How do you handle a data access request form?

There comes a time in every company's lifespan when an email is received from a data subject asking for access to their personal data. The General Data Protection Regulation (GDPR) specifically empowers individuals to request their personal data and protect their rights. Knowing how to handle a data access request form is critical to remain compliant with the GDPR and other relevant legislation. 

‍

What is a data access request (“DAR”)?

‍

In simple terms, a data access request in general is a request made by a data subject or “requestor” to request a data user to supply him with a copy of his personal data. This is usually done for the “requestor” to understand what data is held about them, how it is used, who it is shared with, and to ensure accuracy and lawful processing.

‍

How do you comply with a DAR?

‍

Upon receiving a DAR, a data user should follow the following steps:

1. Ascertain the identity of the requestor;
2. Assess whether it holds the relevant personal data.

‍

According to the GDPR, if a data user holds the relevant personal data, it should supply a copy of the requested data in an intelligible form and within 40 calendar days after receiving the DAR.

‍

Even if the data user does not hold the requested data, it is still required to inform the requestor within 40 days.

‍

Charge for complying with a DAR

‍

A data user may impose a fee for complying with a DAR which should not be excessive and not later than the time period under the applicable data privacy laws.

‍

These are usually framed as administrative costs for the time, effort and out-of-pocket expenses that come along with compliance. 

‍

Refusing to comply with a DAR

‍

A data user should refuse to comply with a DAR if:

‍

• It is not supplied with sufficient information to identify the requestor;
• It cannot comply without disclosing personal data of a third party;
• Where compliance is prohibited under the GDPR or any other relevant ordinance.

‍

A data user must give written notice and reasons for refusal to the requestor within 40 days from receiving the DAR and a log entry containing the particulars of the reasons must be kept for four years.

‍

Ready to Generate your Data Access Request Form?

‍

Effortlessly generate a DAR’s in minutes in just a few clicks with Doclegal.ai. We have over 2800 lawyer-curated templates built for multiple jurisdictions to meet the unique legal challenges of the common law markets while maintaining global relevance.

‍

Want to dive deeper? Check out our other blogs related to Data Privacy, Protection and Compliance:

‍

• The Importance of a Privacy Policy for Your Business in 2025
• SaaS Agreements Simplified: Meaning, Legal Issues, Examples & Template

‍