Individual Rights | Updated June 4, 2026 | 14 min read

Data Subject Access Request (DSAR) Requirements in Ireland and the UK

A Data Subject Access Request is an individual's GDPR Article 15 right to obtain a copy of their personal data and related information. This guide compares the deadlines, fees, identity checks and exemptions that apply in Ireland under the DPC and in the UK under the ICO, side by side.

What is a Data Subject Access Request (DSAR)?

A Data Subject Access Request (DSAR), also called a subject access request or SAR, is the exercise of an individual's right under Article 15 of the GDPR to obtain confirmation of whether an organisation is processing their personal data and, if so, a copy of that data together with prescribed supplementary information. The same right applies in Ireland under the EU GDPR and in the UK under the UK GDPR, so the substance of what an individual can ask for is closely aligned across both jurisdictions even though the supervisory authorities and some procedural rules differ.

Article 15(1) entitles the requester not only to a copy of their personal data but also to information about the purposes of processing, the categories of personal data concerned, the recipients or categories of recipients, the envisaged retention period, the existence of their other rights, the right to lodge a complaint with a supervisory authority, the source of the data where it was not collected from the individual, and the existence of any automated decision-making including profiling.

A DSAR can be made verbally or in writing, to any part of the organisation, and the requester does not have to use the words 'subject access request' or cite Article 15. This is one of the most common operational traps: a complaint email, an HR grievance, or a line in a customer-service chat can all be valid DSARs that start the statutory clock.

Is responding to a DSAR a legal obligation in Ireland and the UK?

Yes. Responding to a valid DSAR is a binding legal obligation in both jurisdictions, not a customer-service courtesy. In Ireland the right of access sits in Article 15 of the EU GDPR (Regulation (EU) 2016/679), supervised and enforced by the Data Protection Commission (DPC), with domestic detail in the Data Protection Act 2018. In the UK the equivalent right sits in Article 15 of the UK GDPR, supervised and enforced by the Information Commissioner's Office (ICO), with procedural detail in the Data Protection Act 2018 as amended by the Data (Use and Access) Act 2025.

Failure to respond, or responding incompletely or late, can lead to a complaint to the DPC or ICO, a regulator-ordered remedy, and in serious or systemic cases an administrative fine. Both regulators treat access requests as a frequent source of complaints, so DSAR handling is a high-volume, high-scrutiny area of day-to-day compliance.

  • Who it binds: every controller processing the requester's personal data, in Ireland under the EU GDPR and in the UK under the UK GDPR.
  • Who can be asked: a processor that receives a DSAR must pass it to the relevant controller, who remains responsible for responding.
  • Who enforces it: the Data Protection Commission (DPC) in Ireland and the Information Commissioner's Office (ICO) in the UK.

What must an organisation provide in response to a DSAR?

Article 15 sets out a fixed list of what a complete response must contain. Beyond a copy of the personal data itself, the response must explain the context of the processing so the individual can understand and, if they wish, challenge it. The information should be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language (Article 12(1)).

  • A copy of the personal data undergoing processing (Article 15(3)).
  • The purposes of the processing.
  • The categories of personal data concerned.
  • The recipients or categories of recipients, especially recipients in third countries or international organisations, and the safeguards used for any such transfers.
  • The envisaged retention period, or the criteria used to set it.
  • The existence of the rights to rectification, erasure, restriction and objection.
  • The right to lodge a complaint with the DPC (Ireland) or the ICO (UK).
  • Where the data was not collected from the individual, any available information about its source.
  • The existence of automated decision-making, including profiling, and meaningful information about the logic involved and the consequences for the individual (Article 15(1)(h)).

What is the deadline to respond, and when can it be extended?

The core deadline is identical in Ireland and the UK: under Article 12(3) the organisation must respond without undue delay and, in any event, within one month of receiving the request. The one-month period runs from the day of receipt and is calculated as a calendar month, so a request received on 15 March is due by 15 April. Where there is no corresponding day in the next month, the period ends on the last day of that month. If the deadline falls on a weekend or public holiday, both regulators treat the next working day as the due date.

The period can be extended by up to two further months (a maximum of three months in total) where this is necessary taking into account the complexity and number of requests (Article 12(3)). To rely on the extension, the organisation must inform the requester of the extension and the reasons for the delay within the first month. The extension is for genuinely complex or high-volume situations, not for ordinary administrative convenience.

Both regulators allow the clock to be paused in limited circumstances. Where the organisation reasonably needs to verify the requester's identity under Article 12(6), or needs to clarify the scope of a broad request, the time limit does not start (or is paused) until that information is provided. In the UK, the Data (Use and Access) Act 2025 puts this long-standing 'stop the clock' approach for identity verification and clarification onto a statutory footing as the relevant provisions are commenced. The DPC applies the equivalent practice under the EU GDPR and, separately, recommends that controllers aim to respond as quickly as possible rather than waiting until the end of the month.

Can an organisation charge a fee for a DSAR?

In both Ireland and the UK the default position is that a DSAR must be handled free of charge (Article 12(5)). An organisation cannot impose a fee simply because a request is inconvenient or time-consuming.

A reasonable fee, based on administrative cost, is permitted only in narrow cases: where the request is manifestly unfounded or excessive, or where the individual asks for further copies of data already provided. The same Article 12(5) test allows the organisation to refuse to act on a manifestly unfounded or excessive request instead of charging a fee. In every case the burden is on the organisation to demonstrate that the high 'manifestly unfounded or excessive' threshold is met, and a refusal must be explained to the requester along with their right to complain to the regulator and to seek a judicial remedy.

Verifying identity and the rights of others

An organisation may, and often should, take reasonable steps to confirm the identity of a requester before disclosing personal data, so that data is not released to the wrong person. Article 12(6) allows the controller, where it has reasonable doubts about the requester's identity, to ask for additional information needed to confirm it, and Recital 64 reinforces using reasonable measures to verify identity, particularly in the context of online services. The verification request must be proportionate: organisations should not demand excessive documentation as a tactic to delay or deter a legitimate request, and should only ask for information genuinely needed to confirm identity.

A DSAR is limited to the requester's own personal data. Where records contain mixed personal data about other identifiable individuals, the organisation must balance the requester's right of access against the rights and freedoms of those third parties, disclosing the third party's information only where that person has consented or where it is otherwise reasonable to disclose without consent. The DPC and ICO have both published guidance on handling mixed personal data, redaction, and the difference between withholding genuinely third-party data and over-redacting to avoid the work. The DPC's guidance expects organisations to carry out and document a case-specific balancing assessment for any data withheld on third-party grounds.

Exemptions: when can data be withheld?

Neither the right of access nor the obligation to respond is absolute. Both jurisdictions allow specific, limited exemptions, but the structure differs and each exemption must be applied narrowly, on a case-by-case basis, and only to the extent necessary.

In Ireland, restrictions on the right of access are grounded in Article 23 of the EU GDPR and given domestic effect by the Data Protection Act 2018. Section 60 of the Act restricts the rights in Articles 12 to 22 where this is necessary and proportionate for important objectives of general public interest, such as national security and defence, the prevention, detection, investigation or prosecution of criminal offences, the administration of tax, and the establishment, exercise or defence of legal claims. Legal professional privilege is dealt with separately: section 162 of the Act provides that the right of access does not apply to personal data that is subject to legal advice or litigation privilege, or where compliance would breach an obligation of confidence. The data controller must be able to identify the specific statutory basis relied upon and explain it to the requester.

In the UK, the main exemptions sit in Schedule 2 to the Data Protection Act 2018. These include the crime and taxation exemption, legal professional privilege (Schedule 2, paragraph 19), management forecasts, negotiations, confidential references, and others, with further special-category and research-related provisions in Schedules 3 and 4. Many UK access exemptions are 'prejudice-based': the crime and taxation exemption, for example, applies only to the extent that complying would be likely to prejudice the protected purpose, and exemptions must be assessed for each item of data rather than applied as a blanket refusal. The legal professional privilege exemption in paragraph 19 applies to information over which privilege could be maintained in legal proceedings, regardless of prejudice.

DPC (Ireland) vs ICO (UK): a side-by-side comparison

The legal core of the right of access is harmonised because both regimes derive from the GDPR, but the supervisory authority, the underlying statute, and a handful of procedural details differ. The table below summarises the practical distinctions that matter when an organisation operates across both jurisdictions.

| Ireland (DPC / EU GDPR) | United Kingdom (ICO / UK GDPR) |
| --- | --- |
| Supervisory authority: Data Protection Commission (DPC). | Supervisory authority: Information Commissioner's Office (ICO). |
| Legal basis: Article 15 EU GDPR (Regulation (EU) 2016/679). | Legal basis: Article 15 UK GDPR. |
| Procedural detail and restrictions: Data Protection Act 2018 (e.g. section 60 public-interest restrictions; section 162 legal privilege) plus Article 23. | Procedural detail and exemptions: Data Protection Act 2018, as amended by the Data (Use and Access) Act 2025. |
| Deadline: one month under Article 12(3); DPC recommends responding as soon as possible. | Deadline: one month under Article 12(3); 'stop the clock' for ID/clarification placed on a statutory footing by the Data (Use and Access) Act 2025. |
| Extension: up to two further months for complex or numerous requests, notified within one month. | Extension: up to two further months for complex or numerous requests, notified within one month. |
| Fee: free of charge; reasonable fee or refusal only where manifestly unfounded or excessive (Article 12(5)). | Fee: free of charge; reasonable fee or refusal only where manifestly unfounded or excessive (Article 12(5)). |
| Exemptions: public-interest restrictions under DPA 2018 section 60 and Article 23, plus legal privilege under section 162, applied narrowly. | Exemptions: DPA 2018 Schedule 2 (incl. crime/taxation, legal privilege at paragraph 19, management forecasts) and related schedules. |
| Search standard: a full but proportionate search for the requester's personal data; the EU GDPR text is unchanged. | Search standard: 'reasonable and proportionate search' codified by the Data (Use and Access) Act 2025. |

Common pitfalls in DSAR handling

Most DSAR failures are operational rather than legal. The right of access is well understood; the breakdowns happen in recognition, search, tracking and review.

  • Not recognising the request: a DSAR can be verbal, informal, and addressed to anyone, so requests buried in complaints or HR correspondence are missed and the deadline is breached before anyone notices.
  • Starting the clock late or not tracking it: without a logged receipt date and a defined owner, the one-month deadline is easy to miss, and the extension cannot be relied on because the notification window has already passed.
  • Over-using the extension or exemptions: treating every request as 'complex', or applying a Schedule 2 exemption or an Irish section 60 or section 162 restriction as a blanket refusal rather than item by item, exposes the organisation to a well-founded complaint.
  • Incomplete searches: failing to cover email, chat, ticketing, HR, backups and shadow systems leaves out personal data the requester is entitled to; in the UK the test is a reasonable and proportionate search, not a token one.
  • Weak third-party redaction: either disclosing other people's data, or over-redacting to save effort, both create risk and can attract regulator criticism.
  • No audit trail: if the organisation cannot show what it searched, what it disclosed, what it withheld and why, it cannot defend its response to the DPC or ICO.

2026 regulatory developments

In the UK, the Data (Use and Access) Act 2025 (which received Royal Assent on 19 June 2025) is the most significant recent change for access requests. It codifies the long-standing ICO expectation that organisations carry out a 'reasonable and proportionate search' rather than an exhaustive one, and it places the 'stop the clock' mechanism for identity verification and scope clarification on a statutory footing. These data-protection changes are being commenced in stages by commencement regulations, so organisations should check which provisions are in force and follow the ICO's current published guidance for the operative detail rather than assuming every change is live.

In Ireland, the EU GDPR text is unchanged, and the DPC continues to treat access requests as a major source of complaints. The DPC's 2025 guidance, including its March 2025 blog on handling subject access requests, reinforces expectations around timeliness, properly reasoned use of restrictions, and careful, documented handling of mixed personal data. Organisations operating in both jurisdictions should not assume the UK's 'reasonable and proportionate search' language changes their EU obligations, and should document their search and review approach under each regime separately.

A further 2026 theme is the intersection of access rights with automated decision-making and AI. Article 15(1)(h) already requires meaningful information about the logic of automated decisions, and the phased application of the EU AI Act increases the importance of being able to explain AI-assisted processing when an individual asks. A practical governance approach is to keep these explanations consistent with what is recorded elsewhere, such as the organisation's record of processing activities and its assessments, so a DSAR response does not contradict the documentation a regulator can already see.

How Acompli helps with DSAR readiness

Acompli's DSAR tooling is built to make access requests faster and more defensible without removing human judgement. The software assists the people responsible for the request: it helps log and date-stamp incoming requests, route them to the right owner, track the one-month deadline and any extension, surface likely locations of the requester's personal data, and draft response packs for review. It can classify and flag potential third-party data and possible exemptions so a reviewer can decide what to redact or withhold.

Every consequential step stays with a person. Acompli does not decide on its own whether an exemption applies, whether a request is manifestly unfounded or excessive, or what to release; it surfaces and drafts, and a human reviewer or DPO approves the final response. This keeps the legal calls where they belong while reducing the manual overhead that causes missed deadlines and inconsistent disclosures.

Because DSAR handling draws on the same underlying picture of the organisation's processing, it works best alongside an up-to-date record of processing activities and assessments. Linking access requests to that source material is what lets an organisation answer consistently and show its working if the DPC or ICO ever asks.

DSAR requirements FAQ

What is a DSAR and what does it cover in Ireland and the UK?

A Data Subject Access Request (DSAR) is an individual's right under Article 15 of the GDPR to confirm whether an organisation is processing their personal data and to receive a copy of it along with information such as the purposes, recipients, retention period and source. The right applies in Ireland under the EU GDPR, supervised by the Data Protection Commission, and in the UK under the UK GDPR, supervised by the Information Commissioner's Office. The substance is closely aligned across both jurisdictions, with only some procedural details differing.

How long do we have to respond to a DSAR in Ireland and the UK?

In both Ireland and the UK you must respond without undue delay and within one month of receiving the request under Article 12(3). You can extend by up to two further months, giving a maximum of three months, only where the request is complex or you have received a number of requests from the individual, and you must tell the requester about the extension and the reasons within the first month. In the UK the clock can be paused while you verify identity or clarify the scope of the request, and the DPC applies the equivalent approach in Ireland.

Can we charge a fee for a DSAR?

No, not in normal circumstances. In both Ireland and the UK a DSAR must be handled free of charge under Article 12(5). You may only charge a reasonable, administrative-cost fee where a request is manifestly unfounded or excessive, or where the individual asks for further copies of data already provided. The same threshold lets you refuse to act on a manifestly unfounded or excessive request, but you must be able to demonstrate that the high threshold is met and explain the refusal and the right to complain.

Can we ask the requester to prove their identity?

Yes. Under Article 12(6) of the GDPR, where you have reasonable doubts about the requester's identity you can ask for additional information needed to confirm it before disclosing personal data, and Recital 64 supports using reasonable verification measures, so that you do not release data to the wrong person. The request for verification must be proportionate and limited to what is genuinely needed; you should not demand excessive documentation to delay or deter a legitimate request. In both Ireland and the UK the response clock does not start, or is paused, until the requester provides the information reasonably needed to verify their identity.

When can we refuse or withhold data from a DSAR?

Both jurisdictions allow narrow, item-by-item exemptions. In Ireland, restrictions come from Article 23 of the EU GDPR and the Data Protection Act 2018: section 60 covers public-interest grounds such as the prevention or investigation of criminal offences, national security and legal claims, while section 162 covers legal professional privilege. In the UK, the main exemptions are in Schedule 2 of the Data Protection Act 2018, such as crime and taxation, legal professional privilege at paragraph 19, and management forecasts; several are prejudice-based, meaning they apply only to the extent that disclosure would be likely to prejudice the protected purpose. You must justify each use of an exemption rather than refusing in bulk.

How do we handle other people's data that appears in the records?

A DSAR only covers the requester's own personal data, so where records also contain personal data about other identifiable individuals you must balance the requester's right of access against the rights of those third parties. You should disclose third-party information only where that person has consented or where it is otherwise reasonable to do so without consent, and redact only what is genuinely third-party data. Both the DPC and the ICO have published guidance on handling mixed personal data, and the DPC expects you to carry out and document a case-specific balancing assessment, warning against both wrongful disclosure and over-redaction used to avoid the work.

What does the Data (Use and Access) Act 2025 change for UK DSARs?

The Data (Use and Access) Act 2025, which received Royal Assent on 19 June 2025, amends the UK framework for access requests in two practical ways. It codifies the expectation that organisations carry out a reasonable and proportionate search rather than an exhaustive one, and it puts the long-standing stop-the-clock approach, where the response deadline is paused while you verify identity or clarify scope, onto a statutory footing. The data-protection changes are being commenced in stages, so check which provisions are in force. These changes apply in the UK only; the EU GDPR position in Ireland is unchanged, so organisations operating in both jurisdictions should document their approach separately for each regime and follow the ICO's current guidance for the UK detail.

How can we make DSAR handling audit-ready across both jurisdictions?

Audit-readiness comes from a consistent, evidenced process: log and date-stamp every request, assign an owner, track the one-month deadline and any extension, run a documented search across all relevant systems, record what was disclosed, what was withheld and the specific exemption relied upon, and keep the response itself. If the DPC or the ICO asks, you should be able to show your search scope, your identity-verification steps and your reasoning, including any third-party balancing assessment. Maintaining this trail consistently across Ireland and the UK is what lets you defend a response rather than reconstruct it after a complaint.

Does Acompli make legal decisions about a DSAR?

No. Acompli's DSAR tooling assists the people handling the request: it helps log and date-stamp requests, track deadlines, route work, surface likely locations of the requester's data, flag potential third-party data and possible exemptions, and draft response packs. It does not decide on its own whether an exemption applies, whether a request is manifestly unfounded or excessive, or what to release. Those calls stay with a human reviewer or DPO, who approves the final response. The software reduces manual overhead and the risk of missed deadlines while keeping legal judgement with a person.

Is a DSAR the same as the right to be forgotten or other GDPR rights?

No. A DSAR is specifically the Article 15 right of access, which is about obtaining a copy of personal data and related information. It is separate from the right to erasure under Article 17, sometimes called the right to be forgotten, and from the rights to rectification, restriction, objection and data portability. An access request often arrives first and can lead to follow-up requests under those other rights, so a good DSAR process should make it easy to recognise and route the related request types correctly in both Ireland and the UK.