
What is a Subject Access Request (SAR) or Data Subject Access Request (DSAR)?

A Subject Access Request (SAR), also known as a Data Subject Access Request (DSAR), is a formal request from an individual to access the personal data an organization holds about them. Under GDPR Article 15 and similar provisions in other privacy laws, individuals have the right to obtain confirmation of whether their data is being processed, access to the personal data itself, and supplementary information about how that data is used. This right allows people to understand what organizations know about them and verify that their data is being handled appropriately.

For email marketers, a SAR typically requires providing all subscriber data held about the requester: email address, name, profile attributes, preference settings, consent records, engagement history (opens, clicks, conversions), segmentation assignments, and any other personal information you've collected or generated about them. You must also explain how you use this data, where it came from, who you've shared it with, and how long you'll retain it. The response should be comprehensive; omitting data categories you hold would be a violation.

Organizations must have processes in place to handle SARs efficiently. This includes verifying the requester's identity (to prevent data exposure to impostors), locating all relevant data across systems (ESP, CRM, analytics, backups), compiling a readable response, and delivering it within required timeframes. Most privacy regulations allow SARs to be made verbally or in writing, through any channel, so you should be prepared to receive and process requests arriving via email, customer service, postal mail, or your website. A SAR is a subscriber saying "show me what you know about me", and you must answer completely and honestly.