Data subject access requests (DSAR)
Under the GDPR's right of access (Article 15), a person can ask a controller to confirm whether it processes their personal data and to receive a copy. Analytics datasets can fall in scope when they contain identifiers tied to an individual. This page explains the right and why data minimisation shrinks what a DSAR can reach.
What the right of access covers
Article 15 of the GDPR gives data subjects the right to obtain confirmation of whether their personal data is processed, access to that data, and information about purposes, recipients, retention, and their other rights. Controllers must respond within a defined period, usually one month, extendable in limited cases.
The request only reaches personal data — information relating to an identified or identifiable person. Truly anonymous, aggregate analytics is outside its scope.
Analytics in scope
If your analytics retains a stable identifier (a user ID, a persistent pseudonymous cookie ID, or other data that can single out a person), those records may be personal data and therefore disclosable. Reducing what you store (shorter retention, fewer identifiers, aggregation, pseudonymisation that cannot be trivially reversed to re-link records) directly reduces what a DSAR can reach.
- Confirmation, a copy, and processing details must be provided
- Typically a one-month response window
- Anonymous aggregate data is outside scope
How it appears in analytics and logs
If analytics stores stable per-user identifiers, those records are likely in scope for an access request. Aggregate or pseudonymised data that cannot be linked to an individual generally reduces what must be disclosed.
Diagnostic use case
Assess whether your analytics holds personal data that a DSAR would cover, and reduce that surface by minimising identifiers and retention.
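One way to run this assessment, as an added example that is not WebmasterID's own code: it searches constructed per-visitor events for a requester's identifiers, then repeats the search after a retention cut and after aggregation. The field names, the 90-day window and the sample rows are assumptions.

```python
from collections import Counter
from datetime import date, timedelta

# Constructed sample data; field names and the review date are assumptions.
TODAY = date(2026, 6, 24)
IDENTIFIER_FIELDS = ("user_id", "cookie_id", "ip")
EVENTS = [
    {"day": date(2026, 6, 23), "user_id": "u-1001", "cookie_id": "c-aa1", "ip": "203.0.113.7", "page": "/pricing"},
    {"day": date(2026, 6, 23), "user_id": "u-1002", "cookie_id": "c-bb2", "ip": "203.0.113.9", "page": "/pricing"},
    {"day": date(2026, 6, 22), "user_id": "u-1001", "cookie_id": "c-aa1", "ip": "203.0.113.7", "page": "/docs"},
    {"day": date(2026, 1, 5), "user_id": "u-1001", "cookie_id": "c-aa1", "ip": "198.51.100.4", "page": "/signup"},
    {"day": date(2026, 6, 22), "user_id": None, "cookie_id": "c-cc3", "ip": "192.0.2.55", "page": "/docs"},
]

def dsar_lookup(rows, subject_ids):
    """Rows in which any field value equals one of the requester's identifiers."""
    wanted = set(subject_ids)
    return [r for r in rows if any(v in wanted for v in r.values())]

def dsar_surface(rows, subject_ids):
    """Count reachable rows and name the identifier columns that matched."""
    wanted = set(subject_ids)
    hits = dsar_lookup(rows, subject_ids)
    fields = sorted({k for r in hits for k in IDENTIFIER_FIELDS if r.get(k) in wanted})
    return {"rows": len(hits), "matched_fields": fields}

def apply_retention(rows, max_age_days, today=TODAY):
    """Drop rows older than the retention window."""
    cutoff = today - timedelta(days=max_age_days)
    return [r for r in rows if r["day"] >= cutoff]

def aggregate(rows):
    """Collapse per-visitor rows into (day, page) counts; no identifier column survives."""
    counts = Counter((r["day"], r["page"]) for r in rows)
    return [{"day": d, "page": p, "views": n} for (d, p), n in sorted(counts.items())]

if __name__ == "__main__":
    subject = ["u-1001", "c-aa1"]  # identifiers the requester can be matched on
    kept = apply_retention(EVENTS, 90)
    print("raw:", dsar_surface(EVENTS, subject))
    print("after 90-day retention:", dsar_surface(kept, subject))
    # Zero hits means no identifier column remains to search on; whether the
    # aggregate itself is anonymous still depends on identifiability.
    print("after aggregation:", dsar_surface(aggregate(kept), subject))
```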
What WebmasterID can help detect
WebmasterID's minimised, aggregate-first model is designed so that little or no individually identifiable analytics data exists to be returned in a typical DSAR.
Common mistakes
- Assuming all analytics data is automatically anonymous.
- Ignoring stable user IDs when scoping an access request.
- Missing the statutory response deadline.
Privacy and accuracy notes
This page is educational and not legal advice. Whether specific analytics data is in scope depends on identifiability and applicable law; confirm with counsel.
Related pages
- Right to erasure in analytics
Article 17 of the GDPR gives individuals the right to have their personal data erased in defined circumstances, such as when it is no longer necessary or consent is withdrawn. For analytics, that can mean deleting or de-linking records tied to a person. This page explains when erasure applies and how minimised data reduces the burden.
- Data minimisation in analytics
Data minimisation is the principle that personal data should be adequate, relevant, and limited to what is necessary for the purpose. In analytics it translates to: do not collect identifiers you will not use, prefer aggregates over per-person rows, and avoid storing precise values like full IPs. Minimising at collection beats trying to protect data you never needed. This is educational, not legal advice.
- Pseudonymisation in analytics
Pseudonymisation processes personal data so it can no longer be attributed to a specific person without additional information that is kept separately and secured. It is a recognised safeguard under the GDPR — but pseudonymised data is still personal data, not anonymous. Understanding that distinction prevents over-claiming privacy protection. This is an educational overview, not legal advice.
- Privacy-first analytics
Minimised data that narrows DSAR scope.
Sources and verification notes
- EUR-Lex — GDPR Article 15 (Right of access): Statutory text of the right of access.
- EDPB — Guidelines 01/2022 on data subject rights — right of access: Interpretation of the access right.
Last reviewed 2026-06-24. Facts are checked against primary/official sources where available; uncertain specifics are marked “Data not yet verified” rather than guessed.