The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
the purposes of the processing;
the categories of personal data concerned;
the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
The European Union’s General Data Protection Regulation (GDPR) provides EU residents and any consumer or individual who interacts with EU organizations the right to access their information. Meanwhile, other data privacy laws such as the California CCPA (to be replaced by CPRA on January 1, 2023) or Brazilian LGPD also provide consumers with such rights to access, rectify, and erase their data. Business organizations that collect and store data often receive DSARs from individuals. They are required to address DSARs appropriately to ensure compliance with the data privacy regulations.
DSARs are also commonly referred to as Subject Access Requests (SAR), Data Subject Requests (DSR), or Subject Right Requests (SRR). These abbreviations all mean exactly the same thing: the right for consumers to make a request about their data to companies that process it.
Over time, DSAR and SAR have become the most commonly used terms for data subject requests.
A data subject access request (DSAR) is simply a request from a person who believes that your organization stores data on them. In legal terms, this person is known as a data subject. Typically, a DSAR asks for a list of all the personal data your company may have stored on the individual.
Companies may receive DSARs at any time and from anyone, whether they have interacted with your business and you hold data on them or not. Businesses and other organizations such as yours are obligated to respond to DSARs with a copy of relevant information you may have on the data subject. If no data is held, the person that has requested their data must also be informed of this.
In terms of EU law, the GDPR sets out the right for individuals to request their data EU-wide. Following the UK’s exit from the Union, the legislation was copied over to the UK to form the UK GDPR.
The GDPR sets out individuals’ right to access their information as per Recital 63 of the GDPR:
A data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing.