The right of access lets individuals find out what personal data an organization holds about them and understand how and why that data is used.
The right itself predates the GDPR, but the GDPR expands it: it adds mandatory categories of information the organization must provide and makes it easier for individuals to submit requests, access their data, and obtain information.
Access requests are among the most common requests organizations receive, so sooner or later your organization will have to answer a Data Subject Access Request (DSAR).
What is a Data Subject Access Request?
A DSAR is a request, under Article 15 of the GDPR, by which an individual asks an organization to confirm whether it is processing their personal data and, if so, to receive a copy of that data together with information about the processing, including its purposes.
Individuals should be able to exercise this right easily and at reasonable intervals so that they can verify that the processing is lawful.
What information are you obligated to provide in a DSAR response?
When responding to a DSAR, the organization must confirm whether it is processing the individual's personal data, provide a copy of that data, and supply the following information:
- The purposes of the processing
- The recipients or categories of recipients (third parties) with whom the data is or will be shared, if any
- The categories of personal data being processed
- The source of the data, if it was not collected from the individual
- The retention period or, where no fixed period exists, the criteria used to determine it
- Whether automated decision-making (including profiling) takes place and, if so, meaningful information about the logic involved and its consequences for the individual
- The individual's other GDPR rights (rectification, erasure, restriction of processing, objection) and the right to lodge a complaint with a supervisory authority
- Where the data is transferred to a third country or an international organization, the safeguards that apply to the transfer
A response that omits the copy of the data or any of these elements is incomplete.
Who Can Submit a DSAR?
A DSAR can be submitted by anyone whose personal data the organization is processing. Individuals do not have to give a reason for submitting it, and they can request a copy of their data.
Contrary to a common belief, DSARs are not limited to employees; customers, partners, and contractors can submit them too. According to some research, most requests come from customers rather than employees.
This is especially true in the U.S. Employees of EU companies, however, request their personal data at a significantly higher rate than employees elsewhere.
DSAR can also be submitted on behalf of someone else if the data subject authorizes that person. Examples would be:
- A parent requesting on behalf of a child
- Legal representative requesting on behalf of the client
- A relative or a friend
- A person appointed as a guardian
The organization has a right and an obligation to ask for written authorization or other documents supporting the authorization.
How Can an Individual Submit a DSAR?
A DSAR can be submitted in writing or verbally, for example over the phone or through an online form, through any channel, including social media, and to any person inside the organization (for example, the marketing department).
The request also does not have to be labelled as a DSAR, mention the GDPR, or name any specific right.
The person can simply ask for insight into their data or for information about how their personal data is processed, and the organization must recognize the request and respond within the deadline.
This is why it is extremely important that key personnel and departments are familiar with data subject rights, know how to recognize DSAR, and know which steps to take when they receive such a request.
Verifying the Identity of the individual
According to Recital 64 of the GDPR, the organization should use all reasonable measures to verify the identity of an individual who requests access, in particular in the context of online services and online identifiers.
The two most common ways of verifying a data subject's identity are via email and via photo identification, while organizations also rely on login with email and password, challenge questions, and identity-proofing platforms.
The organization should not request more information than necessary during verification; collecting extra identity data to answer an access request is itself processing that needs justification.
Avoid demanding formal identification documents by default. Where the individual already has an authenticated account, a login through that account is usually sufficient and proportionate; otherwise consider an identity-proofing platform or another reasonable method before asking for a copy of an ID.
Who should respond to a DSAR
Some organizations are obligated to appoint a Data Protection Officer (DPO), and some are not.
Whatever the case, there should be one person within the organization in charge of compliance who will have a high-level overview of DSAR processes and document all requests to ensure they are resolved in a timely manner.
This does not mean the DPO should respond to each and every request personally. However, the DPO should have control over the processes and assure compliance along the way.
Automating the process helps you manage DSARs more efficiently and prevents requests from being accidentally overlooked or ignored. This matters most when the privacy function is a small team or a single person.
Deadline for Responding to the DSAR
The organization must respond to a DSAR without undue delay and at the latest within one month of receiving the request.
That deadline may be extended by a further two months where necessary, taking into account the complexity and number of the requests, for example when the individual submits a DSAR and an erasure request at the same time.
In that case, the organization must inform the individual of the extension, and of the reasons for the delay, within one month of receiving the request.
The deadline runs from the day the request (or, where applicable, the fee or other requested information such as proof of identity) is received until the corresponding calendar date in the following month.
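To make the month-based arithmetic concrete, here is an added Python example; it is not code from this page or from any product the page mentions. It computes the one-month response deadline, the date by which an extension must be notified, and the extended three-month deadline, then triages a constructed list of requests so that overdue and soon-due ones surface first. The month-end rule it applies (a deadline that would fall on a non-existent date such as 31 February ends on the last day of that month) is an assumption of the example, following the EU rules on calculating time periods; the page itself does not state it. Weekend and public-holiday adjustments are not handled.

```python
import calendar
from dataclasses import dataclass
from datetime import date


def add_months(start: date, months: int) -> date:
    """Return the corresponding calendar date `months` months after `start`.

    Assumption (not stated on the page): when the corresponding date does
    not exist in the target month (31 Jan + 1 month), the period ends on
    the last day of that month.
    """
    month_index = start.month - 1 + months
    year = start.year + month_index // 12
    month = month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


@dataclass(frozen=True)
class DsarDeadlines:
    received: date
    extension_notice_by: date  # the individual must be told about any extension by this date
    respond_by: date           # one month from receipt, or three months if extended


def dsar_deadlines(received: date, extended: bool = False) -> DsarDeadlines:
    """Compute the GDPR Article 12(3) deadlines for a request received on `received`."""
    one_month = add_months(received, 1)
    # An extension adds up to two months on top of the initial month.
    respond_by = add_months(received, 3) if extended else one_month
    return DsarDeadlines(received=received,
                         extension_notice_by=one_month,
                         respond_by=respond_by)


def triage(requests, today: date, warn_days: int = 7):
    """Return (id, status, respond_by, days_remaining) tuples, most urgent first."""
    rows = []
    for req in requests:
        deadlines = dsar_deadlines(req["received"], req["extended"])
        remaining = (deadlines.respond_by - today).days
        if remaining < 0:
            status = "OVERDUE"
        elif remaining <= warn_days:
            status = "DUE_SOON"
        else:
            status = "OPEN"
        rows.append((req["id"], status, deadlines.respond_by, remaining))
    rows.sort(key=lambda row: row[3])
    return rows


# Constructed sample data for the demonstration, not real requests.
SAMPLE_REQUESTS = [
    {"id": "DSAR-001", "received": date(2024, 1, 31), "extended": False},
    {"id": "DSAR-002", "received": date(2024, 2, 20), "extended": True},
    {"id": "DSAR-003", "received": date(2024, 2, 10), "extended": False},
]

if __name__ == "__main__":
    for row in triage(SAMPLE_REQUESTS, today=date(2024, 3, 5)):
        print("%s  %-8s due %s (%+d days)" % row)
```

Running the block as a script on the constructed sample for 5 March 2024 lists DSAR-001 as overdue (received 31 January, due 29 February in a leap year), DSAR-003 as due within the week, and DSAR-002 as open because its justified extension moves the deadline to 20 May. A real tracker would also record the date the extension notice was sent, since that notice has its own one-month deadline.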
Can You Charge a Fee for a DSAR?
As a rule, a DSAR must be handled free of charge. Only where a request is manifestly unfounded or excessive may the organization charge a reasonable fee based on its administrative costs (or refuse to act; see below).
A small fee may be applied to repeated or excessive requests to discourage an individual from submitting unnecessary DSARs, but the fee must cover costs only; the organization must never profit from it.
If you charge a fee, define written criteria for determining what is reasonable; you will need them if you have to justify the fee to the supervisory authority.
The criteria should be clear, and the organization should explain the costs to the individual.
Relying on these exceptions is risky, however: the Dutch DPA issued an 830,000 euro GDPR fine to an organization that charged a fee for access to information.
Can You Refuse to Respond to a DSAR?
The organization may refuse to comply with a DSAR where a legal exemption applies, or where:
➡️ The request is manifestly unfounded
The individual has no genuine intention of exercising the right, or the request is malicious and serves no purpose other than to cause disruption.
➡️ The request is manifestly excessive
The request is unreasonable and disproportionate to the cost or other burden that fulfilling it would involve.
The burden of demonstrating that a request is manifestly unfounded or excessive lies with the organization, so if you refuse a request, make sure you can defend the decision to the supervisory authority.
You must also, within one month of receiving the request, tell the individual why you are refusing it, inform them of their right to lodge a complaint with the supervisory authority, and inform them of their right to seek a judicial remedy.
How to Automate the Data Subject Requests?
The Data Subject Access Request is only one of the eight data subject rights granted by the GDPR, and organizations must be able to handle all of them.
Most organizations still manage DSARs manually, typically with a front-end submission form and processing by email or phone, so it is doubtful whether they are ready to handle DSARs effectively.
At scale, resolving data subject requests manually will almost certainly lead to handling errors and expose the organization to significant risk.
The top business drivers for fulfilling DSARs are GDPR compliance, the organization's reputation, CCPA compliance, and transparency towards customers. This is why organizations worldwide are investing in privacy tools to manage DSARs and stay compliant.
Data Privacy Manager as a solution
As one of the top privacy solutions, Data Privacy Manager is a platform for orchestrating and managing data subject rights.
It automates the entire process so that the IT systems in which the data is stored can execute user requests on time and accurately.
The process becomes an automated workflow giving you clear insight every step of the way, from the registration of a user request, through the process of the request approval and data processing, to the notification of the user about the outcome of the request.
Most importantly, the Data Privacy Manager represents one central place for the supervision of requests and provides DPO with all necessary information for managing data subjects’ requests within the limits of the response date.
Combined with Privacy Portal as a customer-facing channel, it gives your organization flawless insight into the communication preferences of data subjects, their preferred language of communication, and the purpose of data processing, while data subjects can opt-out as easily as they opt-in.