A DSAR (Data Subject Access Request) is a person's exercise of their right to obtain a copy of the personal data an organisation holds about them — including, for surveillance, footage in which they appear. Under GDPR Article 15 individuals can ask whether they are being recorded and request a copy, usually within one month and ordinarily free of charge. A request from someone saying "I was in your store on Tuesday at 3 pm, give me the video of me" is a DSAR the operator must be able to answer.
Handling it well depends on the system being searchable and privacy-aware. The operator has to locate the relevant footage (which is far easier with good forensic search than by manual scrubbing), and then disclose the requester's own data without exposing other people — which means masking or redacting the faces of uninvolved bystanders before release, because their privacy rights are not waived by someone else's request. The right is not absolute: it can be limited where it would adversely affect others' rights, or by exemptions such as an ongoing investigation.
The pitfalls are inability to find the footage, over-disclosure, and the retention trap. If a system cannot search its footage, meeting the one-month deadline is painful; if it hands over a clip showing third parties unredacted, the response itself breaches their privacy; and footage that has already hit its retention limit and been deleted simply cannot be produced — which is lawful if the retention policy is sound, but must be explained. Build search, redaction, and a documented DSAR process in advance, and treat redaction of others as mandatory, not optional. This is engineering guidance, not legal advice — confirm specifics with qualified counsel.
