FREE QUOTE
FREE QUOTE

Right of Access Requests

Data Protection & Compliance • Switzerland / EU • Updated: February 22, 2026

Right of Access Requests

A practical guide to handling the right of access (DSARs / subject access requests)—how to verify identity, search systems, redact safely, and respond on time without creating security or compliance risk.

Reading time: 11 min Difficulty: Intermediate Audience: SMEs, compliance, HR, customer support, IT & security
Book a consultation Explore consulting services

Key takeaways

  • Access requests are operational: you need a repeatable workflow and owners, not ad-hoc emailing.
  • Verify identity first: never disclose personal data to an unverified requester.
  • Search is the hard part: data sprawl (tools, inboxes, exports) is the #1 cause of failure.
  • Redact carefully: protect third-party data and security-sensitive details.
In practice: A DSAR is both a compliance request and a security event. Treat it like a controlled process with logging, approvals, and secure delivery.

What the right of access is

The right of access (often called a DSAR or “subject access request”) allows individuals to ask whether an organization processes their personal data and to receive a copy of that data along with key information about the processing.

The goal is transparency and control: people should be able to understand what data you hold, why you hold it, how you use it, and who you share it with.

Switzerland note: Swiss data protection law also provides access rights. If you operate in Switzerland and the EU, align your DSAR process so it can satisfy both regimes with one consistent workflow.

What you must provide (and what you can withhold)

A strong access response typically includes two parts: (1) a “processing summary” (the contextual information), and (2) a copy of the person’s personal data (often exported from systems).

Typical response components

Component What it means Examples
Confirmation of processing Whether you process the person’s data “We process your customer account and support history.”
Purposes Why you process the data Account management, support, billing, security
Categories of data Types of personal data held Contact data, transaction data, support tickets, device logs
Recipients Who you share data with Processors like CRM, email provider, hosting provider
Retention How long you keep the data “Invoices: 10 years; support tickets: 24 months”
Rights information Other rights and how to exercise them Rectification, deletion, objection, complaint route
Data copy The data itself Exports (CSV/PDF), screenshots, or compiled data pack
Important: You may need to withhold or redact information to protect third parties, trade secrets, legal privilege, or security. Apply redaction conservatively and document why.

A step-by-step DSAR workflow

Treat access requests like a ticketed process with a clear owner, a timeline, and a secure delivery channel.

Operational workflow (recommended)

  1. Intake and log: capture requester details, scope, date received, and request channel.
  2. Acknowledge receipt: confirm you received the request and explain next steps and identity check.
  3. Verify identity: use proportionate methods; document verification outcome.
  4. Clarify scope (if needed): narrow broad requests to reduce time and risk (without blocking rights).
  5. System search and export: pull data from defined systems and relevant repositories.
  6. Review and redact: remove third-party data and security-sensitive details as required.
  7. Quality check: verify completeness, consistency, and that the data matches the requester.
  8. Secure delivery: encrypted file transfer or secure portal; avoid plain email attachments.
  9. Close and retain evidence: store request log, response copy, and rationale for redactions.
Quick win: Create a “DSAR data map” for your top 5 systems (CRM, support, billing, HR, analytics). Most response time is lost in “Where is the data?” not in writing the response.

Identity verification and security

Identity verification is non-negotiable. A DSAR response can contain highly sensitive information. Verification should be proportionate to risk: more rigorous for sensitive data, less for low-risk accounts.

Common verification approaches (proportionate)

  • Account-based verification: respond via the logged-in account or a secure portal.
  • Out-of-band confirmation: confirm using a previously verified email/phone on file.
  • Document checks (careful): only when necessary; avoid collecting excess ID data.
  • Knowledge-based checks: confirm order IDs, last invoice amount, or similar (avoid weak secrets).
Security tip: Don’t request more personal data to verify identity than you need. Identity checks should reduce risk, not create new data exposure.

Redaction and third-party data

Access rights are not a license to disclose other people’s data. If your records contain third-party data (e.g., support tickets mentioning another customer, internal notes about an employee), you may need to redact.

Typical redaction cases

  • Third-party identifiers: names, emails, phone numbers of other individuals.
  • Security-sensitive details: credentials, tokens, detailed detection logic, internal security notes.
  • Legal privilege: communications protected under applicable legal privilege (context-dependent).
  • Trade secrets/confidential business info: where disclosure would cause harm (handle carefully).
Redaction rule: Redact minimally and explain categories of redaction (without revealing what was redacted). Keep a secure internal copy of the unredacted pack and the justification.

Response structure (practical template)

Use a consistent structure so your team can respond quickly and defensibly.

Suggested response structure

  • 1) Verification confirmation: “We verified your identity on 2026 using [method].”
  • 2) Processing summary: purposes, categories, recipients, retention, rights.
  • 3) Data copy: attached/export pack, format description, date range covered.
  • 4) Redactions/exclusions: brief explanation of why some data was withheld (if applicable).
  • 5) Next steps: how to request correction/deletion, how to escalate concerns.

Helpful tools (optional)

If your DSAR process needs secure approvals, traceability, and controlled delivery workflows:

SignNTrack – secure e-signatures & tracking Innopulse – DSAR process & governance support

Disclaimer: Links are for convenience; choose tools based on your requirements and compliance obligations.

Right of access checklist (copy/paste)

Use this checklist to handle access requests correctly and consistently.

  • We logged the request (date, channel, requester details, scope).
  • We acknowledged receipt and explained next steps and timelines.
  • We verified identity before searching and disclosing any data.
  • We clarified scope if needed (without unreasonably delaying the request).
  • We searched all relevant systems using a defined system list and identifiers.
  • We reviewed data for accuracy and ensured it belongs to the requester.
  • We redacted third-party data and security-sensitive details where necessary.
  • We delivered the response securely and retained evidence of completion.
Quick win: Create a DSAR “response pack” checklist per system (CRM, support, billing) with export steps and required fields. This turns 10 hours of hunting into 30 minutes of execution.

FAQ

What if the requester asks for “everything you have about me”?
You should still handle the request, but you can ask clarifying questions to scope it (e.g., time period, systems, context), especially if it helps you respond faster and more accurately. Document the scope clarification.
Can we refuse an access request?
In some situations requests may be refused or limited (e.g., clearly unfounded or excessive requests, or where disclosure would harm third-party rights or legal privilege). Apply this carefully, document rationale, and seek legal advice for complex cases.
Should we email the data as an attachment?
Avoid emailing sensitive data as plain attachments. Prefer a secure portal or encrypted file transfer with strong access controls. The delivery channel should match the sensitivity of the data and your risk profile.
What is the biggest operational mistake teams make?
Data sprawl and uncontrolled exports. If personal data lives in spreadsheets, inboxes, and local files, DSARs become slow and risky. Reduce sprawl with minimization, retention, standardized tooling, and governance.

About the author

Leutrim Miftaraj

Leutrim Miftaraj — Founder, Innopulse.io

Leutrim is an IT project leader and innovation management professional (BSc/MSc) focused on governance and compliance-friendly digital execution for organizations in Switzerland, including privacy-by-design, operational risk controls, and audit-ready workflows.

Governance Operational compliance Process design Swiss market focus

Reviewed by: Innopulse Editorial Team (Quality & Compliance) • Review date: February 22, 2026

This content is for informational purposes and does not constitute legal advice. For case-specific guidance, consult qualified counsel.

Sources & further reading

Use primary legal texts and regulator guidance when designing and operating DSAR processes.

  1. GDPR (Regulation (EU) 2016/679) – EUR-Lex
  2. European Data Protection Board (EDPB) – Guidelines & resources
  3. ICO – Right of access guidance (practical)
  4. Swiss Federal Act on Data Protection (FADP) – Fedlex
  5. NIST Privacy Framework (program design)

Last updated: February 22, 2026 • Version: 1.0

Want a DSAR process that is fast, secure, and audit-ready?

Innopulse supports organizations with DSAR workflows, documentation, vendor controls, and privacy-by-design governance—so rights requests are handled consistently, securely, and without operational chaos.

Book a consultation Back to Data Protection & Compliance pillar Business & IT Consulting

Driving innovation.

Quick Links

Get in touch

Newsletter

© 2026 Innopulse Consulting. All Rights Reserved.

Imprint | Privacy PolicyTerm of Use Cookies