
Navigating Special Cases in Personal Data for DSARs

Understanding what is included in a DSAR request is essential for organizations handling personal data under GDPR.

While many businesses know they must respond to DSARs, fewer fully understand the scope of information that must be disclosed. A DSAR response is not just about providing raw data—it must also explain how that data is processed.

In this guide, we’ll break down what a DSAR request covers, what must be included in a response under GDPR Article 15, and the challenges businesses face when identifying all relevant data.


If you’re new to the topic, it helps to first understand what a DSAR request is and how the response process works in practice.



Understanding the Scope of a DSAR Request

A DSAR request gives individuals the right to access their personal data and understand how it is used.

This includes:

  • Whether their data is being processed
  • What data is held
  • How and why it is used

Under GDPR, this right is rooted in transparency and accountability.

Importantly, a DSAR is not limited to obvious data. It applies to any information that can identify an individual, either directly or indirectly.

To see how this fits into the full process, refer to how to respond to a DSAR request.


Types of Personal Data Included in a DSAR Response

Personal data in a DSAR response extends far beyond basic identifiers.

It may include:

  • Contact details such as name and email
  • Technical data such as IP addresses and device information
  • Behavioral data such as browsing activity
  • Transactional records such as purchase history
  • Internal records such as customer support interactions or HR data

In many cases, it also includes inferred or derived data, such as user profiles created for marketing or analytics purposes.

For a structured approach to identifying this data, see the DSAR request checklist.


What GDPR Article 15 Requires You to Disclose

Under Article 15, organizations must provide more than just data—they must provide context.

This includes:

  • Confirmation of processing
  • A copy of personal data
  • Purpose of processing
  • Categories of data
  • Recipients or third parties
  • Retention periods
  • Source of data
  • Information about rights
  • Details of automated decision-making (if applicable)

For a practical example of how this is structured, see DSAR response example under GDPR.

These elements work together to give individuals a complete understanding of how their data is handled.


Raw Data vs Contextual Information

One of the most common misunderstandings is the difference between raw data and contextual information.

  • Raw data refers to the actual data points (e.g., email address, transaction logs)
  • Contextual information explains how and why that data is used

Providing raw data alone is not sufficient under GDPR.

Organizations must explain:

  • Why the data was collected
  • How it is processed
  • How long it is stored
  • Who it is shared with

This distinction is critical for compliance and often determines whether a response meets regulatory expectations.


Real-World Examples of DSAR Responses

In practice, DSAR responses vary depending on the organization and context.


Example: E-commerce Business

A customer requests access to their data.

The response includes:

  • Order history
  • Payment-related information
  • Marketing preferences
  • Explanation of data sharing with payment providers

Example: SaaS Company

An employee submits a DSAR.

The response includes:

  • HR records
  • Internal communications
  • System access logs
  • Explanation of data processing for performance management

These examples show how DSAR responses combine data with explanation.


What Is NOT Included in a DSAR Response

Not all information must be disclosed.

Common exclusions include:

  • Data that does not relate to the individual
  • Fully anonymized or aggregated data
  • Confidential third-party information
  • Certain internal notes (depending on context)

Organizations must carefully balance transparency with privacy and confidentiality.


Challenges in Identifying All DSAR Data

Many organizations struggle to fully identify all relevant data.


Data Fragmentation

Personal data is often stored across multiple systems.


Unstructured Data

Emails, documents, and chat logs are harder to search and extract.


Third-Party Dependencies

External processors may delay or complicate data retrieval.


Time Constraints

The one-month deadline creates pressure, especially for complex requests.

Understanding the DSAR timeline under GDPR helps manage these challenges effectively.


Frequently Asked Questions (FAQs)


1. What is included in a DSAR request?

All personal data related to an individual, along with information about how it is processed.


2. Does a DSAR include inferred data?

Yes, if it relates to an identifiable individual.


3. Do companies need to explain how data is used?

Yes, this is required under GDPR Article 15.


4. Are internal notes included in a DSAR?

Sometimes, depending on whether they relate to the individual and applicable exemptions.


5. Is anonymized data included in a DSAR?

No, if it cannot identify an individual.


6. What is the biggest challenge in DSAR responses?

Identifying and compiling all relevant data across systems.


Conclusion

Understanding what is included in a DSAR request is fundamental to GDPR compliance.

A complete DSAR response must go beyond raw data to provide meaningful insight into how personal data is processed.

Organizations that approach DSARs with clarity and structure can:

  • Reduce compliance risks
  • Improve response quality
  • Build trust with users

As data ecosystems become more complex, mastering the scope of DSAR responses is essential for long-term compliance.