What is a DSAR? How do you practically handle DSAR requests under the main privacy laws?
In this post we explain all you need to know about Data Subject Access Requests (DSARs)!
A DSAR, or Data Subject Access Request, is the request a user sends to exercise their right of access.
For example, Article 15 of the GDPR grants users the Right to Access:
The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data.
In other words, users can ask to access the data you’ve collected about them and request information about how this data is processed, to make sure the processing is carried out lawfully.
GDPR isn’t the only law that grants users the right to access. Let’s take a look at how to handle DSAR requests under the main privacy laws.
Under the GDPR, the right to access is a fundamental principle. It allows individuals to obtain confirmation on whether their personal data is being processed and access to that data. The reply to a Data Subject Access Request should include:
This right also includes receiving information about data retention periods, the existence of automated decision-making or profiling, and how individuals can exercise other data protection rights. Organizations must provide this information free of charge and ensure the data is delivered in a clear and accessible format.
The request should be fulfilled without undue delay and, at the latest, within one month of receiving it. This timeframe can be extended by two additional months if the request is complex or if requests are numerous, but the organization must inform the individual of the delay and its reasons within the first month.
The new California Privacy Rights Act (the amendment to the CCPA) also grants users the right to access.
The reply to the request should include:
An organization must fulfil a DSAR request at no cost to the consumer, within 45 days of receiving a verifiable request. If necessary, you can extend this period (only once) by a further 45 days, but you must inform the consumer of this.
The Brazilian Lei Geral de Proteção de Dados Pessoais (LGPD) grants users the right to access personal data and information about how it’s processed. This includes:
LGPD also requires organizations to provide clear and understandable information free of charge, helping individuals understand and control how their personal data is handled.
Receiving a DSAR is not as uncommon as you may think! That’s why you should have a structured process to handle Data Subject Access Requests and ensure a timely and clear response.
The first thing to do is to define what law (or laws) apply to you. This is important because each law has a timeframe in which you need to respond to the request. For example, it’s 30 days for the GDPR and 45 days for the CCPA.
Then, to fulfill requests more quickly, it’s also good practice to map all the data you’re collecting and processing. This gives you a clearer picture of your processing activity.
Now it’s time to address the request.
Identify the person who’s sending the request: you don’t want to send the data to the wrong person!
A DSAR can come from anyone whose data you’re processing. For example, customers, employees, partners, contractors, suppliers, etc. Moreover, it can also happen that someone is writing on behalf of another person, such as a parent for their child, or a legal representative for their clients.
Make sure the data you’re sending to the user is accurate and contains all the necessary information.
A DSAR response should contain:
Moreover, you must ensure that you’re not disclosing any personal data belonging to a different subject, thus exposing their personal information.
You can send back the data either as a physical copy or in electronic form, depending on the request made by the subject. If the initial DSAR was sent by electronic means, such as email, you can reply by the same means.
Since privacy laws grant users several rights, you may also receive requests to correct or delete the data, restrict the processing, or request data portability.
Usually, it’s mandatory to respond to DSARs, but there are some exemptions. For example, you may refuse to respond to a data subject request if:
Handling DSARs can be challenging, but there are online tools that can make it easier.
For example, our Data Subject Rights Management Tool simplifies handling privacy rights requests in compliance with global regulations like GDPR. Our tool provides a comprehensive solution that simplifies the entire process from request intake to fulfilment, minimizing manual effort through automated data retrieval.
Moreover, it’s not just for data access requests, but it helps you manage all kinds of data subject requests, such as deletion, correction, data portability, etc.
Establish a dedicated channel for receiving data subject requests and manage them from a centralized, intuitive platform.