A subject files a DSAR: what do I deliver and in what form?
A DSAR (data subject access request) covers the data you hold on someone plus context: purposes, recipients, retention. GDPR sets a one-month deadline, extendable once by two months.
Try this first
1. Verify the requester's identity before you hand anything over. Ask for the minimum needed; an ID copy with masked national number and photo is acceptable, but only if other verification fails.
2. List every system the person could appear in: CRM, mail archive, tickets, phone logs, marketing tool, HR (for employees), CCTV footage if retained.
3. Deliver in a common electronic format. PDF or CSV works; add context for codes and fields.
4. Include the required info: purposes, categories, recipients (sub-processors and country), retention, source if not collected directly, and subject rights.
5. Carefully redact what you cannot share: data of others, trade secrets, or items covered by a legal exemption. Document what you held back and why.
When to bring us in
If the request is tangled with legal disputes or complaints against your company, talk to a lawyer before you reply.
See also
- Does NIS2 apply to my company? Two questions decide it: are you in a listed sector, and do you meet the threshold from Recommendation 2003/361/EC (more than 50 FTE and more than EUR 10M turnover or balance sheet). Below that you are only indirectly in scope, via your customers. The threshold determines whether you are an important or essential entity depending on sector.
- What changes with the Dutch Cyber Security Act? The Cyberbeveiligingswet is the Dutch implementation of NIS2. Track NCSC for the exact effective date and the lower regulations.
- Am I personally liable as a director under NIS2? Yes. The board is accountable for approving and overseeing the cyber measures. Severe negligence can become personal.