What is a SAR?
A Subject Access Request (SAR), also known as a Data Subject Access Request (DSAR), is the formal exercise by an individual of the right under GDPR Article 15 (and KVKK Article 11) to obtain confirmation of whether personal data is being processed, a copy of that data, and supplementary information (purposes, categories, recipients, retention, source, rights, automated decision-making (ADM) logic). The right is the gateway to the broader data subject rights toolkit.
Operational SAR mechanics
- Receipt and acknowledgement: via any channel — email, postal, web form. Article 12 requires reasonable accessibility.
- Identity verification: proportional; do not demand excessive proof.
- Response deadline: one month under GDPR (extendable by two more months for complexity); 30 days under KVKK.
- Cost: free in most cases; manifestly unfounded/excessive requests can attract a reasonable fee or refusal.
- Format: machine-readable where requested electronically; clear, intelligible language.
Common SAR challenges
- Third-party data: redact identifying information of others appearing in the responsive set.
- Confidential business information: may be withheld where it would adversely affect rights of others.
- Privileged communications: legal advice privilege may apply.
- Volume: large discovery-style SARs in litigation contexts require scoping and reasonable interpretation.
SAR under KVKK
Under KVKK Article 13 and the "Communiqué on the Procedures and Principles of Application to the Data Controller" (Veri Sorumlusuna Başvuru Usul ve Esasları Hakkında Tebliğ), a request is made in writing or via KEP (registered electronic mail), secure electronic signature, mobile signature, or other methods to be determined by the Board. The response is due within 30 days and is free of charge; if the request incurs additional cost, a fee may be charged according to the tariff set by the Board (current: 1 TL for each page beyond 10 pages, cost price for CD/USB). For requests that are refused or left unanswered, the data subject may file a complaint with the KVKK Board within 30 days.
Do: publish a clear SAR process with multiple channels; train front-line teams to recognise and route requests; maintain a SAR log.
Don’t: stall, over-verify, or apply blanket refusals — KVKK Kurulu and EU DPAs regularly fine inadequate SAR handling.