Qualitative In-Depth Analysis of GDPR Data Subject Access Requests and Responses from Major Online Services

📅 2025-03-06
🏛️ Proceedings of the 11th International Conference on Information Systems Security and Privacy
🤖 AI Summary
This study systematically evaluates the quality of responses by major online services to General Data Protection Regulation (GDPR) data subject access requests (DSARs), focusing on three key questions: (i) whether responses comply with specific GDPR provisions, (ii) whether they align with stated privacy policies, and (iii) whether compliance has improved over time. Method: Through structured qualitative analysis of data export packages from 12 platforms collected in 2018 and 2023, we conduct the first five-year longitudinal comparison, developing a policy–practice mapping framework and a fine-grained consistency assessment model. Contribution/Results: No service fully satisfies GDPR requirements; systemic deficiencies—including nonstandard formats, incomplete data scope, and ambiguous explanations—are pervasive. Substantial misalignment persists between privacy policies and actual DSAR responses, with only marginal improvement observed over five years. The findings expose structural enforcement gaps in GDPR implementation, providing empirical evidence to inform regulatory refinement and corporate accountability practices.

📝 Abstract
The European General Data Protection Regulation (GDPR) grants European users the right to access their data processed and stored by organizations. Although the GDPR contains requirements for data processing organizations (e.g., understandable data provided within a month), it leaves much flexibility. In-depth research on how online services handle data subject access requests is sparse. Specifically, it is unclear whether online services comply with the individual GDPR requirements, if the privacy policies and the data subject access responses are coherent, and how the responses change over time. To answer these questions, we perform a qualitative structured review of the processes and data exports of significant online services to (1) analyze the data received in 2023 in detail, (2) compare the data exports with the privacy policies, and (3) compare the data exports from November 2018 and November 2023. The study concludes that the quality of data subject access responses varies among the analyzed services, and none fulfills all requirements completely.
Problem

Research questions and friction points this paper is trying to address.

Analyzes GDPR compliance in data subject access responses.
Compares data exports with privacy policies for coherence.
Examines changes in data exports from 2018 to 2023.
Innovation

Methods, ideas, or system contributions that make the work stand out.

Qualitative structured review of GDPR data exports
Comparison of data exports with privacy policies
Temporal analysis of data exports from 2018 to 2023
Daniela Pöhn
University of the Bundeswehr Munich, Research Institute CODE, Munich, Germany
Nils Gruschka
Professor, University of Oslo, Norway
Network Security, Web Security, Cloud Computing Security