A data subject access request (DSAR) is a request for information from someone whose personal data you hold. If your organization collects personal data, anyone whose data you have can request access to their information. This includes employees, contractors, suppliers, partners and so on – it is not just about customers. A DSAR is a request an individual makes to know what data you have collected about them. GDPR states in Recital 63: “a data subject should have the right of access to personal data which have been collected concerning him or her and to exercise that right easily and at reasonable intervals, to be aware of, and verify, the lawfulness of the processing.” The key factor is whether you are the controller of the data being requested.
The GDPR gives people the right to know whether you are processing personal data relating to them. If you are, you must give them access to the following information:
The purposes of the processing.
The personal data relating to them that you are processing.
The categories of personal data concerned.
How long the personal data will be held.
Information about their rights such as the right to object to processing; the right to request rectification, erasure, or restriction.
Information about their right to lodge a complaint with the ICO.
The source from which their personal data was obtained, if you did not get it directly from the data subject.
The security measures you provide if you transfer personal data to a third party.
Handling a DSAR follows a defined process, ideally overseen by a data protection officer (DPO) who has the skills to handle such requests. The stages below act as a reminder that you have one month to respond to the initial DSAR from the date it is received, and that you should keep records demonstrating that your response processes have been followed.
Verify identity: One of the first steps is to verify the identity of the requester. An organization must protect the confidentiality of personal data, so it must have methods for verifying the identity of the person submitting the DSAR. If the data subject is not the person making the request, the organization will need to request appropriate proof that the requester is legally acting on the data subject’s behalf, such as proof of guardianship, power of attorney, etc.
Identify the request: In the same request, a data subject may assert other rights, such as the right to rectification or the right to erasure. Failure to facilitate these rights could result in a fine in the higher bracket or another administrative penalty.
Clarify the request: Organizations have 30 days to respond to a DSAR. In certain circumstances this period can be extended, depending on the type and complexity of the request, although the individual should be informed as soon as this becomes apparent. The organization should contact the individual to clarify which personal data they wish to receive.
Individuals (data subjects) have the right to access and receive a copy of their personal data and other supplementary information. This is commonly referred to as a data subject access request or 'DSAR'.
Under the GDPR, companies can only charge fees for data access if the subject's request is repetitive, excessive or unfounded, and the burden of proof rests with the data controller.
This detailed downloadable guide will walk you through the journey of completing a Data Subject Access Request (‘DSAR’). Whilst it is not exhaustive or specifically tailored to your organisation, it is indicative of the general considerations you will be expected to address when dealing with a DSAR response, such as validating a requestor, how to acknowledge a request and how to physically redact information. The guide also includes a handy walkthrough checklist to assist you in completing each DSAR, as well as a series of templates to help you construct appropriate responses.
DSARs can be complex by their nature. It is not uncommon for professionals to hold a variety of views on how to approach DSARs (such as when redactions should apply). If you remain unsure, it is important that you seek further advice or guidance from a Data Protection Officer (DPO) or a privacy specialist.