Data Subject Access Request (“DSAR”)
A Data Subject Access Request (DSAR) is any request made by an individual or an individual’s legal representative for information held by the Company about that individual. The Data Subject Access Request provides the right for data subjects to see or view their own personal data as well as to request copies of the data. A Data Subject Access Request must be made in writing. In general, verbal requests for information held about an individual are not valid DSARs. In the event a formal Data Subject Access Request is made verbally to a staff member of the Company, further guidance should be sought from the Data Protection Officer, who will consider and approve all Data Subject Access Request applications. A Data Subject Access Request can be made via any of the following methods: email, fax, post, the corporate website or any other method. DSARs made online must be treated like any other Data Subject Access Request when they are received, though the Company will not provide personal information via social media channels.
The Rights of a Data Subject
The rights to data subject access include the following:
• Know whether a data controller holds any personal data about them.
• Receive a description of the data held about them and, if permissible and practical, a copy of the data.
• Be informed of the purpose(s) for which that data is being processed, and from where it was received.
• Be informed whether the information is being disclosed to anyone apart from the original recipient of the data; and if so, the identity of those recipients.
• The right of data portability. Data subjects can ask that their personal data be transferred to them or to a third party in a machine-readable format (Word, PDF, etc.). However, such requests can only be fulfilled if the data in question is:
1) provided by the data subject to the Company,
2) processed automatically, and
3) processed on the basis of consent or the fulfilment of a contract.
• If the data is being used to make automated decisions about the data subject, to be told what logic the system uses to make those decisions and to be able to request human intervention.
Requirements for a valid DSAR
In order to be able to respond to the Data Subject Access Requests in a timely manner, the data subject should:
• Submit his/her request using a Data Subject Access Request Form.
• Provide the Company with sufficient information to validate his/her identity (to ensure that the person requesting the information is the data subject or his/her authorized person).
Subject to the exemptions referred to in this document, the Company will provide information to data subjects whose requests are in writing (or made by some other method explicitly permitted by local law) and are received from an individual whose identity can be validated by the Company.
However, the Company will not provide data where the resources required to identify and retrieve it would be excessively difficult or time-consuming. Requests are more likely to be successful where they are specific and targeted at particular information.
Factors that can assist in narrowing the scope of a search include identifying the likely holder of the information (e.g. by making reference to a specific department), the time period in which the information was generated or processed (the narrower the time frame, the more likely a request is to succeed) and being specific about the nature of the data sought (e.g. a copy of a particular form, or email records from within a particular department).
Consumer right of access is a core component of many privacy laws in effect around the world today. Privacy laws in Canada and the EU go back several decades, but changing consumer sentiments around privacy have driven updates to existing laws as well as motivated more countries to enact comprehensive data privacy laws. In the US, several states, including California, are considering or have implemented privacy laws, and the US is considering a federal-level law as well. In addition, Brazil, Singapore, and China have all put new privacy regulations into effect that mirror many of the tenets of the EU’s GDPR.
Individuals have the right to access their personal data, and this is commonly referred to as subject access. A number of privacy laws such as the GDPR or CCPA give individuals the right to obtain a copy of their personal data as well as other supplementary information. This helps individuals to understand how and why businesses are using their data, and checks that they are doing it lawfully.
The right of access also allows the data subject to exercise further rights such as rectification and erasure. In most cases, the right to access is afforded to customers as well as company employees.
Lack of compliance with subject rights can have a significant impact on a company. Under the GDPR and other similar privacy laws, an omitted or incomplete disclosure is subject to fines.
Responsibilities
The overall responsibility for ensuring compliance with a DSAR rests with the Data Protection Officer. If the Company acts as a data controller towards the data subject making the request, then the DSAR will be addressed based on the provisions of this procedure. If the Company acts as a data processor, the Data Protection Officer will forward the request to the appropriate data controller on whose behalf the Company processes the personal data of the data subject making the request.