GDPR and Data Subject Access Requests: When and How to Redact

2026-01-02 · True Redact Team

The General Data Protection Regulation (GDPR) gives individuals in the EU (the data subjects, whatever their nationality) extensive rights over their personal data, including the right to access the data an organization holds about them. But what happens when that data includes information about other people? This is where redaction becomes essential.

Understanding Data Subject Access Requests (DSARs)

Under GDPR Article 15, individuals have the right to obtain a copy of their personal data. Organizations must respond within one month of receiving the request; Article 12(3) allows that period to be extended by a further two months where requests are complex or numerous, provided the requester is told of the extension and the reasons for it within the first month. However, you cannot simply hand over every document in full: you must protect third-party data.

The Third-Party Data Problem

Consider a common scenario: An employee requests all emails mentioning them. Those emails likely contain:

  • Names and contact details of other employees
  • Customer or client information
  • Supplier and vendor details
  • Information about other data subjects

GDPR Article 15(4) states that the right to obtain a copy "shall not adversely affect the rights and freedoms of others." This is a balancing obligation, not a veto: Recital 63 adds that protecting others' rights "should not result in a refusal to provide all information to the data subject." In practice that means redacting the third-party personal data within a document before releasing it, rather than withholding the document.

What to Redact in DSARs

When preparing DSAR responses, redact:

  • Names and identifying information of other individuals
  • Third-party contact details (email, phone, address)
  • Information that identifies third parties indirectly, such as a job title held by only one person, a unique event, or a location
  • Trade secrets, intellectual property and confidential business information (Recital 63), limited to the passages whose disclosure would actually affect those rights
  • Information covered by legal professional privilege, where the applicable national law provides an exemption for it

Balancing Transparency and Protection

The key principle is proportionality. You should:

  • Provide as much information as possible to the data subject; their own data stays in, even when it appears in the same sentence as a third party's
  • Redact only what is necessary to protect others' rights, not whole pages or whole documents
  • Consider whether pseudonymization could work instead of full redaction, for example replacing each third party with a consistent token so the requester can still follow who said what without learning their identity; the mapping from tokens back to identities is itself personal data and must stay inside the organization
  • Document each redaction decision (what was removed, under which rule, and why) so you can justify it in a regulatory inquiry
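The steps above (keep the requester's data, redact or pseudonymize third parties, flag what needs a human decision, log every decision) can be illustrated in code. The following is an added example written for this article, not True Redact's product code; the directory of data subjects, the sample email, the phone-number pattern and the pseudonym key are all constructed for the demonstration. Pseudonyms are derived with an HMAC so that the same third party gets the same token throughout a response bundle without the organization having to store or ship a lookup table.

```python
import hashlib
import hmac
import json
import re

# Constructed sample data for this example. In a real DSAR workflow the
# directory of known data subjects would come from HR / CRM systems.
DIRECTORY = {
    "alice.smith@example.com": "Alice Smith",
    "bob.jones@example.com": "Bob Jones",
    "carol.w@example.com": "Carol White",
}

# Placeholder key (assumption): in production this lives in a secrets store,
# is never shipped with the response, and is scoped to one DSAR so tokens
# from different requests cannot be correlated.
PSEUDONYM_KEY = b"example-only-dsar-key"

# Constructed sample email; Alice is the requester.
SAMPLE_EMAIL = """From: Bob Jones <bob.jones@example.com>
To: Alice Smith <alice.smith@example.com>
Cc: Carol White <carol.w@example.com>
Subject: Q3 review

Alice, Carol raised the issue with your expense report.
Bob will follow up by phone on 07700 900123.
"""

# Phone pattern (UK mobile style, constructed for the sample). Ownership of a
# bare number cannot be decided automatically, so such hits are redacted by
# default and flagged for a human to restore if they belong to the requester.
PHONE_RE = re.compile(r"\b0\d{4}\s?\d{6}\b")


def pseudonym(email: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed, deterministic pseudonym: the same person gets the same token
    across the whole bundle, but it cannot be reversed without the key."""
    digest = hmac.new(key, email.lower().encode(), hashlib.sha256).hexdigest()
    return f"Person-{digest[:8]}"


def redact(text, requester_email, mode="pseudonymize", key=PSEUDONYM_KEY):
    """Return (redacted_text, audit_trail).

    mode="pseudonymize" replaces each third party with a consistent token;
    mode="redact" replaces them with a fixed marker. The requester's own
    identifiers are left untouched.
    """
    candidates = []  # (start, end, replacement, audit entry)

    for email, name in DIRECTORY.items():
        if email.lower() == requester_email.lower():
            continue  # the requester's own data: they are entitled to it
        token = pseudonym(email, key) if mode == "pseudonymize" else "[THIRD PARTY]"
        # Full name, each name part (3+ chars) as a whole word, and the address.
        # Bare surnames can collide with ordinary words; the audit trail is
        # what lets a reviewer catch such false positives.
        patterns = [re.compile(r"\b" + re.escape(name) + r"\b")]
        patterns += [re.compile(r"\b" + re.escape(p) + r"\b")
                     for p in name.split() if len(p) >= 3]
        patterns.append(re.compile(r"\b" + re.escape(email) + r"\b", re.IGNORECASE))
        for pat in patterns:
            for m in pat.finditer(text):
                candidates.append((m.start(), m.end(), token,
                                   {"rule": "third_party_identifier",
                                    "subject": token, "action": mode}))

    for m in PHONE_RE.finditer(text):
        candidates.append((m.start(), m.end(), "[CONTACT DETAIL]",
                           {"rule": "phone_number", "subject": None,
                            "action": "redact_pending_review"}))

    # Resolve overlaps: the longest match at each position wins, so
    # "Bob Jones" is handled once rather than as "Bob" plus "Jones".
    candidates.sort(key=lambda c: (c[0], -(c[1] - c[0])))
    kept, last_end = [], -1
    for c in candidates:
        if c[0] >= last_end:
            kept.append(c)
            last_end = c[1]

    # Apply from the end so earlier offsets stay valid. The audit entry keeps
    # offsets and the rule but not the original text, so the log does not
    # become one more copy of the third-party data.
    audit, out = [], text
    for start, end, repl, entry in reversed(kept):
        out = out[:start] + repl + out[end:]
        audit.append({"start": start, "end": end, **entry})
    audit.reverse()
    return out, audit


if __name__ == "__main__":
    redacted, trail = redact(SAMPLE_EMAIL, "alice.smith@example.com")
    print(redacted)
    print(json.dumps(trail, indent=2))
```

Running it with Alice as the requester leaves her name and address in place, turns Bob and Carol into two stable tokens wherever they appear (headers and body alike), and redacts the phone number with a "pending review" action because the script cannot tell whose number it is. Directory-based matching only finds people the organization already knows about; free-text mentions and the indirect identifiers listed earlier still need a reviewer, which is why every decision is written to the trail.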

GDPR Penalties for Getting It Wrong

The stakes are high. Infringements of the data subject rights in Articles 12 to 22 fall in the upper tier of Article 83(5): fines up to €20 million or 4% of worldwide annual turnover, whichever is higher. Improperly handled DSARs, whether a late response, over-redaction of the requester's own data, or failure to protect third-party data, can trigger enforcement action.

Streamlining DSAR Compliance

Organizations receiving frequent DSARs need efficient processes. True Redact helps by:

  • Automatically identifying personal data across document sets
  • Distinguishing between the requester's data (keep) and third-party data (redact)
  • Processing large volumes quickly to meet the one-month deadline
  • Creating audit trails for compliance documentation