who can send one — and to whom
The territorial scope of the GDPR is broader than most people assume. Article 3 determines who is protected and which organisations must comply.
The GDPR applies to anyone in the EU, not just EU citizens. A US tourist visiting Paris has full GDPR rights over data collected during that visit. A Brazilian researcher at a Dutch university has full GDPR rights. Conversely, an EU citizen living in the United States, using services targeted exclusively at the US market, does not have GDPR protection over that specific processing.
On the other side, any organisation that processes the personal data of people in the EU must comply — regardless of where the organisation is based. A data broker in the United States that profiles EU residents is subject to GDPR. A social media platform headquartered in Singapore with EU users is subject to GDPR. Physical presence in Europe is not required for the regulation to apply.
You can send a DSAR to any controller: your employer, your bank, a social media platform, a data broker you have never heard of, a retailer, a telecommunications provider, a public authority. If they process your personal data, they must respond.
Timelines and deadlines
Article 12(3) sets a clear clock. Once a controller receives your DSAR, they have one calendar month to respond. Not one business month. One calendar month.
If the request is complex — multiple systems to search, large volumes of data, or overlapping requests from many individuals — the controller may extend this by a further two months. But they must notify you of that extension within the first month, and they must explain why.
The maximum response time is therefore three months. In practice, most straightforward requests from individuals should be answered well within the initial one-month period.
Even refusals have a deadline. Article 12(4) requires controllers to inform you of a refusal, and the reasons for it, within one month. Silence is not a valid refusal. If one month passes with no response at all, the controller is already in breach.
The first copy of your data must be provided free of charge (Art. 15(3)). Controllers may charge a “reasonable fee” for additional copies, but only for the administrative cost — and only if you are requesting the same data again.
When they can refuse — and when they cannot
Article 12(5) allows controllers to refuse DSARs that are “manifestly unfounded or excessive, in particular because of their repetitive character.” Two things matter here.
First, the burden of proof is on the controller. They must demonstrate that the request is manifestly unfounded or excessive. A first-time DSAR from an individual is, by definition, neither.
Second, the Court of Justice made an important clarification in CJEU C-307/22 (2024): data subjects do not need to state reasons for their access request. A controller cannot demand that you explain why you want your data. You do not need to justify your request. The right of access exists independently of motive.
Controllers are entitled to verify your identity before responding — Recital 64 acknowledges this. But the verification must be proportionate. Asking for a copy of your passport to confirm an email address is disproportionate. Asking you to reply from the email address on file, or to confirm specific account details, is reasonable.
Where a response would include personal data about other people, Article 15(4) requires that third-party data be redacted. This is not a basis for refusing the entire request — only for redacting the specific third-party information.
DSAR vs erasure request
The distinction between Article 15 (right of access) and Article 17 (right to erasure) is important and often confused.
A DSAR is discovery: “Show me what you have.” An erasure request is action: “Delete what you have.” They serve different functions and a controller cannot substitute one for the other. If you send a DSAR, the controller must disclose your data — they cannot simply delete it and claim the matter is resolved.
In practice, a DSAR is usually the first step. You need to know what an organisation holds before you can decide whether to request deletion, rectification, or restriction. This is especially true with data brokers: you may not know what profile they have built on you until you see the DSAR response.
Erasure is not absolute. Article 17(3) lists exceptions: freedom of expression, compliance with a legal obligation, public health, archiving in the public interest, and the establishment, exercise, or defence of legal claims. A controller may lawfully retain data that falls under these exceptions even after an erasure request — but they must explain which exception applies.
What happens if they ignore you
The enforcement framework under GDPR is layered and gives data subjects several avenues.
Complaint to a supervisory authority (Art. 77) — You can file a complaint with your national data protection authority. In the Netherlands, this is the Autoriteit Persoonsgegevens (AP), one of the more active supervisory authorities in Europe. Under the UAVG (Dutch GDPR Implementation Act), data subjects complain directly to the AP, which can investigate and impose corrective measures.
Judicial remedy (Art. 79) — You have the right to an effective judicial remedy against a controller or processor. This can be pursued in the courts of the member state where the controller is established, or where you habitually reside.
Compensation (Art. 82) — Any person who has suffered material or non-material damage as a result of a GDPR infringement has the right to receive compensation from the controller or processor responsible.
Administrative fines (Art. 83(5)) — Infringements of the data subject rights provisions, including Article 15, can result in fines of up to €20 million or 4% of total worldwide annual turnover, whichever is higher.
Enforcement: what the courts have decided
The case law around DSARs has developed significantly in recent years. These decisions shape what you can expect when you exercise your rights.
Austrian Post — CJEU C-154/21 (2023)
The Court of Justice ruled that when a data subject requests information about recipients under Art. 15(1)(c), the controller must disclose the specific identity of each recipient. Providing vague categories — “business partners” or “advertising networks” — is not sufficient. This decision fundamentally strengthened the practical value of DSARs, particularly against data brokers and organisations that share data widely.
Clearview AI — Italian, Greek, and French DPAs (2021–2022)
Clearview AI, a facial recognition company that scraped billions of images from the internet, was fined €20 million by the Italian Garante, with further enforcement actions by Greek and French authorities. The failures included non-compliance with DSAR and erasure obligations. When individuals requested access to or deletion of their biometric data, Clearview either ignored the requests or responded inadequately.
Uber — Dutch DPA (2024)
The Autoriteit Persoonsgegevens fined Uber €10 million for making it unnecessarily difficult for drivers to exercise their data subject rights. The complaints centred on the DSAR process being opaque and obstructive — requiring drivers to navigate confusing interfaces and failing to provide complete responses within the statutory timeframe.
Deutsche Wohnen — Berlin DPA (2019+)
The German real estate company was fined €14.5 million for operating an archiving system that made it structurally impossible to comply with data subject rights. The system could not distinguish between data that should be retained and data that should be deleted, meaning DSARs and erasure requests could not be properly fulfilled. The case established that organisational design choices do not excuse non-compliance.
The pattern across these cases is consistent: supervisory authorities and courts take DSAR non-compliance seriously, and “we find it difficult” is not a defence.
The template
The following template can be sent by email or post. Replace the placeholder text in square brackets with your own details. You do not need to justify why you are making this request.
Subject: Data Subject Access Request under Article 15 of Regulation (EU) 2016/679
Dear Data Protection Officer / Privacy Team,
I am writing to make a formal request for access to my personal data under Article 15 of the General Data Protection Regulation (Regulation (EU) 2016/679).
Please confirm whether you are processing personal data concerning me. If so, I request the following:
- A copy of all personal data you hold about me, in a commonly used electronic format.
- The purposes of the processing (Art. 15(1)(a)).
- The categories of personal data concerned (Art. 15(1)(b)).
- The specific recipients or categories of recipients to whom my personal data has been or will be disclosed (Art. 15(1)(c)).
- The envisaged period for which my personal data will be stored, or the criteria used to determine that period (Art. 15(1)(d)).
- Information about my rights to rectification, erasure, restriction, and objection (Art. 15(1)(e)).
- The right to lodge a complaint with a supervisory authority (Art. 15(1)(f)).
- Where the data was not collected directly from me, any available information about its source (Art. 15(1)(g)).
- Information about the existence of automated decision-making, including profiling, and meaningful information about the logic involved and its significance and consequences (Art. 15(1)(h)).
To help identify my records:
Full name: [Your full name]
Email address(es): [Email addresses you may have used with this organisation]
Account/customer number: [If applicable]
Other identifying information: [Phone number, postal address, username — whatever is relevant]
Under Article 12(3), I expect a response within one calendar month. If you require an extension under Article 12(3), please inform me within the initial one-month period with the reasons for the delay.
I prefer to receive the response electronically at the email address from which this request is sent.
Thank you for your attention to this matter.
[Your full name]
[Date]
Practical tips for using the template
Send from a dedicated email address. If you plan to send DSARs to multiple organisations, consider using a single email address for all of them. This makes tracking responses easier and keeps a clear paper trail.
Record the date you send each request. The one-month deadline starts from the date the controller receives the request. Keep a simple log — organisation name, date sent, deadline, response received. If you need to escalate to a supervisory authority, this record is your evidence.
Start with data brokers. If your goal is reducing your digital footprint, DSARs to data brokers are the highest-value starting point. The DSAR reveals what they hold and where it came from. The response under Art. 15(1)(c) — specific recipients — tells you who else has your data, which gives you your next list of targets. The response under Art. 15(1)(g) — the source — tells you where the chain started.
Use the response to inform your next step. A DSAR is reconnaissance. Once you see what an organisation holds, you can decide whether to request erasure under Art. 17, restrict processing under Art. 18, or object to processing under Art. 21. You cannot make informed decisions about data you do not know exists.
Follow up promptly at the one-month mark. If the deadline passes without a response, send a follow-up referencing your original request date and noting that the statutory period has expired. State that you intend to file a complaint with the relevant supervisory authority if you do not receive a response within 14 days. Most organisations respond to this.
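As an added example (not part of this guide), the following Python tracker applies the Article 12(3) clock described in the timelines section to the kind of log recommended above: it computes the one-calendar-month deadline for each request, honours an extension only if the controller notified it within that first month, and flags requests that are overdue or whose extension notice came too late. The organisation names and dates are constructed, and the month-end rule (a period that would end on a day the target month lacks ends on that month's last day) is an assumption, not something the guide states.

```python
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Optional
def add_months(d: date, months: int) -> date:
    """Add whole calendar months. Assumption: a period that would end on a day
    the target month lacks (31 Jan + 1 month) ends on that month's last day."""
    total = d.month - 1 + months
    year, month = d.year + total // 12, total % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))
@dataclass
class DsarRecord:
    organisation: str
    received: date                             # date the controller received the DSAR
    extension_notified: Optional[date] = None  # date of any Art. 12(3) extension notice
    response_received: Optional[date] = None

    @property
    def initial_deadline(self) -> date:
        return add_months(self.received, 1)    # one calendar month, Art. 12(3)

    @property
    def extension_valid(self) -> bool:
        # An extension only counts if it was notified within the first month.
        return (self.extension_notified is not None
                and self.extension_notified <= self.initial_deadline)

    @property
    def deadline(self) -> date:
        # Valid extension: up to two further months, three months in total.
        return add_months(self.received, 3 if self.extension_valid else 1)

    def status(self, today: date) -> str:
        note = ""
        if self.extension_notified is not None and not self.extension_valid:
            note = " (extension notice late, ignored)"
        if self.response_received is not None:
            late = self.response_received > self.deadline
            return ("responded late" if late else "responded on time") + note
        if today > self.deadline:
            return "overdue: no response by statutory deadline" + note
        return "pending" + note
def report(records, today: date):
    # One (organisation, deadline, status) row per request, for your log.
    return [(r.organisation, r.deadline.isoformat(), r.status(today)) for r in records]
# Constructed sample log: organisations and dates are invented for illustration.
SAMPLE_LOG = [
    DsarRecord("ExampleBroker A", date(2026, 1, 31)),
    DsarRecord("ExampleBroker B", date(2026, 1, 15), extension_notified=date(2026, 2, 10)),
    DsarRecord("ExampleBroker C", date(2026, 1, 15), extension_notified=date(2026, 2, 20)),
    DsarRecord("ExampleRetailer", date(2026, 1, 15), response_received=date(2026, 2, 3)),
]
SAMPLE_TODAY = date(2026, 3, 2)  # constructed "today" for the sample report
def sample_report():
    return report(SAMPLE_LOG, SAMPLE_TODAY)
```

Call `report(your_records, date.today())` with your own entries to get the rows for your tracking log; `sample_report()` runs it over the constructed sample.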
Keep expectations realistic. A DSAR gives you visibility. It does not, by itself, remove your data. For individuals dealing with dozens or hundreds of data holders — brokers, people-search sites, marketing databases, and aggregators — the volume of work involved in sending DSARs, tracking responses, and following up with erasure requests is substantial. This is where professional removal services exist: to handle that operational burden systematically.
If you have sent DSARs and discovered that your data is held more widely than you expected — or if the scale of the removal effort is more than you want to manage alone — the Eraser service handles the full chain: identification, access requests, removal, and verification, across the brokers and platforms that hold your data.