Data Subject Access Request (DSAR): How to Make a Request?

Understanding Data Subject Access Requests (DSAR): How to Make a Request and Ensure Compliance

A Data Subject Access Request (DSAR) is a key right under data protection laws such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). It allows individuals to access the personal data that organizations hold about them. This article explains the DSAR process, how to make a request, and what actions to take if an organization does not comply with your request.

What is a Data Subject Access Request (DSAR)?

A DSAR is a request made by an individual to an organization to obtain a copy of their personal data, understand how it is being processed, and learn why it is being processed. This right ensures transparency and allows individuals to verify the lawfulness of the processing.

How to Make a DSAR

  1. Identify the Data Controller
    • Determine which organization holds your personal data and is responsible for processing it. This is the data controller.
  2. Prepare Your Request
    • Form of Request: DSARs can be submitted verbally or in writing, but it is best to make the request in writing for documentation purposes.
    • Details to Include: Clearly state that you are making a DSAR and include any relevant information to help the organization identify your data, such as your name, contact details, and any specific data you are requesting.
  3. Submit the Request
    • Send your request to the data controller. You can typically find contact details for the data protection officer (DPO) or privacy department on the organization’s website.
  4. Proof of Identity
    • The organization may require proof of identity to ensure the request is legitimate. Be prepared to provide a copy of an identification document if asked.

What Happens After Submitting a DSAR

  1. Acknowledgment of Request
    • The organization should acknowledge receipt of your DSAR promptly, usually within a few days of receiving it.
  2. Processing the Request
    • The data controller must respond to your DSAR without undue delay and within one month. In certain complex cases, this period can be extended by up to two additional months, but you should be informed of the extension and the reasons for it.
  3. Response to DSAR
    • The response should include:
      • Copy of Personal Data: A copy of your personal data being processed.
      • Processing Information: Information about the purposes of processing, categories of personal data, recipients, retention periods, and your rights regarding the data.
      • Source of Data: Where the data was not collected from you directly, information about the source.
      • Automated Decision-Making: Information on any automated decision-making, including profiling, and the logic involved.
  4. No Fee for DSAR
    • In most cases, DSARs are free of charge. However, if the request is manifestly unfounded or excessive, particularly if it is repetitive, the organization may charge a reasonable fee or refuse to act on the request.

Filing a Complaint

If an organization does not comply with your DSAR or you are dissatisfied with the response, you can take the following steps:

  1. Contact the Organization
    • Reach out to the organization to address the issue. Provide details of your DSAR and any communication you have had with them. Sometimes, issues can be resolved through direct communication.
  2. File a Complaint with the Data Protection Authority (DPA)
    • If the organization does not resolve the issue, you can file a complaint with the relevant DPA. Provide all relevant information, including details of your DSAR, the response received, and any communication with the organization.
  3. Seek Legal Action
    • In cases of significant non-compliance, you may consider seeking legal advice to explore further actions, such as filing a lawsuit for damages caused by the violation of your rights.

DSAR Process Chart

Step | Description
1. Identify Data Controller | Determine the organization holding your data.
2. Prepare Your Request | Write a clear request including relevant details.
3. Submit the Request | Send the request to the data controller’s contact point.
4. Provide Proof of Identity | Provide identification if requested.
5. Acknowledge Request | Organization acknowledges receipt of your DSAR.
6. Processing the Request | Organization processes your request within one month.
7. Response to DSAR | Receive a copy of your data and processing information.
8. No Fee for DSAR | DSARs are generally free; fees apply only for excessive requests.

What to do now?

Submitting a Data Subject Access Request (DSAR) is a powerful tool for individuals to understand how their personal data is being processed and to ensure compliance with data protection laws. By following the outlined process and knowing your rights, you can effectively manage your personal data. If an organization fails to comply with your DSAR, there are steps you can take to file a complaint and seek enforcement of your rights.

Read below or visit our DSAR Guide here.

The ‘Right to Access’ is a fundamental principle of data privacy laws, including the GDPR. It is the right granted to consumers to access the personal information that businesses have collected about them. This right allows consumers to understand what data is being processed, how it’s used, who it’s shared with, and why the business is processing it.

When a consumer exercises their Right to Access through a DSAR, the business must provide a copy of the personal data they have on the individual.

Additionally, they should provide supplementary information such as the categories of data, the purposes of the processing, and any recipients of the personal data.

By issuing a DSAR, consumers are invoking their right to access. Consequently, the business’s response to the DSAR fulfills this consumer right.

Who Has the ‘Right to Access’?

Essentially, any individual (data subject) whose personal data is being processed by a business has the ‘Right to Access.’ This right is not confined to businesses of specific countries or regions; it’s based on where the consumer is. 

For example, under the GDPR, the ‘Right to Access’ applies to any individual who resides in the European Union, regardless of the business’s residence. The consumer’s right to issue a DSAR, therefore, extends as far as the reach of the applicable data protection law.

Data protection compliance services are a tool businesses can use to outsource compliance and maintain pristine compliance in their business.

How Can a Data Subject Submit a DSAR?

The process for a consumer to submit a DSAR should be straightforward and accessible. Businesses must provide a clear and easily accessible method for individuals to exercise their Right to Access.

This could be through an online form on the business’s website, an email address, or even a postal address. The key is that it must be easy for the consumer to initiate a DSAR.

Typically, a DSAR will require the consumer to provide sufficient information to confirm their identity and ensure that the request is legitimate through security questions or documents. This protects against fraudulent requests that could lead to unauthorized disclosure of personal information.

This information usually includes basic contact details and any specific information that could assist the business in locating the requested data.

Once the DSAR is submitted, the business has a responsibility to acknowledge receipt of the request promptly, usually within a few days. They must then respond comprehensively to the request within a specific time frame, typically one month under GDPR. If the request is complex, the business may extend this period but should inform the consumer of any delay.

In their DSAR, the consumer should clearly specify the information they wish to access. However, they do not necessarily need to mention the GDPR or the ‘Right to Access’ specifically. As long as it’s clear that they are asking for their personal information, the business should treat the communication as a DSAR.

How to Respond to a DSAR

Responding to a DSAR is a crucial task for businesses. The response should be handled carefully and in accordance with the guidelines set by the relevant data protection authority. Before you start to handle any DSAR request, it’s highly advised to have viable data compliance solutions in place. 

The following steps provide a general guide on how to handle DSARs:

Acknowledge the DSAR

The first step when receiving a DSAR is to acknowledge it promptly. The consumer should receive confirmation that their request has been received and is being processed. This acknowledgment should also estimate when they can expect a full response. 

Ideally, the acknowledgment should occur within a few days, although this can be extended in complex cases. However, any extension must be communicated to the consumer with an explanation for the delay.

Verify the Identity of the Requester

Before processing the DSAR, the business should take steps to verify the requestor’s identity. This is to ensure that personal information is not disclosed to unauthorized individuals.

Here are some tips on verifying individuals.

Ask for further information to confirm the requester’s identity, such as answering security questions or providing additional identification documents.

It’s essential only to request what is necessary and to handle this data with the utmost care, as this process itself involves processing personal information.

When handling any SPI or PII, strict identity verification must always be used to avoid data breaches.

Understand and Clarify the DSAR

The next step is to understand precisely what the consumer is asking for. DSARs can often be broad. For instance, a consumer might want to know what personal data is being held in general, or they might be requesting information about specific data processing activities.

If the DSAR is unclear, the business should contact the requester to clarify what information they want. This step can help streamline the process and ensure the response is relevant and useful to the consumer.

Gather the Requested Information

Once the business understands what is being asked, the next step is to gather the requested information. This process might involve multiple departments within the business, especially for larger organizations.

It’s important to ensure that all relevant data is included while excluding any information about other individuals. The collection of data can be done manually with a data protection officer or with a pre-established compliance solution.

Provide a Clear and Comprehensible Response

Finally, the business should provide a clear and comprehensible response to the DSAR. The response should include a copy of the requested personal data, along with any additional information the consumer is entitled to. 

The information should be presented in a concise, transparent, and easily accessible form, using clear and plain language.

These steps provide a general guide for businesses on responding to DSARs effectively and in compliance with data privacy laws.

However, it’s crucial for businesses to tailor these steps to their specific context, given the complexity and variability of data processing activities. If you want to outsource compliance for your businesses, our superheroes at Captain Compliance have you covered. 

Different Types of DSARs

Data subject access requests come in various forms, each catering to a specific right that consumers can exercise regarding their personal data. The nature of the request dictates how businesses should respond.

Below, we discuss different types of DSARs and offer brief guidance on how each should be handled:

Access to Data Summaries

One common type of DSAR is a request for a summary of the personal data held by a business. This is the most straightforward form of DSAR and requires the business to summarize the personal information it holds about the consumer, including what data is processed, why, and with whom it is shared.

Correction of Personal Data

A consumer may issue a DSAR asking for correction of their personal data if they believe it to be inaccurate or incomplete. In this case, the business should review the data and, if necessary, correct it. The consumer should be informed of any corrections made or, if the data is found to be accurate, given an explanation of why no changes were made.

Deletion of Personal Data

Also known as ‘the right to be forgotten,’ this type of DSAR involves a request to delete personal data. Depending on the jurisdiction, businesses might be obliged to erase personal data if the consumer withdraws consent, the data is no longer necessary, or it was unlawfully processed. However, there are exceptions, and legal advice should be sought in these cases.

Opt-Out Requests

Some DSARs involve a consumer wishing to opt out of certain data processing activities, such as direct marketing. In this situation, the business should cease the specified processing activity for that individual’s data and confirm the action with the consumer.

Employee DSARs

Employees also have the right to issue DSARs to their employers. These can be complex due to the range of data an employer might hold about an employee. As with other DSARs, employers should respond by providing the requested information within the legal time frame.

Each type of DSAR represents a different aspect of data rights. Businesses need to understand each kind and ensure they have the processes in place to handle them effectively, thereby ensuring compliance with data privacy laws.

Can You Refuse to Respond to a DSAR?

There may be circumstances where a business can legitimately refuse to respond to a DSAR. This usually occurs when the request is manifestly unfounded or excessive. But the right to refuse a DSAR is not absolute and should be the exception, not the norm.

Under the GDPR, a request is considered manifestly unfounded if the individual clearly has no intention to exercise their legitimate rights. For instance, if a consumer uses a DSAR to harass a company with no real purpose to access their personal data, the DSAR might be seen as manifestly unfounded.

A privacy consultant can be beneficial in cases where it’s hard to distinguish legitimate data access requests. 

Similarly, a DSAR might be considered excessive if the individual repeatedly requests the same information. However, the interpretation of these terms can be subjective, and it’s recommended to seek legal advice before refusing a DSAR on these grounds.

Refusing a DSAR should be a last resort and needs to be carefully justified. Businesses must remember that the intention behind DSARs is to enhance transparency and build trust between consumers and businesses. Refusing a DSAR without valid grounds can harm this trust and potentially lead to investigations and fines from data protection authorities.

In all cases, if a business refuses a DSAR, it must inform the consumer of their decision and the reasons behind it, as well as their right to make a complaint to the relevant supervisory authority.

Closing

Given the nuances involved in handling DSARs, businesses may seek support to ensure they are managing these requests in the most efficient and compliant way possible.

This is where Captain Compliance can assist. We provide a range of compliance services to simplify the process of managing DSARs, ensuring businesses are equipped with the knowledge and tools necessary to meet these demands confidently and effectively. 

From guiding you on how to acknowledge and verify DSARs to assisting in gathering requested information and drafting clear, comprehensible responses, our team of data privacy experts is ready to help.

Captain Compliance is your trusted partner for compliance. We can help you navigate through GDPR requirements and other data privacy laws. By prioritizing your consumers’ data rights and privacy, we help you turn regulatory compliance into a competitive advantage, setting your business apart in the market. 

Get in touch with us today to get further help with getting your business legally compliant.

FAQs

What happens if a business fails to respond to a DSAR in time?

If a business fails to respond to a DSAR within the prescribed time limit (typically one month under GDPR), it may face penalties from the relevant data protection authority.

This could include fines, audits, or even a temporary ban on data processing activities. It’s crucial to respond to DSARs promptly and within the required timeframe.

Discover the requirements for data protection under the GDPR.

Can a business charge a fee to handle a DSAR?

Under GDPR, businesses generally can’t charge a fee to handle a DSAR. However, if a request is manifestly unfounded or excessive, a business may charge a reasonable fee for the administrative costs of providing the information or communication or taking the requested action.

Find out more about data privacy and compliance services.

How can a business ensure the DSAR process is efficient?

Having a well-structured data management system can significantly streamline the DSAR process. Businesses should aim for a system that makes personal data easy to locate and extract. Additionally, employee training on data privacy laws and DSARs is crucial for an efficient response process.

Discover more about proper employee compliance training.

How should a business deal with third-party data in a DSAR response?

When responding to a DSAR, a business must ensure it doesn’t disclose information about third parties, which could breach their privacy rights. Careful examination and potential redaction of data may be necessary to ensure third-party data is protected.

Find out more about what types of data rights subjects hold under the GDPR.

Online Privacy Compliance Made Easy

Captain Compliance makes it easy to develop, oversee, and expand your privacy program. Book a demo or start a trial now.