Qualitative In-Depth Analysis of GDPR Data Subject Access Requests and Responses from Major Online Services

Daniela Pöhn, Nils Gruschka

TL;DR

This paper presents a qualitative, in-depth analysis of GDPR data subject access requests and responses from seven major online services, comparing 2018 and 2023 exports and aligning them with each service's privacy policy. Using a template-driven, manual review across two European accounts, it reveals substantial variation in data scope, readability, and retention disclosures, with no service fully meeting all DSAR requirements. The findings highlight longitudinal changes (notably for Amazon and Apple) and identify systemic gaps in completeness, correctness, and policy-data traceability. The work underscores the need for clearer DSAR guidelines and more transparent, consistent data-export practices to strengthen user rights under GDPR.

Abstract

The European General Data Protection Regulation (GDPR) grants European users the right to access their data processed and stored by organizations. Although the GDPR contains requirements for data processing organizations (e.g., understandable data provided within a month), it leaves much flexibility. In-depth research on how online services handle data subject access requests is sparse. Specifically, it is unclear whether online services comply with the individual GDPR requirements, whether the privacy policies and the data subject access responses are coherent, and how the responses change over time. To answer these questions, we perform a qualitative structured review of the processes and data exports of significant online services to (1) analyze the data received in 2023 in detail, (2) compare the data exports with the privacy policies, and (3) compare the data exports from November 2018 and November 2023. The study concludes that the quality of data subject access responses varies among the analyzed services, and none fulfills all requirements completely.

Paper Structure

This paper contains 13 sections, 1 figure, 2 tables.

Figures (1)

  • Figure 1: Data with history data by year and online service.