Data Subject Access Requests (DSARs) in Retail and Shopping Malls
Data Subject Access Requests (DSARs) have become one of the most operationally demanding areas of GDPR compliance for retailers and shopping mall operators. These environments process large amounts of personal data, including CCTV recordings, Wi-Fi analytics, marketing databases, loyalty programs, ANPR/LPR systems, access control technologies and customer service logs. The GDPR right of access requires organizations to provide individuals with confirmation of processing and access to their data within strict timelines [1].
What counts as a Data Subject Access Request in retail?
Before diving into operational workflows, it is essential to understand what constitutes a DSAR in a retail or shopping mall environment. A DSAR is any request from an identifiable individual asking to access personal data held by the organization, regardless of format or collection source.
Channels through which DSARs are submitted
In retail, DSARs commonly arrive through email, customer service web forms, social media, helpdesk tickets or in-person inquiries at customer desks. Retailers with loyalty programs may also receive DSARs through account dashboards or mobile applications.
Types of personal data typically requested
Beyond account records and purchase histories, retail DSARs frequently involve visual data. Individuals may request access to CCTV footage showing them in stores, common mall areas or parking structures. Requests can also cover Wi-Fi analytics logs, ANPR/LPR data, customer support call recordings and behavioural analytics provided by mall operators.
Obligations and timelines for DSAR responses
Retailers and mall operators must comply with GDPR requirements regarding transparency, timeliness and safe disclosure practices. Several obligations apply to every DSAR, regardless of complexity.
Response deadlines
Under GDPR Article 12 and Article 15 [1], organizations must respond within one month of receiving a DSAR. For complex or numerous requests, such as those requiring CCTV extraction and redaction, the deadline may be extended by up to two further months, but the requester must be told of the extension, and the reasons for it, within the first month (Article 12(3)).
Identity verification requirements
Organizations must verify the identity of the requester before disclosing personal data, and Article 12(6) allows a controller with reasonable doubts to ask for additional information to confirm it. The UK ICO highlights this as a necessary safeguard against wrongful disclosure [2]. Verification methods may include ID checks, loyalty account confirmation or comparing information already on file.
Providing data in an accessible format
Data must be delivered in a commonly used format; where the request was made electronically, Article 15(3) expects a commonly used electronic form unless the requester asks otherwise. For video, organizations may provide MP4 exports or secure download links. Any provided footage must comply with redaction standards to protect third-party identities [2].
Why DSARs are uniquely challenging in shopping malls
Shopping malls operate complex ecosystems of tenants, shared systems and overlapping responsibilities. This makes DSAR handling more difficult than in standalone stores.
Multiple data controllers and joint responsibility
Malls may act as joint controllers with individual retailers where both determine the purposes and means of the same processing (Article 26). The EDPB notes that joint control requires clear allocation of responsibilities for responding to DSARs [3]. Requests involving shared CCTV or analytics may require coordination between operators and tenants.
CCTV in shared spaces and third-party presence
CCTV footage from common mall areas typically includes unrelated bystanders. Article 15(4) provides that the right to obtain a copy must not adversely affect the rights and freedoms of others, so organizations must redact or anonymize identifiable third parties before releasing footage [2].
Large volumes of surveillance data
High foot traffic means substantial CCTV volume, often hundreds of cameras across large areas. The FRA has highlighted the complexity of large-scale surveillance environments and the resulting privacy risks [4].
Handling DSARs that include CCTV and visual data
CCTV-related DSARs are among the most resource-intensive. Organizations must balance access rights with privacy protections for others captured in the footage.
Locating the relevant footage
Staff must identify which cameras may have recorded the requester. This often requires reviewing timestamps, camera location maps and retention schedules. High-resolution systems (1080p, 4K) increase processing complexity and storage requirements.
Redaction requirements for third-party privacy
Footage that reveals other shoppers, employees or bystanders cannot be handed over as recorded; the identifiable third parties must be redacted, typically by face blurring, before release. Automated redaction tools like Gallio PRO help retailers meet GDPR obligations by anonymizing faces, license plates and other sensitive elements while preserving video clarity and accelerating DSAR response time.
Retention policies and their impact on DSARs
Many retailers store CCTV for 30–60 days before it is overwritten. If a DSAR arrives after the relevant footage has already been overwritten, the controller must tell the requester that the data no longer exists. Once a request has been received, however, footage it covers should be placed on hold rather than left to the normal overwrite cycle. Both points follow from GDPR's accountability and transparency principles [1].
Best practices for managing DSARs in retail operations
A structured approach helps retail organizations comply with GDPR while minimizing operational burden.
Create a unified DSAR intake workflow
Centralized intake ensures consistency and prevents missed deadlines. A single inbox, case management system or privacy portal can streamline the entire process.
Implement a formal identity verification policy
To prevent unauthorized access, organizations must define acceptable verification methods. The UK ICO stresses proportional identity checks depending on the sensitivity of data requested [2].
Use automated redaction and anonymization tools
Manual redaction is slow and prone to human error. Automation via Gallio PRO improves accuracy, consistency and speed, making it easier for compliance teams to process CCTV-heavy DSARs without compromising on privacy or video usability.
Ensure clear governance between mall operators and tenants
Joint controller situations require documented agreements. The EDPB recommends data-sharing arrangements specifying roles and DSAR responsibilities [3].
Maintain audit trails and DSAR logs
Documentation proves compliance. Logs should record request dates, verification actions, data sources, redactions applied and the final response timeline.
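The deadline rule, the retention check and the audit log described above fit together into a small intake helper. The following is an added example written for this page, not code from the page, from Gallio PRO or from any regulator; the camera inventory, retention periods and the request in it are constructed, and the month arithmetic follows the ICO/EDPB convention that a "one month" period ends on the same calendar day of the next month or, where that day does not exist, on its last day.

```python
"""DSAR intake helper: Article 12(3) deadline, CCTV retention check, audit log.

Added example for this page (not the page's, Gallio PRO's or a regulator's code).
Camera inventory, retention periods and the request below are constructed data.
"""
from __future__ import annotations

import calendar
import json
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta


def add_months(d: date, months: int) -> date:
    """Same calendar day `months` later; if it does not exist (31 Jan + 1 month),
    fall back to the last day of the target month (ICO/EDPB time-limit convention)."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def response_deadline(received: date, extended: bool = False) -> date:
    """Article 12(3): one month from receipt, plus two further months for complex
    or numerous requests (the requester must be told within the first month)."""
    return add_months(received, 3 if extended else 1)


@dataclass(frozen=True)
class Camera:
    camera_id: str
    zone: str
    retention_days: int  # days until the recorder overwrites footage


def locate_footage(cameras: list[Camera], zone: str, incident: datetime,
                   received: datetime) -> tuple[list[str], list[str]]:
    """Split a zone's cameras into those whose footage of `incident` still exists
    at `received` and those where it was already overwritten (the requester must
    be told about the second group)."""
    held, gone = [], []
    for cam in cameras:
        if cam.zone != zone:
            continue
        overwritten_at = incident + timedelta(days=cam.retention_days)
        (held if received < overwritten_at else gone).append(cam.camera_id)
    return held, gone


@dataclass
class DsarCase:
    case_id: str
    received: datetime
    extended: bool = False
    events: list[dict] = field(default_factory=list)

    def log(self, action: str, at: datetime, **details) -> None:
        """Append one audit entry: what was done, when, and the relevant facts."""
        self.events.append({"at": at.isoformat(), "action": action, **details})

    @property
    def deadline(self) -> date:
        return response_deadline(self.received.date(), self.extended)

    def to_json(self) -> str:
        return json.dumps({"case_id": self.case_id, "received": self.received.isoformat(),
                           "deadline": self.deadline.isoformat(),
                           "events": self.events}, indent=2)


def open_cctv_case(case_id: str, received: datetime, channel: str, zone: str,
                   incident: datetime, cameras: list[Camera],
                   id_verified: bool) -> DsarCase:
    """Intake workflow for a CCTV DSAR: log receipt and the identity check, then
    the retention check, then hold footage and extend the deadline if redaction
    work is needed. Nothing is released until identity is verified."""
    case = DsarCase(case_id, received)
    case.log("received", received, channel=channel, zone=zone,
             incident=incident.isoformat())
    case.log("identity_check", received, verified=id_verified)
    if not id_verified:
        case.log("on_hold", received, reason="awaiting identity verification")
        return case
    held, gone = locate_footage(cameras, zone, incident, received)
    case.log("footage_located", received, cameras_held=held, cameras_overwritten=gone)
    if held:
        # Protect covered footage from the normal overwrite cycle, then treat
        # multi-camera redaction as a complex request (Article 12(3) extension).
        case.log("legal_hold", received, cameras=held)
        case.extended = True
        case.log("extension_notified", received, new_deadline=case.deadline.isoformat())
    return case


# Constructed inventory for the example; not real cameras or retention settings.
CAMERAS = [
    Camera("C-101", "food-court", retention_days=30),
    Camera("C-102", "food-court", retention_days=45),
    Camera("P-201", "car-park-2", retention_days=60),
]

if __name__ == "__main__":
    case = open_cctv_case("DSAR-2024-0007", datetime(2024, 1, 31, 10, 0), "webform",
                          "food-court", datetime(2023, 12, 28, 18, 30), CAMERAS, True)
    print(case.to_json())
```

In the sample run, a request received on 31 January is due on 29 February (2024 is a leap year) and, once extended, on 30 April; the 30-day camera has already overwritten the 28 December footage while the 45-day camera still holds it, and the log records that split so the response can say which sources were and were not available.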
FAQ - DSARs in Retail and Shopping Malls
Can customers request CCTV footage of themselves?
Yes. Individuals have the right to receive footage in which they appear, provided third-party identities are redacted and their identity is verified.
Can retailers refuse to provide footage because others appear?
Not on that ground alone. The usual approach is to redact the third parties and disclose the remainder (Article 15(4)); withholding is only considered where redaction cannot protect them.
Can retailers charge a fee for processing a DSAR?
Only when a request is manifestly unfounded or excessive, for example because it is repetitive (Article 12(5)); in that case the controller may charge a reasonable fee or refuse to act. A standard DSAR must be handled free of charge.
Do DSAR rights apply to parking ANPR/LPR data?
Yes. License plate numbers linked to an identifiable individual are considered personal data under GDPR.
How long should organizations retain DSAR-related exports?
Only as long as necessary to complete the request, verify delivery and document compliance.
References list
- [1] GDPR – Regulation (EU) 2016/679, Article 15 (Right of Access). https://eur-lex.europa.eu/eli/reg/2016/679/oj
- [2] UK ICO – CCTV and visual data guidance. https://ico.org.uk/for-organisations/
- [3] EDPB – Guidelines on Data Subject Rights. https://edpb.europa.eu
- [4] FRA – Surveillance and data protection studies. https://fra.europa.eu/en
- [5] National Retail Federation (NRF) – Retail security and privacy research. https://nrf.com/research