GDPR Data Subject Access Requests (DSARs) for Spiritual Practitioners: A 2026 Guide
A client asks for all data you hold. You have 30 days. How astrologers and tarot readers handle DSARs correctly under UK/EU GDPR in 2026.
A past client emails: "Can you tell me what information you have about me?" That sentence - informal, no legal language - is a valid Data Subject Access Request under UK and EU GDPR. Your response deadline starts the moment it arrives.
DSARs are not only for large businesses. Any practitioner who holds EU or UK client data - a name, an email address, a birth chart input, a session note - can receive one. Here is how to handle it correctly without missing the deadline or over-disclosing.
What Is a DSAR and When Does It Apply
A Data Subject Access Request (DSAR) is a legal right under GDPR (Article 15) allowing any individual to request a copy of all personal data a controller holds about them, plus information about how that data is used.
For a spiritual practitioner, this applies whenever:
- You hold personal data of EU or UK residents (regardless of where you are based)
- A client, subscriber, or contact asks to see their data
The request does not need to say "DSAR," cite GDPR by name, or arrive in writing. Any informal request - by email, social media message, phone call, or even in person - counts. "What do you have on me?" is sufficient.
Source: Osano; Termly, 2026
The 30-Day Response Clock
You must respond within 1 calendar month from the date you receive the request. This is month-based (not 30 fixed days) - a request received on January 31 is due by February 28.
For complex or numerous requests, you can extend by up to 2 additional months (maximum 3 months total). If you use the extension, you must notify the requester within the first month with the reason for the delay.
Source: ICO UK (authoritative); GDPR Local, 2026
For a solo practitioner, most DSARs are not complex - a client asking for their session notes and email records does not require a 3-month extension. Treat the 1-month deadline as hard.
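The month-based clock above is easy to get wrong in a spreadsheet or a reminder app, which will happily add 30 days and miss the end-of-month case. The following is an added example, not code from the original guide, showing a small request log that computes the deadline exactly as the rule is stated here (same calendar day one month on, clamped to the last day of that month) and enforces that an extension is only recorded if the requester was notified within the first month. The class name, fields and the sample request are assumptions constructed for the example.

```python
# Added example (not from the original guide): a DSAR deadline tracker that
# implements the month-based clock described above. The deadline is the same
# calendar day one month after receipt, clamped to the last day of that month
# when the day does not exist (31 Jan -> 28 Feb). Names and fields are assumed.
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Optional


def add_months(start: date, months: int) -> date:
    """Same day-of-month `months` later, clamped to the target month's last day."""
    month_index = start.month - 1 + months
    year = start.year + month_index // 12
    month = month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


def deadline_for(received: date) -> date:
    """The standard one-month deadline for a request received on `received`."""
    return add_months(received, 1)


@dataclass
class DsarRequest:
    """One logged request: receipt date, channel and exact wording."""
    received: date
    channel: str
    wording: str
    extended_on: Optional[date] = None
    extension_reason: str = ""

    def first_month_deadline(self) -> date:
        # Applies unless a valid extension is in place; it is also the last
        # day on which an extension notice may be sent to the requester.
        return add_months(self.received, 1)

    def extend(self, notified_on: date, reason: str) -> date:
        """Record a complexity extension; valid only if notified within the first month."""
        if notified_on > self.first_month_deadline():
            raise ValueError("extension notice must be sent within the first month")
        if not reason.strip():
            raise ValueError("an extension requires a stated reason")
        self.extended_on = notified_on
        self.extension_reason = reason
        return self.deadline()

    def deadline(self) -> date:
        # Up to two extra months, i.e. three months in total from receipt.
        return add_months(self.received, 3 if self.extended_on else 1)

    def days_remaining(self, today: date) -> int:
        """Days left before the response is late (negative once overdue)."""
        return (self.deadline() - today).days


if __name__ == "__main__":
    # Constructed sample: an informal DM received on 31 January 2026.
    req = DsarRequest(date(2026, 1, 31), "Instagram DM",
                      "Can you tell me what information you have about me?")
    print("due:", req.deadline())                                        # 2026-02-28
    print("days left on 10 Feb:", req.days_remaining(date(2026, 2, 10)))  # 18
```

`days_remaining` gives a single number you can check each morning against every open request; anything that goes negative is already late. Because `extend` refuses a notice dated after the first-month deadline, a forgotten request cannot be quietly "extended" after the fact.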
How a DSAR Can Arrive (Every Channel Counts)
| Channel | Valid DSAR? |
|---|---|
| Email to any business address | Yes |
| Instagram DM or WhatsApp message | Yes |
| Phone call | Yes |
| Verbal request in person | Yes |
| Formal letter | Yes |
The request landing in your Instagram DMs on a Saturday at 11pm counts. The clock starts. Set up a system to capture and flag any request regardless of channel.
Source: Osano; DataGrail, 2026
Verifying Identity
Before responding with data, verify you are sending it to the right person. GDPR limits what verification steps you can require - you cannot demand documents you do not already have from the person.
Practical approaches:
- Ask them to confirm via the same email address they used when booking or subscribing
- Ask them to verify a detail from their original booking (session date, product purchased)
- Match their contact details against your existing records
Do not ask for a passport or government ID unless your original intake process collected this. Most spiritual practitioners did not collect ID at intake, so the verification should use information you already hold.
Source: DataGrail, 2026
What Data to Search
For a solo spiritual practitioner, a DSAR search typically covers:
- Email inbox and sent folder (search by client name and email address)
- Email marketing platform (Kit, Mailchimp, Flodesk - export their subscriber record and tags)
- Booking system (Acuity, Calendly, TidyCal - their appointment history)
- CRM or Notion database (session notes, intake form responses)
- Google Drive or Dropbox (any files with their name or associated content)
- Cloud storage for session recordings (Zoom cloud, Loom, etc.)
- Payment records (Payhip, Gumroad, Stripe - their purchase history)
- Any WhatsApp or Telegram message threads
Do not overlook personal devices if you communicate with clients via personal social media or messaging apps.
What to Include in Your DSAR Response
The DSAR response must include (Source: OpenForest, 2026; Logikcull, 2026):
| Element | What to provide |
|---|---|
| Copy of all personal data | In a clear, accessible format - PDF or CSV |
| Purpose of processing | Why you hold this data |
| Categories of data | Types of data held |
| Recipients/third parties | Where data is stored ("Kit email platform, Notion, Google Drive") |
| Retention period | How long you keep it |
| Data source | How you collected it |
| Their rights | Right to rectification, erasure, restriction, portability |
You can redact personal data of third parties. If a session note mentions another person by name, redact that person's name before disclosing the note - their data is not the requester's to access.
You cannot charge for responding to a DSAR unless the request is "manifestly unfounded or excessive." First requests are almost never excessive for a solo practitioner.
Special Considerations: Birth Charts, Session Notes, and Sensitive Data
This is where spiritual practitioners differ from most freelancers.
Birth data (name, date of birth, time, place of birth) collected for astrology is personal data under GDPR. If combined with health information - a medical astrology reading, for example - it may qualify as "special category" data requiring additional protection under Article 9.
Session notes from readings and energy healing can become special category data if they reference the client's health, emotional state, religious beliefs, or spiritual practices. Special category data requires a higher lawful basis for processing (typically explicit consent rather than legitimate interest).
Video recordings of sessions are personal data. They must be disclosed in a DSAR response if stored.
For the question of how long to retain these records before deletion - and how deletion on request works when invoices must be kept - see the GDPR data retention guide for spiritual practitioners.
For the broader framework of protecting client data at collection, see the birth data privacy GDPR guide and the protect client data guide.
Source: GDPR Local; ICO special category guidance
Consequences of Getting It Wrong
Missed deadlines give the individual the right to escalate to the ICO (UK) or their national data protection authority (EU).
GDPR fines can reach up to EUR 20 million or 4% of annual global turnover - whichever is higher. For procedural failures (late response, incomplete response) rather than serious data breaches, fines at the lower range are more typical. But an ICO investigation - even one that ends in a warning - consumes significant time.
For solo practitioners, the more realistic consequence is reputational: a client who feels their data request was ignored or mishandled rarely returns, and may share the experience.
Source: Osano; DataDriven Legal, 2026
A 5-Step DSAR Workflow for Solo Practitioners
1. Receive and log: Note the date the request arrived, the channel, and the exact wording. Your deadline starts now.
2. Verify identity: Confirm via existing information you already hold.
3. Search all data locations: Email, CRM, booking system, cloud storage, messaging apps, payment records.
4. Compile the response: Personal data in PDF or CSV, plus the required contextual information (purpose, categories, recipients, retention, rights).
5. Send and document: Deliver within 1 month. Keep a copy of your response and the date sent.
For GDPR compliance at the data collection stage - including cookie consent on your website - see the GDPR cookie consent guide for spiritual businesses.
Frequently Asked Questions
What if a client asks me to delete all their data, not just see it?
That is a Right to Erasure request under GDPR Article 17, distinct from a DSAR. You must delete all personal data within 30 days, except any records you are legally required to keep (such as invoices within your statutory tax retention window). For the full deletion workflow, see the GDPR data retention guide.
Do I need to respond to a DSAR from someone who never became a paying client?
Yes, if you hold any personal data about them. A newsletter subscriber, a free consultation inquiry, or a social media follower you have in your CRM - all are data subjects with DSAR rights.
Can I refuse a DSAR?
In limited circumstances: if the request is manifestly unfounded or excessive, or if complying would adversely affect the rights and freedoms of others. A regular client request for their session notes is not manifestly unfounded. Refusals require documented justification and risk ICO challenge.
Do I need a Data Protection Officer (DPO) as a solo practitioner?
Generally no. DPO requirements apply to public authorities, organizations engaged in large-scale systematic monitoring, and organizations processing special category data at large scale. A solo practitioner with dozens or hundreds of clients typically does not meet those thresholds. Still, having a documented privacy policy and internal process for handling DSARs is good practice.
Does GDPR apply to practitioners based outside the EU or UK?
Yes, if you process data of EU or UK residents. A practitioner in the US, Australia, or Argentina who serves UK or EU clients is subject to GDPR for those clients' data. The ICO and EU data protection authorities can and do take action against non-EU businesses that violate GDPR in relation to EU residents.
