DSARs are the practical expression of the GDPR's right of access (Article 15), one of eight data subject rights enshrined in the Regulation. When an individual submits a data subject access request (or SAR, as it was known under the Data Protection Act), the organisation must provide them with a copy of the personal data it holds about them, together with the supplementary information described below.
A Data Subject Access Request (DSAR) is a request made to an organization by an individual exercising that right: it lets them find out whether, and how, the organization is processing personal data about them. Recital 63 of the GDPR says this right should be exercisable easily and at reasonable intervals, so that the individual can be aware of, and verify the lawfulness of, the processing.
Every individual has the right to know and obtain information about the purposes of personal data processing.
The organization is obligated to confirm whether it is processing the individual's personal data and, if so, to provide a copy of that data along with the supplementary information required by Article 15, including:
The purposes of the processing
The recipients, or categories of recipients, to whom the personal data has been or will be disclosed (in particular third parties and recipients in other countries)
The categories of personal data being processed
The source of the data, if it was not collected from the individual
The retention period, or, if that cannot be stated exactly, the criteria used to decide how long the data is kept
Information about any automated decision-making, including profiling, and the logic involved
Information about the individual's other GDPR rights (rectification, erasure, restriction of processing, objection) and the right to lodge a complaint with a supervisory authority
Where data is transferred outside the EU, the safeguards that apply to the transfer
When responding to a DSAR, the organization is obligated to provide both a copy of the personal data and the supplementary information listed above.
A DSAR can be submitted by anyone whose personal data the organization is processing. Individuals are not obligated to give a reason for submitting a DSAR and can request a copy of their data at any time.
Contrary to a common belief, DSARs do not apply only to employees; customers, partners and contractors have the same right. Surveys of organizations' DSAR volumes indicate that most requests come from customers rather than employees.
This is especially true in the U.S. However, employees of companies headquartered in the EU request their personal data at a significantly higher rate than employees of companies headquartered elsewhere.
A DSAR can also be submitted on behalf of someone else, provided that person has been authorized by the data subject. Examples include:
A parent requesting on behalf of a child
A legal representative requesting on behalf of a client
A relative or friend acting with the data subject's authorization
A person appointed as a legal guardian
Before disclosing anything, the organization is entitled, and in practice obliged, to satisfy itself that the third party is genuinely authorized, for example by asking for a written authorization or other documents supporting it. Disclosing personal data to an unauthorized third party would itself be a data breach.
A DSAR can be submitted in writing or verbally: over the phone, by filling out a form on the website, by letter or email, through social media, or through any other channel. It can be addressed to any person inside the organization, for example to the marketing department, not only to the data protection officer.
The request also does not have to be labelled as a DSAR, mention the GDPR, or name any specific right.
The person can simply ask to see their data, or to be told how their personal data is being processed, and the organization is obligated to recognize the request and respond within the statutory deadline (one month, extendable by a further two months for complex or numerous requests).
This is why it is extremely important that key personnel and departments are familiar with data subject rights, know how to recognize a DSAR, and know which steps to take when they receive one. In practice this means a documented intake process: record the date of receipt, route the request to the responsible team, and start the response clock immediately.
According to Recital 64 of the GDPR, the organization should use all reasonable measures to verify the identity of an individual who requests access, in particular in the context of online services and online identifiers. Article 12(6) adds that, where there are reasonable doubts about the requester's identity, the organization may ask for additional information needed to confirm it.
The two most common ways of verifying a data subject's identity are via email and via photo identification, while organizations also rely on login with email and password, challenge questions, and identity proofing platforms.
The organization should not request more information than is necessary for verification. Asking for a passport scan from someone who only has a newsletter subscription is disproportionate, and every identity document collected becomes more personal data the organization must protect and eventually delete.
You should avoid requesting formal identification documents and, where possible, use other reasonable means of verification, such as an identity proofing platform or requiring the requester to log in with the email and password already associated with their account. Whichever method is used, the response should be delivered only through a channel tied to the verified identity (for example the registered email address or the authenticated account), never to an address supplied in the request but not yet verified.