DSAR Response Generator

Generate a POPIA data subject request response draft

A practical guide to handling Data Subject Access Requests (DSARs) under the Protection of Personal Information Act (POPIA). This guide covers the rights of data subjects, the process for responding to requests, and the grounds for refusal.

Generator

DSAR Response Generator

Create a response draft for access, correction or deletion requests under POPIA and PAIA-linked access processes.

Draft only. The Information Regulator PAIA Guide states that POPIA Section 23 gives data subjects access rights and information about third parties or categories of third parties who have accessed the information. Section 24 rights include correction, deletion or destruction in defined cases.

Generated draft

DATA SUBJECT REQUEST RESPONSE

Date: 2026-07-09
Reference: [reference number]

To: [requester name]

From: [organisation name]
Information Officer: [Information Officer]
Contact: [contact email]

1. Request received

We refer to your Access to personal information request received on [request received date].

2. Identity verification

We have verified the requester identity using the information provided.

3. Decision

Decision: Access provided

4. Personal information held

We hold personal information related to customer onboarding, service delivery and support records.

5. Purpose of processing

The information is processed for service delivery, verification, fraud prevention, support, billing, record keeping and legal compliance.

6. Third parties or categories of third parties

Verification providers, contracted operators, professional advisers, regulators or law enforcement where required by law.

7. Correction, deletion or objection handling

No correction or deletion action is required based on this request.

8. Refusal or limitation reasons, if any

Not applicable.

9. Next steps

Contact the Information Officer if the requester believes the response is incomplete or inaccurate.

Review note: This draft should be checked before sending, especially where PAIA grounds for refusal, third-party information, legal privilege, commercial information or identity verification concerns apply.

1. What is a DSAR Under POPIA?

  • A DSAR is a request by a data subject (or their authorised representative) to a responsible party to access their personal information held by that organisation
  • Section 23 of POPIA grants data subjects the right to request confirmation of whether a responsible party holds their personal information, and to request access to that information
  • DSARs are processed in accordance with the Promotion of Access to Information Act (PAIA), as referenced in Section 23 of POPIA
  • The responsible party must provide the information in a reasonable format and in a generally understandable form

2. Data Subject Rights

  • Right to access: Data subjects may request access to their personal information held by a responsible party (Section 23)
  • Right to correction: Data subjects may request correction or deletion of personal information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or obtained unlawfully (Section 24)
  • Right to deletion: Data subjects may request destruction of personal information that the responsible party is no longer authorised to retain (Section 24)
  • Right to object: Data subjects may object to the processing of their personal information on reasonable grounds relating to their particular situation (Section 11(3))
  • Right to complain: Data subjects may submit a complaint to the Information Regulator if they believe their rights have been infringed (Section 74)

3. How to Process a DSAR

  • Step 1: Receive and log the request - record the date received, the identity of the requester, and the nature of the request
  • Step 2: Verify the identity of the requester - confirm that the person making the request is the data subject or their authorised representative. VerifyNow can assist with identity verification at this stage
  • Step 3: Locate all relevant personal information held about the data subject across your systems and records
  • Step 4: Assess whether any grounds for refusal apply (see Section 5 below)
  • Step 5: Respond to the request within 30 days as prescribed by PAIA (Section 25(1) of PAIA)
  • Step 6: Provide the information in the format requested by the data subject, where reasonably possible

4. DSAR Response Template Structure

  • Reference number and date of the original request
  • Confirmation of the requester's identity verification
  • Description of the personal information held (categories and sources)
  • The purpose for which the information is being processed
  • Third parties or categories of third parties to whom the information has been or may be disclosed
  • If the request is refused: clear reasons for refusal citing the applicable PAIA or POPIA provision, and information about the right to appeal to the Information Regulator

5. Grounds for Refusal

  • Section 18 of POPIA provides exemptions where processing is not subject to certain conditions (e.g., processing purely for personal or household purposes, or for journalistic, literary, or artistic expression)
  • PAIA grounds for refusal may apply, including protection of third-party privacy, commercial confidentiality, or legal privilege (Sections 63-70 of PAIA)
  • Requests that are manifestly unfounded or excessive may be refused, but the responsible party bears the burden of demonstrating this
  • A prescribed fee may be charged for access to records under PAIA, but this must not be used as a barrier to access
  • Always provide written reasons for any refusal and inform the data subject of their right to lodge a complaint with the Information Regulator

6. Record Keeping for DSARs

  • Maintain a log of all DSARs received, including the date, requester details, nature of request, and outcome
  • Record the steps taken to verify the identity of each requester
  • Keep copies of all correspondence and responses provided
  • Document any refusals and the reasons given
  • Track response timelines to ensure compliance with the 30-day deadline
  • Retain DSAR records for a reasonable period in case of complaints or regulatory enquiries