GDPR DSAR Compliance at Scale: 200 Requests Per Month
Updated for 2026
GDPR Article 15 gives people the right to get copies of their data. The 30-day reply deadline is mandatory. Extensions to 90 days are allowed for complex requests. Fines are real: Vodafone Spain paid €1.2 million in 2021. A German company paid €225,000 in 2023. Both were fined for DSAR failures.
DSAR volume keeps growing. Privacy groups help people file requests in bulk. Browser extensions make it easy to send requests to many companies at once. Organizations that once got 10 requests a year now get 200 a month. Manual workflows built for 10 cannot handle 200. Staff time that covered a light workload cannot absorb a 20× increase. Automation is needed. See our entities page for a list of data categories we process on your behalf.
See our compliance overview and security practices for how we support GDPR.
What DSAR Processing Involves
Article 15 requires more than saying "yes, we have your data." You must send a copy. Three steps are required.
Find all personal data. Search every system — CRM, email, support tickets, marketing tools, HR records. Legal and IT must run cross-system queries together.
Remove third-party data. The copy you send must not show other people's personal information. If a support ticket has an agent's email, redact it. If an order record shows another customer's name, remove it. For high-volume programs, this third-party redaction step is where batch tools deliver the biggest time savings.
Meet format and timing rules. GDPR requires a common electronic format. PDF or plain text both qualify. The clock starts when you get the request. Missed deadlines are the main reason for enforcement action.
The DSAR Processing Numbers
Take a European e-commerce company with 200 DSARs per month.
Each request typically involves:
- 8–12 order records
- 3–7 support tickets
- 2–4 account records
- Average: about 18 documents per request
That is 3,600 documents per month needing third-party redaction.
Manual time:
- 7–15 minutes per document
- 3,600 documents = 420–900 hours per month
- About 3–6 full-time staff, just for redaction
Batch processing:
- Upload all 3,600 documents at once
- Apply a DSAR redaction preset
- Overnight run: 4–8 hours
- Human review of edge cases (~10%): about 90 hours
- Total effort: 150–200 hours per month — roughly one staff member
This shows why batch tools matter at scale. See our pricing page for batch tiers.
Encrypt-Then-Redact for Internal Records
Some teams need reversible internal records but clean external responses. A two-stage approach solves this.
Stage 1: Store documents with personal data encrypted using a controlled key. Access is restricted to authorized users. You can recover the original text if needed.
Stage 2: Apply hard redaction before sending the DSAR response. The person gets a clean document with no tokens or markers.
This keeps your records intact while meeting the legal standard for clean external responses. You can reprocess documents at any time if your redaction rules change.
Compliance Documentation
Article 5(2) — the accountability rule — means you must prove you comply. You need records. Words are not enough. For each DSAR, log:
- Date received and how you verified identity
- Systems searched and what was found
- Redaction type and entity types used
- Date and format of the response
- How edge cases were handled
Batch tools create a natural audit log. They record which documents were processed, what settings were used, and when. This helps with internal review and regulator questions. Our FAQ covers common questions on audit trail rules. See the glossary for key terms like "controller" and "processor."
What DSAR Failures Cost
The Vodafone Spain fine (AEPD, 2021) came from missed deadlines, incomplete responses, and poor identity checks. The organization also failed to reply within 30 days in many cases. The German fine (Bavarian DPA, 2023) came from delayed replies and missing data. The company sent responses that did not include all relevant records.
Both cases show what happens when volume outgrows manual capacity. Delays become routine. Systematic failures follow. Automation removes the bottleneck. It does not prevent all risk, but it addresses the capacity gap that causes most enforcement actions. Read our founder statement on building compliance by design.
Risks from Automation
Batch tools reduce work but add new risks. Know these before you deploy.
Check detection accuracy
A 2% miss rate is small on 100 documents. On 50,000 annual requests, it means thousands of errors. Test your preset on real samples before going live.
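One way to run the pre-launch test described above, as an added example (not code from this page or from any vendor): score a preset against a reviewer-labelled sample and compute a 95% upper bound on the true miss rate. The regex detector, the sample documents and all function names are constructed for illustration.

```python
import math
import re

# Hypothetical stand-in for a redaction preset: it only detects e-mail addresses.
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def detect(text):
    """Return the set of values the preset would redact."""
    return set(EMAIL.findall(text))

# Constructed sample: (document text, third-party values a human reviewer marked).
SAMPLE = [
    ("Ticket 1: handled by agent anna.k@shop.example", {"anna.k@shop.example"}),
    ("Order note: gift for bob@mail.example", {"bob@mail.example"}),
    ("Ticket 2: escalated to agent Jonas Meyer", {"Jonas Meyer"}),  # a name
    ("Ticket 3: cc carla [at] shop.example", {"carla [at] shop.example"}),
    ("Account record: no third-party data", set()),
]

def miss_stats(sample, detector):
    """Count labelled entities the detector failed to find: (missed, total)."""
    missed = total = 0
    for text, expected in sample:
        total += len(expected)
        missed += len(expected - detector(text))
    return missed, total

def wilson_upper(missed, total, z=1.96):
    """Upper end of the 95% Wilson score interval for the true miss rate."""
    if total == 0:
        return 1.0  # no labelled entities means no evidence at all
    p = missed / total
    denom = 1 + z * z / total
    centre = p + z * z / (2 * total)
    margin = z * math.sqrt(p * (1 - p) / total + z * z / (4 * total * total))
    return min(1.0, (centre + margin) / denom)

def projected_misses(rate, entities):
    """Expected unredacted third-party values at a given volume."""
    return round(rate * entities)

if __name__ == "__main__":
    missed, total = miss_stats(SAMPLE, detect)
    upper = wilson_upper(missed, total)
    print(f"missed {missed}/{total}; 95% upper bound on miss rate {upper:.0%}")
    # Assumption: one third-party value per document, 3,600 documents per month.
    print("worst-case leaks per month:", projected_misses(upper, 3600))
```

With zero misses on 50 labelled entities the upper bound is still about 7%, so a small clean sample does not demonstrate a 2% miss rate.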
Map your processor chain
Batch systems often use OCR tools, NLP APIs, and cloud storage. Each one adds Article 28 duties and may raise data residency issues. Map the full data flow first.
Keep humans in the loop
Article 22 limits automated decisions with legal effects on people. If your system decides what to disclose or hide, add human review steps. This avoids Article 22 exposure.
Plan for admin overhead
Batch systems need updated Records of Processing, new data flow diagrams, and vendor DPAs. Most teams underestimate this work. Plan for it up front.
Implementation Checklist
Before you automate:
- Write down your DSAR intake steps
- List all systems holding personal data
- Build a data map for cross-system queries
Setup steps:
- Configure a DSAR redaction preset with the right entity types
- Set rules for what triggers human review
- Test on 5–10 sample requests first
Ongoing:
- Upload documents daily or per request
- Route flagged items to a human review queue
- Package output into the final response
- Log response dates and formats
- Review logs monthly to spot patterns in edge cases
- Update your ROPA when your process changes
Check our case studies to see how organizations have built DSAR workflows at scale.
Conclusion
DSAR volume will keep rising. Privacy tools, browser extensions for bulk filing, and media coverage all drive more requests. Expect 40–60% annual growth to continue.
Manual processes cannot keep up. Batch tools handle the redaction work so staff can focus on edge cases and response management. That model scales. A manual-only process does not. Organizations that invest in automation now will be better placed as volumes grow. Those that wait will face growing backlogs and rising fine risk.