Introduction to DSAR
The Data Subject Access Request (DSAR) is a core element of data privacy regulations worldwide, including the General Data Protection Regulation (GDPR) in Europe and the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), in the U.S. The GDPR, enforceable since May 2018, was designed to give individuals control over their personal data. The right of access, one of the eight data subject rights it confers, lets an individual obtain confirmation that an organization is processing their data, a copy of that data, and details of how it is used, why it was collected, and more. The right itself predates the GDPR under earlier EU data protection law; the GDPR and the privacy laws that followed it widened the categories of information an organization must provide in response and simplified the process by which individuals make such requests.
Deciphering the Data Subject Access Request
A DSAR is a request from an individual to an organization for the personal data it holds about them and for information about how that data is processed. It lets the individual verify, at reasonable intervals, that the processing is lawful. Under GDPR, CCPA/CPRA, and similar laws the organization must disclose, among other things, the purposes for which the personal data is processed.
Responsibilities of the Company/Organization
Upon receiving a DSAR, an organization must confirm whether it processes the individual's personal data, provide a copy of that data, and supply additional information such as:
- The purposes of the processing
- The recipients or categories of recipients with whom the data is shared, including third parties
- The categories of personal data being processed
- The source of the data, if it was not collected from the individual
- The retention period or, where that cannot be stated, the criteria used to determine it
- Whether automated decision-making or profiling takes place and, if so, the logic involved and its significance for the individual
- The individual's other rights under the applicable law (GDPR, CCPA, CPRA, etc.), including the right to rectification, erasure, and complaint to a supervisory authority
Who can File a DSAR?
Any individual whose personal data an organization processes can file a DSAR, regardless of their relationship with the organization, be it employee, customer, partner, or contractor. A DSAR can also be filed on someone else's behalf by a representative who holds the necessary authorization to act for them.
Process of Submitting a DSAR
DSARs can be submitted in writing or verbally, for example over the phone or through an online form. A request can arrive through any channel and need not mention the GDPR, CCPA, CPRA, or any particular right or regulation; the organization must still recognize it as a DSAR and respond promptly. A submission form may look like this:
Identity Verification
Under privacy laws such as GDPR, CCPA, and CPRA, organizations must take reasonable measures to confirm the identity of the requester before disclosing anything, because a data package sent to the wrong person is itself a personal data breach. Equally, they must not demand more information than the verification actually requires.
Company Response
Companies should designate one person to own DSAR handling and oversee compliance with the process. Automation helps, especially for smaller teams, by tracking deadlines and the systems that still need to be queried.
Responding to DSARs: Timelines and Fees
Under GDPR, a response is due within one month of receipt; this can be extended by up to two further months for complex or numerous requests, provided the individual is told of the extension within the first month. Under CCPA/CPRA the deadline is 45 days, extendable once by a further 45 days. Charging a fee is generally not permitted. GDPR allows a reasonable fee only for manifestly unfounded or excessive requests, or for further copies of data already provided, and the fee may cover administrative costs only, not profit.
Refusal to Respond to DSARs
An organization may refuse to act on a DSAR only if the request is manifestly unfounded or excessive, for example because it repeats a request already answered. The organization carries the burden of demonstrating that this is the case, must explain the refusal to the individual within the normal response period, and must inform them of their right to complain to the supervisory authority and to seek a judicial remedy. The decision must be defensible to that authority.
Automating DSARs for Compliance
The right of access is just one of the rights conferred by privacy regulations such as GDPR, CCPA, and CPRA. Because compliance, reputation, and transparency toward customers all depend on fulfilling DSARs correctly and on time, many organizations invest in privacy tools to manage them.
The Role of PieEye
PieEye serves as a leading solution for managing data subject rights. It automates the DSAR process, providing a centralized hub for receiving and tracking requests, locating the information needed to answer them, and responding within the statutory deadlines. This automation supports transparency and compliance and gives organizations a clearer view of the preferences and requirements of their data subjects.
How DSARs Impact Your Shopify or BigCommerce Store
When a customer submits a DSAR to your eCommerce brand, you need to know exactly what data you're holding about them—and you likely hold more than you realize. Your Shopify or BigCommerce store captures customer names, emails, phone numbers, purchase history, and IP addresses. But you're also collecting data through third-party integrations: Klaviyo tracks email engagement, Google Analytics records browsing behavior, Meta Pixel logs site interactions, and your payment processor stores payment method details.
The challenge is that this data lives in multiple systems. A customer's email preferences might be in Klaviyo while their browsing history sits in Google Analytics. When you receive a DSAR the clock starts, one month under GDPR and 45 days under CCPA/CPRA, and you have to compile everything in that window. Without a clear process for pulling data from each tool you will miss information and fall short of what the law requires.
Start by mapping all the tools your brand uses and where customer data flows. Document which platform owns which data points, and which consent category each one depends on. Then create a checklist so that when a DSAR arrives you know exactly where to look. Many brands miss this step and only provide data from their core platform, leaving out third-party integrations entirely. That is not a complete response, and it is exactly the gap a customer or a regulator will spot.
Your team also needs to know who's responsible for responding. Designate one person—often your privacy officer or compliance lead—to receive DSARs, coordinate across departments, and send the final response. Without clear ownership, requests get lost or delayed.
DSAR Requests and Cookie Banners: What's Connected
Your cookie banner and DSAR process are more intertwined than you might think. When you collect consent for analytics cookies, retargeting pixels, or marketing emails, you're documenting which data collection the customer agreed to. That consent record becomes part of their DSAR response.
If a customer files a DSAR, they can ask why you are processing their data, and your answer depends in part on what consent they gave (or refused). If they rejected marketing cookies but their data is still flowing to Klaviyo, that is a discrepancy you have to account for in the DSAR response, and it points to a compliance gap in your cookie banner or consent flow.
Review your cookie banner settings regularly to make sure they match what your site actually does. If your banner says Google Analytics will not run without consent, but the tag fires on page load before the banner has been answered, that inconsistency surfaces the moment a customer requests their data and finds analytics records they never agreed to. Comparing each customer's consent record against the tracking events actually logged for them is the most direct way to catch this before they do.
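The check described above, as an added example that is not code from the original article or from any of the vendors it names: a consent record is compared against tracking events for the same customer, and every event the recorded consent does not cover becomes a finding to resolve before the DSAR response goes out. The vendor-to-category map, the log line format, and the sample events are constructed assumptions; a real store would read these from its consent platform and tag manager.

```python
"""Consent-vs-tracking consistency check for a DSAR response.

Added example, not from the original article or any vendor it names.
The vendor-to-category map, the log line format and the sample events
below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, List

# Assumed data map: the consent category each third-party tag depends on.
VENDOR_CATEGORY = {
    "shopify_checkout": "necessary",   # strictly necessary: no consent needed
    "google_analytics": "analytics",
    "meta_pixel": "marketing",
    "klaviyo": "marketing",
}


@dataclass(frozen=True)
class Consent:
    """Banner decision recorded for one customer."""
    subject_id: str
    decided_at: datetime
    granted: frozenset            # categories the customer accepted


@dataclass(frozen=True)
class TrackingEvent:
    fired_at: datetime
    subject_id: str
    vendor: str


def parse_event(line: str) -> TrackingEvent:
    """Parse one constructed log line: '<ISO-8601 UTC> <subject_id> <vendor>'."""
    ts, subject_id, vendor = line.split()
    return TrackingEvent(datetime.fromisoformat(ts.replace("Z", "+00:00")), subject_id, vendor)


def check_consent(consent: Consent, events: Iterable[TrackingEvent]) -> List[str]:
    """Return one finding per event that the recorded consent does not cover.

    Three failure modes are flagged: a tag that fired before the customer
    decided, a tag whose category the customer declined, and a tag missing
    from the data map (so nobody can say which consent it relied on).
    """
    findings = []
    for ev in events:
        if ev.subject_id != consent.subject_id:
            continue                      # another customer's data; not part of this DSAR
        category = VENDOR_CATEGORY.get(ev.vendor)
        when = ev.fired_at.isoformat()
        if category is None:
            findings.append(f"{when} {ev.vendor}: vendor not in data map")
        elif category == "necessary":
            continue
        elif ev.fired_at < consent.decided_at:
            findings.append(f"{when} {ev.vendor}: fired before consent was recorded")
        elif category not in consent.granted:
            findings.append(f"{when} {ev.vendor}: requires '{category}' consent, which was declined")
    return findings


# Constructed sample: cust_123 accepted analytics and declined marketing at 10:15:30.
SAMPLE_CONSENT = Consent(
    subject_id="cust_123",
    decided_at=datetime(2024, 3, 2, 10, 15, 30, tzinfo=timezone.utc),
    granted=frozenset({"analytics"}),
)
SAMPLE_LOG = """\
2024-03-02T10:15:05Z cust_123 google_analytics
2024-03-02T10:16:00Z cust_123 google_analytics
2024-03-02T10:16:10Z cust_123 meta_pixel
2024-03-02T10:16:20Z cust_123 shopify_checkout
2024-03-02T10:17:00Z cust_999 klaviyo
2024-03-02T10:18:00Z cust_123 hotjar
"""


def sample_findings() -> List[str]:
    """Run the check over the constructed sample; three of the six events are findings."""
    events = [parse_event(line) for line in SAMPLE_LOG.splitlines() if line.strip()]
    return check_consent(SAMPLE_CONSENT, events)


if __name__ == "__main__":
    for finding in sample_findings():
        print(finding)
```

Against the sample, the first Google Analytics hit is flagged because it fired before the banner was answered, the Meta Pixel hit because marketing consent was declined, and the hotjar event because it is not in the data map at all; the second Google Analytics hit and the checkout event are fine, and the cust_999 event belongs to someone else's DSAR.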
Some brands also include a DSAR link directly in their cookie banner or privacy policy, making it easier for customers to submit requests. This transparency builds trust and reduces the friction between consent collection and data access rights.
Common DSAR Mistakes eCommerce Brands Make
Many mid-market brands accidentally violate DSAR requirements because they don't understand the scope of what they must provide. The most common mistake is treating a DSAR like a customer service request instead of a legal obligation.
Don't ask unnecessary questions before fulfilling a DSAR. You do need to verify identity, but demanding a government ID, card details, or other documents beyond what the account already holds is both a red flag to regulators and a fresh collection of personal data you then have to protect. For an existing customer, proof of control of the email address on the account is usually sufficient: send a one-time confirmation link or code to that address, and deliver the data package only to that address once it comes back. Simply asking "Is this the email address on your account?" proves nothing, since anyone holding a leaked address can answer yes; the point of the check is that the requester must be able to read mail sent to the address you already have.
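One way to implement that proof-of-control step, as an added example rather than code from the original article or from any vendor: a one-time code is sent to the address already on the account, stored only as an HMAC bound to the request so it cannot be replayed against another DSAR, compared in constant time, limited to a handful of attempts, and expired after fifteen minutes. The in-memory store, the constructed customer list, and the `send_email` hook are assumptions; a real deployment would back these with the store's database and mail provider.

```python
"""Proof-of-control identity check for a DSAR.

Added example, not from the original article or any vendor.  The requester
is not asked a question answerable from leaked data; instead a one-time code
goes to the email address already on the account, and the data package is
released only to that address once the code comes back.  The in-memory
store, the customer list and the email hook are assumptions.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

CODE_TTL_SECONDS = 15 * 60     # a code is useless after fifteen minutes
MAX_ATTEMPTS = 5               # eight digits give 1e8 codes; five guesses is hopeless

# Constructed customer list standing in for the store's account database.
CUSTOMERS = {"ana@example.com", "bo@example.com"}

# Identical reply whether or not the address exists, so the DSAR endpoint
# cannot be used to enumerate customers.
NEUTRAL_REPLY = "If that address is on file, a verification code has been sent to it."


@dataclass
class Pending:
    account_email: str
    code_hash: bytes
    expires_at: float
    attempts: int = 0


class DsarVerifier:
    def __init__(self, server_key: bytes, send_email: Callable[[str, str], None],
                 clock: Callable[[], float] = time.time) -> None:
        self._key = server_key
        self._send_email = send_email
        self._clock = clock
        self._pending: Dict[str, Pending] = {}

    def _digest(self, request_id: str, code: str) -> bytes:
        # HMAC binds the code to this request, so a code leaked from one DSAR
        # cannot be replayed against another, and the store never holds plaintext codes.
        return hmac.new(self._key, f"{request_id}\0{code}".encode(), hashlib.sha256).digest()

    def start(self, request_id: str, claimed_email: str) -> str:
        """Begin verification for a request. The code goes to the address on the
        account; the requester proves control of it by echoing the code back."""
        email = claimed_email.strip().lower()
        if email in CUSTOMERS:
            code = f"{secrets.randbelow(10**8):08d}"
            self._pending[request_id] = Pending(
                account_email=email,
                code_hash=self._digest(request_id, code),
                expires_at=self._clock() + CODE_TTL_SECONDS,
            )
            self._send_email(email, code)
        return NEUTRAL_REPLY

    def confirm(self, request_id: str, submitted_code: str) -> Optional[str]:
        """Return the verified account email (the only place the data package may
        be sent) if the code is right, else None. A code is single-use."""
        pending = self._pending.get(request_id)
        if pending is None:
            return None
        if self._clock() > pending.expires_at:
            del self._pending[request_id]
            return None
        pending.attempts += 1
        if pending.attempts > MAX_ATTEMPTS:
            del self._pending[request_id]     # lock the request rather than allow brute force
            return None
        if hmac.compare_digest(self._digest(request_id, submitted_code), pending.code_hash):
            del self._pending[request_id]
            return pending.account_email
        return None
```

The verifier never takes the requester's word for the address: the only thing it ever returns is the address that was already on file, which is where the response must be delivered. Lookups are by the claimed address, but the same design works for account number or order reference as the key, as long as the code still travels only to the contact details the store already holds.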
Another mistake is charging fees when you shouldn't. You may charge only for manifestly unfounded or excessive requests (or, under GDPR, for further copies of data already provided), and the fee must cover administrative costs, not profit. Most DSARs fall outside that category, so most DSARs should be free.
Brands also often fail to include data from connected services. If you use a loyalty program, referral platform, or review tool, that data is still about the customer and must be included. Don't just send what's in your Shopify database and call it complete.
Finally, don't ignore requests that don't explicitly say "DSAR" or mention specific regulations. A customer email saying "Can I see what data you have about me?" is a DSAR. You're legally required to recognize and respond to it, whether or not they use formal language.