Data Subject Access Request (DSAR)

Professional DSAR form for Swiss and European organisations. Enables individuals to exercise their rights of access, correction, deletion, and portability under the Swiss nFADP Art. 25 and GDPR Art. 15. Includes identity verification and scope specification.

About this template

The Data Subject Access Request (DSAR) form provides a structured, compliant channel for individuals to exercise their privacy rights with your organisation. It covers all rights available under the Swiss Federal Act on Data Protection (nFADP Art. 25-32) and the European GDPR (Art. 15-22), including the right of access, the right to rectification, the right to erasure (right to be forgotten), the right to restriction of processing, and the right to data portability. Identity verification is built in to prevent fraudulent requests.

  • Requestor identity: full name, email, and date of birth
  • Relationship to the organisation: customer, employee, contractor, website visitor, other
  • Type of right being exercised: access, correction, deletion, portability, restriction, objection
  • Scope of the request: specific data categories or timeframes
  • Preferred response format: PDF, CSV, email, postal mail
  • Identity verification document upload
  • Optional: third-party representative authorisation
  • Signature confirming request accuracy

Response deadline: 30 days under nFADP and GDPR

Under both the Swiss nFADP and the EU GDPR, organisations must respond to a valid DSAR within 30 days of receipt. Where the request is complex or voluminous, a one-time extension of an additional 60 days is permitted, but the requestor must be informed within the initial 30-day period. Failure to respond on time can trigger complaints to the FDPIC (Federal Data Protection and Information Commissioner).

How to use this template

1. Open the template

Click 'Use template' to create a copy in your dashboard.

2. Add your organisation details

Update the form title and description to include your organisation's name and the contact details of your Data Protection Officer or privacy contact.

3. Link your privacy policy

Add a link to your privacy policy in the description so requestors understand what data you hold.

4. Configure access controls

Restrict form response access to your privacy or legal team only. Submitted DSARs contain sensitive identity information.

5. Set up acknowledgement notification

Configure an automated acknowledgement email to be sent to the requestor upon submission, confirming receipt and your 30-day response timeline.

6. Process and close requests

Log each DSAR in your data subject rights register, process the request within 30 days, and document your response for audit purposes.

Data subject rights in Switzerland: nFADP and GDPR context

The revised Swiss nFADP, in force since 1 September 2023, significantly expanded the rights of data subjects and aligned Switzerland's legal framework more closely with the EU GDPR. For Swiss organisations that also handle data of EU residents, both regimes may apply simultaneously. Understanding the scope and procedural requirements of each right is essential for building a compliant DSAR handling process.

The right of access (Auskunftsrecht)

Under nFADP Art. 25 and GDPR Art. 15, every data subject has the right to obtain confirmation of whether personal data concerning them is being processed, and if so, to receive a copy of that data together with supplementary information: the purposes of processing, the categories of data, the recipients or categories of recipients, the retention period, the source of the data, and information about any automated decision-making. Swiss law provides for access free of charge; a fee may only be levied if the request is manifestly excessive.

The right to erasure (Recht auf Loeschung)

The right to erasure (also known as the 'right to be forgotten') requires organisations to delete personal data without undue delay when: the data is no longer necessary for the original purpose; consent has been withdrawn and no other legal basis applies; the data has been unlawfully processed; or erasure is required under applicable law. Erasure requests cannot always be fully honoured — data retained for legal obligations (e.g. accounting records, contractual disputes) may be exempt, but the requestor must be informed of any limitation and its legal basis.

Identity verification: balancing privacy and security

A key challenge in DSAR handling is verifying the identity of the requestor without creating a disproportionate barrier to exercising data rights. Organisations should request the minimum information needed to identify the data subject in their systems — typically name, email address or account identifier, and date of birth. Requesting copies of identity documents should be limited to cases where identity genuinely cannot be confirmed through other means, as collecting copies of passports creates additional data protection obligations.

Frequently asked questions

Can an organisation charge a fee to respond to a DSAR?

Under both the nFADP and GDPR, the first copy of personal data provided in response to an access request must be provided free of charge. For subsequent requests or requests that are manifestly unfounded or excessive, a reasonable fee reflecting administrative costs may be charged, or the request may be refused. The basis for any fee or refusal must be communicated to the requestor in writing.

What if the DSAR involves third-party data?

Where fulfilling a DSAR would involve disclosing personal data of a third party (e.g. names of colleagues in an email chain), the organisation must balance the rights of both parties. Options include redacting third-party identifying information before providing the response, or, if redaction is not possible without rendering the information meaningless, withholding that portion and explaining why. Legal advice should be sought for complex cases.

What is the role of the FDPIC in DSAR disputes?

The Federal Data Protection and Information Commissioner (FDPIC / EDOEB) is the Swiss supervisory authority for data protection. If an individual believes their DSAR has been improperly handled — refused without justification, responded to late, or responded to incompletely — they can file a complaint with the FDPIC. The FDPIC can investigate and issue recommendations, and since the nFADP revision, has enhanced enforcement powers including the ability to initiate proceedings.