This guide is for startup founders, small business owners, HR managers, and compliance officers at companies that process EU personal data under the GDPR, especially those handling employee or customer DSARs.
It sets out a practical step-by-step process for responding efficiently, avoiding fines and investigations, and building internal procedures for future requests.
Key Takeaways
- DSARs must be responded to within one calendar month; extensions possible for complex cases with notification.
- Search emails, CRM, HR systems, Slack, paper files, and other reasonable locations for personal data.
- Redact third-party data, legal privilege, and certain investigative info; always document decisions.
- Follow steps: log request, verify ID if needed, search, review/redact, compile response, send securely.
- Non-compliance risks DPC complaints, reprimands, and fines of up to €20 million or 4% of global annual turnover, plus reputational damage.

Someone has asked to see all the data you hold on them: how to handle it
What Is a Data Subject Access Request?
A data subject access request (DSAR) is a formal request from an individual asking you to provide a copy of all personal data you hold about them, along with information about how it is being used.
The right is set out in Article 15 of the GDPR and is one of the most frequently exercised data rights in practice.
The request does not need to use the words "data subject access request" or cite any specific legislation to be valid. If someone asks "can you tell me what information you have about me" or "I'd like to see my file," that is likely a DSAR and the clock starts running from that moment.
Who Can Make a DSAR?
Any individual whose personal data you process as a data controller can make a request, including:
- Current and former employees: this is the most common source of DSARs for small companies, often arising in the context of a dispute or disciplinary process
- Customers and end users of your product or service
- Prospective employees who went through your hiring process
- Contractors and freelancers whose data you hold
- Third parties mentioned in your records, in limited circumstances
There is no requirement for the individual to explain why they are making the request, and you cannot refuse to respond simply because the reason seems tactical or adversarial. Employees frequently submit DSARs during or shortly after a disciplinary process; the motivation does not affect your obligation to respond.
What Is the Deadline for Responding?
You must respond within one calendar month from the date the request is received.
If the request arrives on 3 March, your response is due by 3 April: the period is one calendar month, not 30 days.
Where requests are complex or numerous, you can extend the deadline by a further two months, but you must inform the individual within the first month that you are extending and explain why. You cannot simply let the deadline pass and respond late.
Failing to respond within the deadline is a breach of Article 15 of the GDPR and can be reported directly to the Data Protection Commission. The DPC takes response timeframes seriously and has issued formal reprimands to organisations, including small ones, for non-compliance.
What Do You Actually Have to Search?
This is the part that catches most companies off guard, because the scope of a DSAR is broader than most founders assume. You are required to search any system or location where the individual's personal data might reasonably exist, including:
- Email inboxes and sent folders: including internal discussions about the individual
- CRM and sales platforms: contact records, notes, activity logs
- HR and payroll software: employment contracts, payslips, performance reviews, disciplinary records
- Project management tools: Notion, Asana, Jira, or similar, where the individual may be mentioned
- Accounting software: invoices or payment records linked to the individual
- Slack, Teams, or other messaging platforms: direct messages and channel conversations where the individual is named
- Paper files and physical records: filing cabinets, printed contracts, handwritten notes
- Backups and archives: if you can reasonably access them and they contain the individual's data
The obligation is not to conduct an exhaustive forensic review of every byte of data, but to take reasonable and proportionate steps to identify what you hold. If a category of data is technically retrievable but disproportionately burdensome to search, you can document why you excluded it, but you cannot simply ignore obvious locations.
What Can You Redact or Withhold?
You are not required to hand over everything you find without review. Several categories of information can legitimately be withheld or redacted.
Third-party personal data is the most common reason for redaction. If an email about the requester also contains personal data about a colleague or customer, you must redact that third party's information before disclosing the email. You are not permitted to expose one person's data in order to satisfy another's request. Redact only what is necessary to protect other individuals’ personal data; if redaction renders the document meaningless, consider whether an alternative approach can satisfy the request while protecting third parties.
Legal professional privilege protects communications between you and your solicitor. Correspondence seeking or containing legal advice does not need to be disclosed.
Information that would prejudice an ongoing investigation can be withheld in limited circumstances, for example, where disclosing witness statements during an active disciplinary investigation would compromise it. This exemption is narrow and time-limited.
Information that is not actually personal data about the requester does not need to be included. General business records that don't relate to the individual fall outside the scope of the request.
Every redaction or withholding decision should be documented internally, including the legal basis for it. If the individual challenges your response, you need to be able to show your reasoning.
A Step-by-Step Process for Responding
Handling a DSAR systematically avoids the common pitfalls of over-disclosing, missing the deadline, or producing an incomplete response. Below we have set out a step-by-step process for responding.
Step 1: Log the request immediately. Record the date it was received, who it came from, and the method of receipt. This is your deadline anchor. Assign a named person to manage the response.
Step 2: Verify the requester's identity if necessary. If you have any genuine doubt about who is making the request, you can ask for reasonable verification. For a current employee contacting you from their work email, verification is not usually needed. For someone you don't recognise, a proportionate identity check is appropriate. Do not use verification as a delaying tactic; the clock does not pause while you verify.
Step 3: Search all relevant systems. Work through each system and location systematically, documenting what you searched and what you found. Assign search tasks to the relevant team members: HR for employment records, engineering for database logs, finance for billing records.
Step 4: Review and redact. Review everything gathered before compiling the response. Redact third-party personal data, apply any legitimate exemptions, and document your reasoning for any material you decide to withhold.
Step 5: Compile the response. Prepare a cover letter explaining what you are providing, what you are withholding and why, the information about the processing that Article 15 requires (such as the purposes, recipients, retention period, and source of the data), and the individual's right to complain to the Data Protection Commission if they are dissatisfied. Attach the data in a readable format; PDFs, spreadsheet exports, or printed documents are all acceptable.
Step 6: Respond within the deadline. Send the response securely. If the data is sensitive, use encrypted file transfer or a secure portal rather than sending unprotected attachments by email. Double-check the recipient's address before sending: delivering one person's file to the wrong recipient is itself a personal data breach. Confirm delivery and keep a record of what was sent and when.
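Steps 1, 2, 4 and 6 above turn on a few checkable facts: the receipt date, the calendar-month deadline, whether an extension was notified in time, and whether every withheld item has a documented basis. The following is an added example in Python, not code from the original article, of a minimal DSAR log entry that tracks those facts. The class and function names are hypothetical. It assumes the month-end rule used for calendar-month arithmetic (a request received on 31 January is due on the last day of February) and that an extended deadline is computed as three months from receipt; confirm both with your adviser.

```python
from __future__ import annotations

import calendar
from dataclasses import dataclass, field
from datetime import date


def add_calendar_months(start: date, months: int) -> date:
    """Return the date `months` calendar months after `start`.

    If the same day number does not exist in the target month (31 January
    plus one month), the result is the last day of that month. This
    month-end rule is an assumption of this example.
    """
    month_index = start.month - 1 + months
    year = start.year + month_index // 12
    month = month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


def deadline_for(received_iso: str, months: int = 1) -> str:
    """Convenience wrapper on ISO dates, e.g. deadline_for("2025-03-03") -> "2025-04-03"."""
    return add_calendar_months(date.fromisoformat(received_iso), months).isoformat()


@dataclass
class DsarRecord:
    """One entry in the DSAR log: the deadline anchor plus an audit trail."""
    requester: str
    received: date              # date the request was received, not first read
    channel: str                # e.g. "email", "letter", "web form"
    owner: str                  # named person managing the response
    extended: bool = False
    extension_reason: str = ""
    searches: list[tuple[str, str]] = field(default_factory=list)  # (system, outcome)
    withheld: list[tuple[str, str]] = field(default_factory=list)  # (item, legal basis)
    sent_on: date | None = None

    @property
    def original_deadline(self) -> date:
        return add_calendar_months(self.received, 1)

    @property
    def deadline(self) -> date:
        # A valid extension adds two further months, so three in total from
        # receipt. Counting from the receipt date is this example's assumption.
        return add_calendar_months(self.received, 3 if self.extended else 1)

    def extend(self, today: date, reason: str) -> None:
        """Extend for complex or numerous requests; only valid within the first month."""
        if today > self.original_deadline:
            raise ValueError("original deadline has passed; extension no longer possible")
        if not reason.strip():
            raise ValueError("an extension must be explained to the requester")
        self.extended = True
        self.extension_reason = reason

    def record_search(self, system: str, outcome: str) -> None:
        self.searches.append((system, outcome))

    def withhold(self, item: str, legal_basis: str) -> None:
        """Every redaction or withholding decision needs a documented basis."""
        if not legal_basis.strip():
            raise ValueError("withholding without a documented legal basis")
        self.withheld.append((item, legal_basis))

    def status(self, today: date) -> str:
        if self.sent_on is not None:
            return "closed late" if self.sent_on > self.deadline else "closed"
        return "overdue" if today > self.deadline else "open"


def example() -> dict[str, object]:
    """Constructed sample request received on the 31st, to exercise the month-end rule."""
    rec = DsarRecord("former employee", date(2025, 1, 31), "email", "HR manager")
    out: dict[str, object] = {"original_deadline": rec.original_deadline.isoformat()}
    rec.extend(date(2025, 2, 10), "search spans archived mailboxes and paper HR files")
    out["extended_deadline"] = rec.deadline.isoformat()
    rec.record_search("HR system", "12 documents")
    rec.withhold("email of 2024-11-02 about a colleague", "third-party personal data")
    out["status_on_2025_05_02"] = rec.status(date(2025, 5, 2))
    try:  # a second extension request after the first month must be refused
        rec.extend(date(2025, 5, 2), "too late")
        out["late_extension_rejected"] = False
    except ValueError:
        out["late_extension_rejected"] = True
    return out


if __name__ == "__main__":
    for key, value in example().items():
        print(f"{key}: {value}")
```

The point of the month-end clamp is that naive "add 30 days" logic gives a different (and sometimes later) date than the calendar-month rule the article describes; logging the receipt date and deriving the deadline from it removes that argument from any later dispute.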
What Happens If You Get It Wrong?
Ignoring a DSAR entirely, responding late without a valid extension, or providing a significantly incomplete response can each result in a complaint to the Data Protection Commission.
The DPC has the power to issue enforcement notices requiring compliance, formal reprimands, and financial penalties. For Article 15 breaches, the maximum fine is €20 million or 4% of global annual turnover, whichever is higher, though penalties of that scale are reserved for serious or repeated violations by large organisations.
Smaller companies are more likely to face reprimands or lower penalties. The more immediate practical risk is reputational damage and the distraction of a formal DPC investigation, which requires you to respond to queries, produce records, and justify your approach in detail.
Building a basic DSAR process before you receive one, such as a log template, a list of systems to search, and a standard response letter, means that when a request arrives, you're responding rather than scrambling.

Laura Ryan is a practising Barrister at the Bar of Ireland. She graduated from the Honourable Society of King’s Inns in 2024, having previously qualified and practised as a Chartered Accountant in a big four accounting firm.