Data Subject Access Request (DSAR)

When the General Data Protection Regulation (GDPR) was enforced back in 2018, it was set out to give back individuals control over their data.

This is procured by granting individuals eight data subject rights and one of those rights- the right of access, allows them to get information about which data the organization holds about them, why, how it is used, and other information described in the GDPR.

Even though the right of access is not a novelty, the GDPR expands this right with new mandatory categories of information that the organization is obligated to provide and makes it easier for individuals to submit their requests, access their data, and get information.

The access request is one of the most common types of requests organizations receive, so sooner or later as an organization, you will have to deal with answering DSAR. Here is what you need to know.

What is a Data Subject Access Request?

A Data Subject Access Request (DSAR) is a request addressed to the organization that gives individuals a right to access information about personal data the organization is processing about them and to exercise that right easily, at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing.

Every individual has the right to know and obtain information about the purposes of personal data processing.

What information are you obligated to provide in a DSAR response?

The organization is obligated to provide confirmation that they are processing personal data, a copy of personal data and other information including:

➡️ Purpose of personal data processing
➡️ Third-parties with whom the organization is sharing personal data, if any
➡️ Categories of personal data the organization is processing
➡️ Source of data, (if the data is not collected from the individual)
➡️ Data retention period or for how long will organization keep data
➡️ Information about automated decision-making (including profiling)
➡️ Information about their GDPR rights (right to rectification, right to erasure, restriction of processing…). Find out more about data subject rights.

When responding to a DSAR, the organization is obligated to provide a copy of personal data and the information listed above.

Who Can Submit a DSAR?

DSAR can be submitted by anyone whose personal data the organization is processing. The individuals are not obligated to provide any reason for submitting a DSAR and can request a copy of their data at any time.

Contrary to some beliefs, DSAR is not applied only to employees, but also to customers, partners and contractors. According to the BigID and IAPP research on the state of data rights, the requests mostly originate from customers rather than employees.

This is especially true in the U.S. However, employees of companies headquartered in the EU request personal data at a significantly higher rate than employees of companies headquartered in other parts of the world.

DSAR can also be submitted on behalf of someone else if that person is authorized by the data subject. Examples would be:

➡️ Parent requesting on behalf of a child
➡️ Attorney requesting on behalf of the client
➡️ Relative or a friend 
➡️  Person appointed as a guardian

The organization has a right and an obligation to ask for a written authorization or other documents supporting the authorization.

How Can Data Subject Submit DSAR?

DSAR can be submitted in writing or verbally. For example, over the phone, or by filling out the form on the web, through any channel, including social media, and to any person inside the organization (for example to the marketing department).

Also, the request does not have to be addressed as a DSAR request, mention GDPR or any specific right. The person can simply ask to get insight into their data or to get information about the processing of their personal data and the organization is obligated to recognize the request and respond timely.

This is why it is extremely important that key personnel and departments are familiar with data subject rights and know how to recognize DSAR and which steps to take when they receive such a request.

Verifying the Identity of the Data Subject

According to the Recital 64 of the GDPR, The organization should use all reasonable measures to verify the identity of an individual who requests access, in particular in the context of online services and online identifiers.

The two most popular ways of verifying data subject’s identity are via email and via photo identification, while organizations also rely on login with email and password, challenge questions, and identity proofing platform.

The organization should not request more information than is necessary during the verification process. You should avoid requesting formal identification documents, and if possible try to use other reasonable ways of verification, like an identity proofing platform or email and password login.

Who should respond to a DSAR

Some organizations are obligated to appoint a Data Protection Officer (DPO), some are not. Whatever the case may be, there should be one person within the organization, in charge of the compliance who will have a high-level overview of DSAR processes and document all requests to ensure they are resolved in a timely manner.

This does not mean the DPO should respond to each and every request personally, however, the DPO should have control over the processes and assure compliance along the way.

Automation of the process can help you manage DSAR more efficiently and prevent requests from being accidentally overlooked or ignored. Automation can be especially important if your privacy department is comprised of smaller staff or even a one-person department.

Deadline for Responding to the DSAR

The organization should respond to a DSAR without undue delay and within one month from receiving the request.

That deadline may be extended by two further months where necessary if the request is complex or if the organization has received a number of requests from the individual (for example, the individual submitted DSAR and the right to be forgotten at the same time).

If that is the case, the organization should notify the individual of any such extension within one month of receipt of the request, together with the reasons for the delay.

The deadline is calculated from the day of the receipt of the request, fee, or other requested information until the corresponding calendar date in the next month.

Can You Charge a Fee for a DSAR?

The organizations are not allowed to charge a fee for a DSAR. However, there are a few situations where a reasonable fee can be charged for administrative costs if the request is unfounded or excessive.

A small fee can be applied to multiple or excessive requests to prevent an individual from repeatedly submitting unnecessary DSAR. However, organizations should never make a profit from the fee.

When charging a fee, you should develop a list of criteria for determining what would be a reasonable fee since this will help you if you should ever have to clarify it to the supervisory authority. The criteria should be clear and the organization should explain the costs to an individual.

However, relying on these exceptions has proven to be risky, since we have seen how Dutch DPA issued 830K euro GDPR fine for charging a fee to access information.

Can You Refuse to Respond to a DSAR?

There are situations where the organization can refuse to comply with DSAR if the exemption can be applied, or if:

➡️ The request is manifestly unfounded
This means an individual has no real intention to exercise the right of access or if the request has malicious intent and no other purpose then to cause a disruption

➡️ The request is manifestly excessive
The DSAR is obviously unreasonable and is unproportionate to the cost or other burdens involved with DSAR.

If you decide to refuse to comply with a request, be absolutely sure that you can defend your decision to the supervisory authority. You will also have to notify the individual of reasons why you are refusing the request, inform the individual of their right to make a complaint to the supervisory authority; and the option to enforce their right through the courts.

How to get compliant and automate the Data Subject Requests?

When we talk about the Data Subject Access Request, we are only referring to one out of 8 different rights granted by the GDPR, and organizations are obligated to comply with all of them.

Considering most organizations are still managing DSAR manually, combined with some sort of front-end submission form, and process requests via email or phone, it is doubtful if they are ready to effectively tackle DSAR.

On a larger scale, resolving data subject rights manually will almost certainly be accompanied by human errors in handling and potentially expose the organization to fines.

Top business drivers for fulfilling DSARs are GDPR compliance, the organization’s reputation, CCPA compliance, and customer transparency. Therefore, numerous organizations worldwide are investing in a privacy tool that will help them manage DSARs and stay compliant and transparent.

Get 14-days Free Data Privacy Manager Trial

As one of the top privacy solutions, Data Privacy Manager is a platform for orchestration and management of data subject’s rights. It automates the entire process so that the IT systems, on which the data is stored, can execute user requests timely and accurately.

The process becomes an automated workflow giving you clear insight every step of the way, from the registration of a user request, through the process of the request approval and data processing, to the notification of the user about the outcome of the request.

Most importantly, the Data Privacy Manager represents one central place for the supervision of requests and provides DPO with all necessary information for managing data subjects’ requests within the limits of the response date.

Combined with Privacy Portal as a customer-facing channel it gives your organization a flawless insight into the communication preferences of data subjects, their preferred language of communication, and the purpose of data processing, while data subjects can opt-out as easily as they opted-in.