Data Subject Access Requests in Canada: PIPEDA, Law 25 and GDPR
Most organizations that collect personal information from customers have never received a formal data subject access request. Many have never thought about what they would do if they did. That gap is closing faster than most leaders realize.
A data subject access request (DSAR) is one of the most common ways individuals exercise their privacy rights. Under data protection law, individuals have the right to access the personal information an organization holds about them, and in many jurisdictions to correct, delete, or object to the processing of it as well. DSARs are widely associated with GDPR, but Canadian privacy legislation gives individuals these rights too. Organizations operating in Canada that have no process for handling them are sitting on a visible, enforceable compliance gap.
What Is a Data Subject Access Request (DSAR)?
A data subject access request (DSAR) is a formal exercise of an individual's right to access their personal information. The individual, referred to as the data subject, submits a request to an organization asking for a copy of the personal information it holds about them, including information they provided directly, information the organization generated, and information inferred from their behaviour.
The organization must consolidate everything it holds across all systems, remove anything that would compromise the privacy of other individuals or expose confidential business information, and deliver it in a format the individual can actually use.
DSARs are the most complex individual rights request an organization will receive. They touch every system where personal information lives: CRMs, marketing platforms, support tools, data warehouses, billing systems. Organizations without a clear data inventory find these requests extremely difficult to fulfill accurately and on time.
The term DSAR comes from GDPR and is widely used in UK and EU contexts. In Canada the equivalent right exists under PIPEDA and provincial privacy legislation, though the terminology differs slightly. The substance is the same: an individual asks what you have on them, and you are required to tell them.
Do Canadian Organizations Have to Respond to Data Subject Access Requests?
Yes. Under the Personal Information Protection and Electronic Documents Act (PIPEDA), individuals have the right to access the personal information an organization holds about them. This is not a discretionary courtesy. It is a legal obligation that applies to private-sector organizations engaged in commercial activity across Canada, with limited exceptions.
Organizations must respond within 30 days of receiving a request. Extensions are available in limited circumstances but must be communicated to the individual. Failure to respond, responding late, or responding incompletely can result in a complaint to the Office of the Privacy Commissioner of Canada (OPC), which can escalate to a formal investigation.
For organizations operating in Quebec, Law 25 introduces additional obligations beyond what PIPEDA requires. These are covered in detail below.
What Rights Do Individuals Have Beyond Access?
A data subject access request specifically covers the right to access personal information. But individuals have additional privacy rights that organizations need to be prepared to handle, and requests for these often arrive through the same channel.
The Right to Correction
Individuals can request that an organization correct inaccurate personal information it holds about them. This is generally the most straightforward right to fulfill. The challenge is ensuring the correction flows through every system where that information is held, not just the one the individual interacted with. Organizations must document how each correction request was handled.
The Right to Deletion
The right to deletion is not a right under PIPEDA. Canada does not require organizations to delete personal information on request. Individuals are increasingly aware of this right from GDPR and submit deletion requests regardless.
Our recommendation is to comply where you reasonably can. It builds goodwill, it is directionally aligned with where Canadian privacy law is heading, and it reduces the likelihood of a complaint to the OPC. For organizations subject to Law 25 or operating in GDPR jurisdictions, deletion is a legal obligation, not a discretionary choice, however the right to deletion relates to the indexing of your information.
The Right to Object
Individuals can object to an organization's processing of their personal information when they believe it was collected without a proper basis or used beyond its intended purpose. Objection requests require the organization to review the legal basis for the processing in question and either justify it or stop it. They are often a precursor to a deletion or correction request.
How to Respond to a DSAR in Canada Under Law 25 and Cross-Border Frameworks
Quebec's Law 25 expanded individual rights significantly beyond what PIPEDA requires, including the right to data portability and the right to be informed of automated decision-making. It also introduced more explicit documentation requirements for how requests are handled.
Organizations that handle personal information about individuals in the EU, UK, or California face further obligations under GDPR, UK GDPR, and CCPA/CPRA respectively. A DSAR process built only around PIPEDA will not be sufficient for organizations operating across these jurisdictions. Each framework has different timelines, different rights, and different documentation requirements. Organizations need a process that can identify which framework applies to a given request and respond accordingly.
What Your Privacy Notice Needs to Say
Every organization's public-facing privacy notice should clearly disclose what rights individuals have, how they can exercise those rights, who to contact, and how long a response will take. A well-structured privacy governance program will define these requirements before a request ever arrives.
This is not optional. PIPEDA requires organizations to be transparent about their information practices, and that includes making individual rights findable and accessible. A privacy notice that buries this information in dense legal language, or omits it entirely, is not compliant.
The rights you disclose should be tailored to the jurisdictions you actually operate in. A Canadian organization that sells to EU customers needs to address GDPR rights. A Quebec-based organization needs to address Law 25 rights specifically. A template copied from a US or UK resource will not cover what your organization actually needs to disclose.
One practical note: once individuals know they have these rights and have a clear channel to exercise them, they use them. Every organization Bamboo Data Consulting has been appointed as vCPO for has seen a steady month-on-month increase in requests after updating their privacy notice to properly disclose these rights. The channel creates the volume and with the use of AI, data subject access requests have become more sophisticated. That is not a reason to hide the channel. It is a reason to have a process ready before you open it.
What Happens When You Have No Process
The most common data subject access request failure is not malicious. It is simply that no one in the organization knows what to do when a request comes in. It gets forwarded, ignored, mishandled, or responded to late. Any of those outcomes can result in a complaint to the OPC or the equivalent provincial authority.
Regulators treat the absence of a DSR process as evidence of broader privacy governance gaps. A complaint about a missed access request becomes an investigation into your privacy program as a whole. That is a disproportionate consequence for something that is entirely preventable.
Your process should define how requests are received, how identity is verified, what systems need to be checked, who is responsible for compiling the response, what legitimate grounds exist for denying a request, and how responses are documented. That documentation matters if a complaint is ever filed. A privacy risk assessment can help identify where your current process has gaps before a request exposes them.
Rights are requests, not automatic obligations in every case. There are circumstances under which an organization can decline to fulfill a request, but those circumstances need to be defined in your process before the request arrives, not improvised after.
Need Help Managing Data Subject Access Requests in Canada?
If your organization collects personal information from customers and does not have a documented process for handling data subject access requests, that is the starting point. Not the privacy notice, not the data privacy awareness training. The process. Everything else flows from knowing how you would actually respond if a request arrived tomorrow.
If you are unsure what rights apply to your organization, what your privacy notice needs to say, or how to build a DSAR process that works across multiple jurisdictions, we can help.
Talk to us about your organization's privacy obligations
Frequently Asked Questions About DSARs in Canada
What is the difference between a DSAR and a data subject request?
A data subject access request (DSAR) specifically refers to the right to access personal information. A data subject request (DSR) is a broader term that covers all individual privacy rights, including access, correction, deletion, and objection. In practice the terms are often used interchangeably, but a DSAR technically refers to access only.
How long does an organization have to respond to a DSAR in Canada?
Under PIPEDA and Quebec’s Law 25, organizations must respond within 30 days of receiving a request. Extensions are permitted in limited circumstances but must be communicated to the individual before the 30-day deadline passes.
Can a Canadian organization refuse a data subject access request?
Yes, in limited circumstances. PIPEDA allows organizations to refuse access requests where fulfilling them would reveal personal information about another individual, where the information is subject to solicitor-client privilege, or where disclosure could reasonably be expected to threaten the safety of another person, among other grounds. Any refusal must be communicated to the individual along with the reason and information about how to challenge the decision.
Does PIPEDA require organizations to delete personal information on request?
No. The right to deletion does not exist under PIPEDA. Canada requires organizations to retain personal information only for as long as necessary for the purpose it was collected, then dispose of it appropriately. That is a retention obligation, not a deletion-on-request obligation. Organizations subject to Quebec's Law 25 or operating in GDPR jurisdictions do face deletion obligations under those frameworks.
What is the penalty for not responding to a DSAR in Canada?
Failure to respond to a DSAR under PIPEDA can result in a complaint to the Office of the Privacy Commissioner of Canada. The OPC can investigate, issue findings, and make recommendations. Quebec's Law 25 already carries administrative monetary penalties of up to $25 million dollars or four percent of worldwide turnover for the most serious violations.