Data Subject Access Requests
A data subject access request is the practical use of the GDPR right of access: a person asks an organization whether it processes personal data about them, receives access to that data, and receives key information about the processing.
Definition
A data subject access request, often called a DSAR or subject access request, is a request by an individual to exercise the right of access under Article 15 of the General Data Protection Regulation. The person can ask whether personal data concerning them is being processed and, if so, receive access to the data and specified information about the processing.
The right is not an AI-transparency right in the broad sense. It does not require an organization to reveal trade secrets, full source code, all model weights, or every internal deliberation. It is narrower and more durable: the person can ask for their personal data, the purposes of processing, categories of data, recipients, retention information, rights, complaint routes, source information where the data did not come from them, and information about certain automated decision-making.
For AI systems, the access request is one of the few tools by which a watched person can force the institution to search its own traces: prompts, support records, profile attributes, inferred scores, embeddings tied to an account, human-review notes, moderation labels, or decision records, depending on what qualifies as personal data in context.
Scope
Article 15 covers confirmation of processing, access to personal data, and supplementary information. It also gives a right to information about safeguards when personal data is transferred to a third country or international organization, and a right to a copy of the personal data undergoing processing, subject to the rights and freedoms of others.
Article 12 supplies procedural discipline. Controllers must provide information on action taken without undue delay and in any event within one month of receiving the request. That period can be extended by two further months where necessary, taking account of complexity and number of requests, but the controller must inform the person of the extension and reasons within the first month.
The right applies to personal data, not every document that mentions a person and not every artifact produced by an AI system. The hard cases are often mixed records: a classifier label about a worker, a fraud score about a customer, a chatbot transcript involving several people, a moderation note that reveals staff judgment, or an embedding that can single out an account.
How It Works
A good DSAR process begins before the request arrives. The organization needs a route for recognizing requests, verifying identity when appropriate, searching systems, asking processors for relevant data, applying exemptions or limits carefully, and explaining what has been provided or withheld.
For AI systems, search scope is the practical question. Personal data may sit in product databases, prompt logs, vector indexes, CRM notes, evaluation datasets, human-review queues, vendor support tickets, fraud systems, experimentation tools, or audit logs. If the organization cannot locate the data, the right of access becomes theoretical.
Responses should distinguish raw data from explanations. A person may receive the personal data undergoing processing and information about purposes, recipients, retention, rights, source, and qualifying automated decision-making. That response can support rectification, erasure, objection, portability, complaint, appeal, or litigation, but it is not itself a full model audit.
Governance and Safety
The governance value of a DSAR is that it tests whether an institution's privacy map is real. A controller that cannot find account histories, inference records, recipients, retention periods, or automated-decision information may also struggle with deletion, correction, breach response, DPIAs, or vendor oversight.
The safety limit is that access does not equal contestability. A person can receive data and still be unable to understand a model, challenge a score, or prove harm. DSARs need to be connected to Algorithmic Recourse, Notice and Appeal, and human review where automated systems affect rights, opportunities, or standing.
Evidence Record
For AI-related systems, a DSAR evidence file should preserve the request, identity-verification step, search terms and systems searched, processors contacted, data retrieved, exclusions applied, response date, extension notice if any, and the final response package.
Where the response involves AI traces, the record should identify model or system name, relevant logs, profile attributes, inference outputs, human-review notes, source systems, recipients, retention rules, and any automated-decision information provided. If the organization concludes that an embedding, score, or model artifact is not personal data, that legal and technical reasoning should be recorded.
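A minimal evidence-file check that applies the Article 12 timing rules described under How It Works to the record fields listed above. This is an added example, not code from the page or from any regulator; the field names, the month-end clamping rule in add_months, and the two sample records are this example's own assumptions.

```python
from __future__ import annotations
import calendar
from dataclasses import dataclass
from datetime import date

def add_months(d: date, months: int) -> date:
    """Advance by whole months, clamping to the last day when the target month is
    shorter (this example's assumption for overflow such as 31 Jan + 1 month)."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))

@dataclass
class DsarRecord:
    received: date
    identity_verified: bool
    systems_searched: list[str]
    processors_contacted: list[str]
    exclusions: dict[str, str]        # withheld item -> recorded legal/technical reasoning
    extension_notice: date | None = None
    extension_months: int = 0         # Article 12: at most two further months
    responded: date | None = None

def deadline(rec: DsarRecord) -> date:
    """One month from receipt plus any notified extension."""
    return add_months(rec.received, 1 + rec.extension_months)

def check_record(rec: DsarRecord) -> list[str]:
    """Findings against the evidence file; an empty list means it is consistent."""
    findings, first_month_end = [], add_months(rec.received, 1)
    if not rec.identity_verified:
        findings.append("identity verification step not recorded")
    if not rec.systems_searched:
        findings.append("no systems searched recorded")
    if rec.extension_months > 2:
        findings.append("extension exceeds the two further months allowed")
    if rec.extension_months and (rec.extension_notice is None or rec.extension_notice > first_month_end):
        findings.append("extension notice missing or sent after the first month")
    findings += [f"exclusion '{k}' has no recorded reasoning" for k, v in rec.exclusions.items() if not v.strip()]
    if rec.responded and rec.responded > deadline(rec):
        findings.append("response sent after the statutory deadline")
    return findings

# Constructed samples: OK is consistent; LATE has a notice after the first month and an unreasoned exclusion.
OK = DsarRecord(date(2025, 1, 31), True, ["crm", "prompt_logs", "vector_index"], ["hosting-vendor"],
                {"moderation_note_17": "reveals a third party's personal data"},
                extension_notice=date(2025, 2, 20), extension_months=2, responded=date(2025, 4, 28))
LATE = DsarRecord(date(2025, 1, 31), True, ["crm"], [], {"fraud_score": ""},
                  extension_notice=date(2025, 3, 1), extension_months=2)
```

Run check_record on a record before the response package is sent; each finding names a gap in the evidence file that the Evidence Record section expects to be closed.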
Source Discipline
Do not collapse access into explanation. Article 15 contains access rights and specified information duties; Article 22 and related provisions govern certain automated decisions. Public AI explanations, model cards, system cards, and audit reports can support accountability, but they are not substitutes for the personal-data access right.
Source type matters. EUR-Lex carries the GDPR legal text. EDPB guidelines interpret the right of access at EU level. The ICO provides UK subject-access guidance. Vendor support articles can help locate data in a product, but they cannot define the legal scope of access.
Spiralist Reading
A DSAR is a person asking the machine to show its memory.
The institution prefers the person as an object of processing: account, profile, risk, segment, vector, ticket, metric, suspect, lead, user. The access request reverses the gaze. It asks what the institution has kept, what it has inferred, where it sent the record, and how long the trace is meant to live.
For Spiralism, the demand is not mystical transparency. It is administrative friction placed where silent categorization would otherwise harden into standing, ranking, or exclusion.
Open Questions
- When is an embedding, cluster assignment, fraud score, or recommender profile personal data for access purposes?
- How should controllers search model logs and vendor systems without exposing other people's data?
- What automated-decision information is meaningful enough to support contestation?
- How should organizations explain withheld material without making the withholding impossible to challenge?
- Can DSAR workflows scale when agentic systems create many small personal-data traces across tools?
Related Pages
- Right to Explanation
- Algorithmic Recourse
- Notice and Appeal
- Human Oversight of AI Systems
- Data Protection Impact Assessment
- Data Protection Officer
- Records of Processing Activities
- Data Minimization
- AI Data Retention
- Contextual Integrity
- AI System Inventory
- AI Audit Trails
Sources
- EUR-Lex, Regulation (EU) 2016/679, General Data Protection Regulation, Articles 12 and 15, reviewed June 25, 2026.
- European Data Protection Board, Guidelines 01/2022 on data subject rights - Right of access, Version 2.1, adopted March 28, 2023, corrected May 30, 2024, reviewed June 25, 2026.
- European Data Protection Board, Respect individuals' rights, SME data protection guide, reviewed June 25, 2026.
- UK Information Commissioner's Office, Subject access requests, guidance hub, reviewed June 25, 2026.
- UK Information Commissioner's Office, A guide to subject access, reviewed June 25, 2026.