Understanding Data Subject Access Requests in the Irish Context
What Is a Data Subject Access Request?
A Data Subject Access Request (DSAR) is a formal written request from an individual – the data subject – to an organisation, asking that organisation to provide a copy of the personal data it holds about them. DSARs are a cornerstone of data protection law, giving individuals a direct way to see what information is being processed and to verify that it is being handled lawfully, fairly, and transparently. In the Irish context, the right of access is enshrined in Article 15 of the General Data Protection Regulation (GDPR) and further clarified by the Data Protection Act 2018.
Personal data covers almost any information relating to an identified or identifiable natural person. This includes names, identification numbers, location data, online identifiers, and any factors specific to that person’s physical, physiological, genetic, mental, economic, cultural, or social identity. A DSAR may be made for any reason – curiosity, concern about accuracy, preparation for litigation, or simply to exercise a fundamental right. Regardless of the motive, organisations must treat each DSAR seriously and respond within strict timelines.
The Legal Framework for DSARs in Ireland
Ireland’s data protection landscape is shaped primarily by the GDPR (Regulation (EU) 2016/679) and the national implementing legislation, the Data Protection Act 2018. The Irish Data Protection Commission (DPC) is the independent supervisory authority responsible for enforcing these laws and issuing guidance on the handling of DSARs.
Key Provisions Under the GDPR
Article 15 of the GDPR gives every data subject the right to obtain from a controller confirmation as to whether personal data concerning them is being processed, and, where that is the case, access to that data. The controller must also provide a copy of the data being processed, along with certain supplementary information:
- The purposes of the processing.
- The categories of personal data concerned.
- The recipients (or categories of recipients) to whom the personal data has been or will be disclosed, especially recipients in third countries or international organisations.
- The envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period.
- The existence of the right to request rectification or erasure, restriction of processing, or to object to processing.
- The right to lodge a complaint with the DPC.
- Where the data has not been collected from the data subject, any available information as to its source.
- The existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and envisaged consequences.
The Data Protection Act 2018 adds some Irish-specific provisions. For instance, Section 61 of the Act allows a controller to refuse to comply with a DSAR where the request would involve disclosing information relating to another individual, unless that individual has consented or it is reasonable to comply without their consent. The Act also provides exemptions for certain types of processing, such as research, archiving, and crime prevention, though these must be applied narrowly.
The Right to a Copy and the Manner of Response
Under Article 15(3), the controller must provide a copy of the personal data undergoing processing. The first copy is free of charge; a reasonable fee may be charged only for subsequent copies or for requests that are manifestly unfounded or excessive. The data should be supplied in a concise, transparent, intelligible, and easily accessible form, using clear and plain language. Where possible, the data should be provided electronically in a commonly used format such as a PDF, CSV, or JSON file.
How to Submit a DSAR in Ireland
Any individual can make a DSAR directly to an organisation. There is no specific form or magic phrase required – a simple email or written letter clearly stating the request is sufficient. However, to ensure the request is processed efficiently, it is best to:
- Address the request to the organisation’s Data Protection Officer (DPO) or the designated data protection contact person, if known.
- Provide sufficient personal details so the organisation can verify identity (e.g., full name, email address, account number, or reference number).
- Specify the type of data or time period of interest, especially if the organisation holds a large volume of data (e.g., “All personal data processed between January 2023 and January 2024”).
- Indicate a preferred format for the response (e.g., electronic or paper).
The organisation may request additional proof of identity before responding. This is permissible as long as the request is proportionate. For example, asking for a passport copy is reasonable; asking for an original document that is expensive to obtain may be considered excessive. The organisation should also confirm receipt of the DSAR and explain the next steps, including the expected timeline.
What Organisations Must Do When They Receive a DSAR
Once a DSAR is received, the organisation (the data controller) must act without undue delay and in any event within one month of receipt. The one-month period runs from the day the request arrives; where the organisation needs to verify the requester's identity, the period is paused until verification is complete. The one-month period can be extended by a further two months where the request is complex or where the data subject has made multiple requests. If an extension is needed, the organisation must inform the data subject within the first month, explaining the reasons for the delay.
Here are the essential steps for handling a DSAR in Ireland:
- Validate the request: Confirm that it is indeed a DSAR and that the requester has identified themselves.
- Verify identity: Use reasonable measures to ensure the person making the request is who they claim to be. This may involve checking internal records, asking for a passport, or using two-factor authentication.
- Search for the data: Locate all personal data held across the organisation – not just in the primary IT system, but also in emails, cloud storage, archives, backups (if retrievable), paper files, CCTV footage, and any third-party systems used.
- Review and redact: Before disclosing, review the data to remove any third-party personal data that cannot be lawfully shared, or any information that might prejudice a crime investigation or legal proceedings. The organisation must balance the data subject’s right of access against the rights of others.
- Provide the response: Send the data in a clear format, along with the supplementary information required by Article 15. Include a covering letter explaining what has been provided and any exemptions relied upon.
- Document everything: Keep an internal log of the DSAR, the steps taken, and the rationale for any decisions. This is vital for accountability and for defending any complaint to the DPC.
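The handling steps above, worked through as a small script. This is an added example, not code from the article or from any DSAR product; the two data sources, the field names, the rule that the "agent" field counts as third-party data, and the supplementary-information values are all constructed assumptions. It computes the response deadline (paused until identity verification, extendable for complex requests), searches each source, redacts third-party fields and keeps an audit log:

```python
from datetime import date, timedelta

# Constructed sample data: the requester (subject 42) and a colleague (43).
CRM = [{"id": 42, "name": "A. Murphy", "email": "a.murphy@example.ie"},
       {"id": 43, "name": "B. Walsh", "email": "b.walsh@example.ie"}]
TICKETS = [{"subject_id": 42, "agent": "B. Walsh", "note": "refund issued"},
           {"subject_id": 43, "agent": "C. Byrne", "note": "booking cancelled"}]
SOURCES = (("crm", CRM, "id"), ("tickets", TICKETS, "subject_id"))
THIRD_PARTY_FIELDS = {"agent"}  # assumed: fields that identify someone else

def add_months(d, n):
    """Calendar-month arithmetic, clamped to the last day of the target month."""
    m = d.month - 1 + n
    y, m = d.year + m // 12, m % 12 + 1
    last = (date(y + (m == 12), m % 12 + 1, 1) - timedelta(days=1)).day
    return d.replace(year=y, month=m, day=min(d.day, last))

def response_deadline(received, verified=None, complex_request=False):
    """Dates are ISO strings. The month runs from receipt, or from identity
    verification where one was needed; a complex request may be extended by
    two further months, but the subject must be told within the first month."""
    start = date.fromisoformat(verified or received)
    notify_by = add_months(start, 1)
    final = add_months(start, 3) if complex_request else notify_by
    return final.isoformat(), notify_by.isoformat()

def handle_dsar(subject_id, received, verified=None, complex_request=False):
    """Search every source, redact third-party data, package the Article 15
    response and keep an audit log of each step taken."""
    deadline, notify_by = response_deadline(received, verified, complex_request)
    log = [f"deadline {deadline}; any extension notice due by {notify_by}"]
    records = []
    for name, rows, key in SOURCES:
        hits = [r for r in rows if r[key] == subject_id]
        for r in hits:
            records.append({"source": name, "data": {
                k: "[REDACTED: third-party data]" if k in THIRD_PARTY_FIELDS else v
                for k, v in r.items()}})
        log.append(f"searched {name}: {len(hits)} record(s)")
    response = {  # Article 15(1) supplementary information (assumed values)
        "subject_id": subject_id, "records": records,
        "purposes": ["customer support"], "categories": ["contact", "support notes"],
        "recipients": ["payment processor"], "retention": "6 years after last contact",
        "rights": ["rectification", "erasure", "restriction", "objection",
                   "complaint to the DPC"],
        "exemptions_applied": ["Section 61, Data Protection Act 2018: third-party data redacted"],
    }
    log.append("response packaged")
    return response, deadline, log
```

The returned dictionary can be serialised with `json.dumps` for the electronic copy; the log is the internal record that the final step calls for.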
Challenges in Handling DSARs
DSARs can be resource-intensive, especially for organisations with sprawling data ecosystems, legacy systems, or high staff turnover. Common challenges include:
- Data discovery: Personal data may be scattered across multiple databases, shared drives, email accounts, and even internal chat platforms. Without proper data mapping, locating the relevant data can take weeks.
- Volume and complexity: A single DSAR can involve thousands of documents. Reviewing, redacting, and collating this material within a month is often extremely difficult.
- Third-party data: Disclosing an individual’s data may inadvertently reveal information about another person (e.g., a colleague’s salary or a customer’s complaint). The organisation must decide whether to redact, withhold, or seek consent.
- Manifestly unfounded or excessive requests: The GDPR allows an organisation to refuse or charge a reasonable fee for requests that are manifestly unfounded or excessive. However, the burden of proof lies with the organisation, and the bar is set high. The DPC expects controllers to show concrete evidence of abuse, not just inconvenience.
- Cross-border requests: If the data subject is based in another EU country, the organisation must still comply, and may need to coordinate with other data controllers or data processors.
- Employee requests: Employees can make DSARs at any time, including during disciplinary proceedings or after leaving employment. These requests are often sensitive and time-sensitive, requiring careful handling to avoid conflicts with employment law.
Best Practices for Organisations
To manage DSARs efficiently and avoid DPC enforcement, Irish organisations should adopt the following practices:
1. Maintain a Personal Data Inventory
A data inventory or data map that records what personal data is collected, where it is stored, who has access, and how long it is retained is the single most useful tool for responding to DSARs. Without it, searching for data becomes a fire drill. The inventory should be kept up to date and reviewed regularly.
2. Implement a DSAR Policy and Procedure
Formalise the process: designate a DSAR owner (often the DPO), define roles and responsibilities, set internal deadlines (e.g., respond within 20 days to allow a buffer), and create template letters for acknowledgment, identity verification, extensions, and final responses. Train all staff who might receive a DSAR – especially front-line customer service and HR teams – so they recognise one immediately and forward it to the right person.
3. Use Technology to Automate Searches
Leverage e-discovery tools, data loss prevention platforms, or dedicated DSAR management software to search across systems, flag personal data, and automate redaction. For organisations using a modern data platform like Directus, building a DSAR workflow that queries the database and exports relevant data can dramatically reduce manual effort. However, any automated solution must be tested to ensure it captures all relevant fields.
4. Apply Exemptions Carefully
The GDPR and the Data Protection Act 2018 provide limited exemptions to the right of access – for example, to protect legal professional privilege, to avoid obstructing criminal investigations, or where the data is subject to a legally binding confidentiality agreement. Do not rely on blanket exemptions; each case must be assessed individually, and the reasons for refusing or limiting access must be documented and communicated to the data subject.
5. Communicate Proactively
If a DSAR will take longer than a month, inform the data subject within the first month and explain why. If some data is withheld, explain the legal basis. A data subject who feels kept in the loop is far less likely to escalate a complaint to the DPC. Conversely, silence or unresponsiveness is the surest way to invite regulatory scrutiny.
6. Monitor and Learn
Track DSAR volumes, turnaround times, and types of requests. Use this data to identify recurring problem areas – for instance, if many requests relate to HR data, consider improving how employee data is organised. Regularly review the DSAR process and update it in line with DPC guidance.
Recent Developments and DPC Guidance
The DPC has issued several enforcement decisions and guidance notes that shape how DSARs are handled in Ireland. Notable points:
- Guidance on the charging of fees: The DPC has stated that fees must be limited to administrative costs and are only permissible for manifestly unfounded or excessive requests. A blanket “administration fee” for all DSARs is not lawful.
- Guidance on automated decision-making: When a DSAR relates to automated decisions or profiling, the organisation must provide meaningful information about the logic behind the decision, not just a copy of the data. This is especially relevant for organisations using AI or machine learning.
- Enforcement actions: The DPC has imposed significant fines on organisations that failed to respond to DSARs within the one-month period or that provided incomplete responses without proper justification. For example, in 2023, a major Irish airline was fined €400,000 for failing to adequately respond to multiple DSARs.
- Interaction with other rights: The DPC has clarified that the right of access does not override other legal obligations, such as professional secrecy, or the rights of other data subjects whose data would be disclosed. Organisations must balance these rights and may need to redact or seek third-party consent.
For the most current guidance, organisations should regularly consult the DPC’s official website at dataprotection.ie and refer to the EDPB (European Data Protection Board) guidelines on the right of access. The full text of the GDPR is available at EUR-Lex. Additionally, the Irish Data Protection Act 2018 can be found on the Irish Statute Book at irishstatutebook.ie.
Why DSARs Matter Beyond Compliance
Beyond the legal obligation, a well-handled DSAR strengthens trust. When an individual asks an organisation “What do you know about me?” and receives a complete, clear, and timely response, it demonstrates that the organisation takes privacy seriously. In today’s data-driven world, that trust is a competitive advantage. For educators and students, understanding DSARs is not just about knowing the law – it is about empowering individuals to exercise their fundamental right to control their own information. By embedding a culture of transparency and respect for personal data, Irish organisations can build stronger relationships with customers, employees, and the public.