DSAR Template Generator
Generate Data Subject Access Request templates for GDPR compliance
To: [Company Name]
From: [Your Name]
Date: 2026-05-21
Subject: Data Subject Access Request
Dear Data Protection Officer,
I am writing to request access to all personal data you hold about me, as provided for under Article 15 of the General Data Protection Regulation (GDPR).
Please provide me with:
1. Confirmation of whether you are processing my personal data
2. A copy of all personal data you hold about me
3. The purposes of the processing
4. The categories of personal data concerned
5. The recipients or categories of recipients
6. The retention period or criteria for determining it
7. Information about any automated decision-making, including profiling
My account details:
- Name: [Your Name]
- Email: [your@email.com]
Please respond to this request within one month as required by the GDPR. If you need to verify my identity, please contact me at the email address above.
Thank you for your prompt attention to this matter.
Sincerely,
[Your Name]About This Tool
You want to know what a company has on you. GDPR Article 15 gives you that right (in the EU and UK), and CCPA does similar in California. But the request needs to be specific enough that the company can't bounce it as malformed. The generator builds the letter for you — recipient, requesting party, what you want disclosed, in the format companies actually act on.
Fill in your details, the company's data protection officer or generic privacy contact, and the categories you're requesting. Output is a copy-paste email or letter with the right legal references for the regime you're invoking (GDPR, UK GDPR, CCPA).
Not legal advice. If a company refuses or stonewalls, escalation paths differ by jurisdiction.
The structure of a valid Data Subject Access Request mirrors what data protection law actually demands. You identify yourself (enough that the company can confirm it's really you, not enough that it becomes a privacy risk in itself), you cite the legal basis (GDPR Article 15 for EU/UK, CCPA for California, similar provisions for other jurisdictions), you specify the scope of what you want disclosed, and you state how you want to receive the response (electronic format is standard). Companies subject to GDPR have one month to respond, extendable to three months for complex requests; CCPA gives them 45 days, extendable to 90.
A worked example: you want to know what a major retailer has on you. The generator produces a letter addressed to the company's data protection officer (or generic privacy contact) that opens with a clear statement: 'Pursuant to Article 15 of the General Data Protection Regulation, I am requesting access to my personal data.' It then specifies categories — purchase history, marketing preferences, support interactions, profiling data, sources of data, and recipients with whom data has been shared. It provides your name, email, and account number for identity verification, and requests electronic delivery to your email address.
Where requests get bounced: vague scope ('all my data'), missing identity verification, or sending to a generic support email rather than the privacy contact. The generator builds in the language that triggers the legal clock — phrases like 'this is a formal data subject access request under [GDPR/CCPA]' put the company on notice that the response window has started. Companies typically have automated DSAR intake systems; using their formal channel ensures the request gets routed correctly rather than sitting in a customer-service queue.
What the generator can't do: force compliance. If a company stonewalls, your remedy under GDPR is filing a complaint with your country's data protection authority (DPA). Under CCPA, you can complain to the California Attorney General. The DPA route in EU countries has been more responsive than the equivalent in the U.S., partly because GDPR has serious enforcement teeth (fines up to 4% of global annual revenue). Smaller companies sometimes ignore initial requests and only respond after the DPA reaches out. Your follow-up patience and DPA reach-out is the actual enforcement mechanism behind the legal text.
The about text and FAQ on this page were drafted with AI assistance and reviewed by a member of the Coherence Daddy team before publishing. See our Content Policy for editorial standards.