DSAR: a comprehensive guide to Data Subject Access Request

What is a DSAR? How do you practically handle DSAR requests under the main privacy laws?

In this post we explain all you need to know about Data Subject Access Request (DSAR)!


What is a Data Subject Access Request (DSAR)?

A DSAR, Data Subject Access Request, is the request that users send to exercise their right to access.

For example, Article 15 of the GDPR grants users the Right to Access:

The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data.

In other words, users can ask you for access to the data you’ve collected about them and for information about how that data is processed, so they can check that the processing is carried out lawfully.

DSARs and privacy laws

GDPR isn’t the only law that grants users the right to access. Let’s take a look at how to handle DSAR requests under the main privacy laws.

DSAR and the GDPR 🇪🇺

Under the GDPR, the right to access is a fundamental principle. It allows individuals to obtain confirmation on whether their personal data is being processed and access to that data. The reply to a Data Subject Access Request should include:

  • an overview of the categories of data being processed;
  • a copy of the actual data;
  • details about the processing: specifically, the purpose of the processing, how the data was collected, and with whom it was shared.

This right also includes receiving information about data retention periods, the existence of automated decision-making or profiling, and how individuals can exercise other data protection rights. Organizations must provide this information free of charge and ensure the data is delivered in a clear and accessible format.

How quickly should you respond to a request to exercise a right granted by the GDPR?

The request should be fulfilled without undue delay and, at the latest, within one month of receiving it. This timeframe can be extended by two additional months if the request is complex or if the organization has received numerous requests, but the organization must inform the individual of the delay and its reasons within the first month.

DSAR and CPRA (CCPA amendment) 🇺🇸

The new California Privacy Rights Act (the amendment to the CCPA) also grants users the right to access.

The reply to the request should include:

  • what personal information was gathered during the previous 12 months;
  • which third parties the data was shared with or sold to.

An organization must fulfil a DSAR at no cost to the consumer, within 45 days of receiving a verifiable request. If necessary, you can extend this period (only once) by a further 45 days, but you must inform the consumer of the extension.

DSAR and LGPD 🇧🇷

The Brazilian Lei Geral de Proteção de Dados Pessoais (LGPD) grants users the right to access personal data and information about how it’s processed. This includes:

  • confirmation of whether the data is processed;
  • access to the personal data collected;
  • information about the processing purposes, data sharing, and data retention;
  • the origin of the data, if not collected directly from the data subject.

LGPD also requires organizations to provide clear and understandable information free of charge, helping individuals understand and control how their personal data is handled.

DSAR Process: How to handle Data Subject Access Requests

Receiving a DSAR is not as uncommon as you may think! That’s why you should have a structured process for handling Data Subject Access Requests, so that you can ensure a timely and clear response.

The first thing to do is to define which law (or laws) apply to you. This is important because each law sets a timeframe within which you need to respond to the request. For example, it’s 30 days for the GDPR and 45 days for the CCPA.

Then, to fulfill requests more quickly, it’s also good practice to map all the data you’re collecting and processing. This gives you a clearer picture of your activity and of where each subject’s data lives.

DSAR Process step by step

Now it’s time to address the request.

1. Identify the data subject

Identify the person who’s sending the request and verify their identity: you don’t want to send the data to the wrong person!

A DSAR can come from anyone whose data you’re processing: for example, customers, employees, partners, contractors, suppliers, etc. Moreover, it can also happen that someone is writing on behalf of another person, such as a parent for their child, or a legal representative for their client.

2. Review the data

Make sure the data you’re sending to the user is accurate and contains all the necessary information.

A DSAR response should contain:

  • The purposes of processing.
  • Information about the categories of personal data being processed.
  • The source of the data, if it was not collected directly from the data subject.
  • The recipients or categories of recipients with whom the data has been shared or sold.
  • The data retention period or criteria used to determine how long the data will be kept.
  • Information about any automated decision-making or profiling involving the data.
  • An explanation of the data subject’s rights under relevant privacy laws, such as the right to rectification, erasure, restriction of processing, objection, and the right to lodge a complaint with a supervisory authority.

Moreover, you must ensure that you’re not disclosing any personal data belonging to a different data subject, which would expose that person’s information.

3. Package the data

You can send back the data either as a physical copy or in electronic form, depending on the request made by the data subject. If the initial DSAR was sent by electronic means, such as email, you can reply by the same means.

4. Send the response to the data subject

Please note: a data access request is just one of the requests you may receive

Since privacy laws grant users several rights, you may also receive requests to correct or delete the data, to restrict the processing, or for data portability.

Can you avoid responding to a DSAR?

Usually, it’s mandatory to respond to DSARs, but there are some exemptions. For example, you may refuse to respond to a data subject request if:

  • The request is manifestly unfounded: the data subject has no real intention of exercising their right but is using the request to obtain something else from your organization (e.g., a benefit), or the data subject has malicious intent.
  • The request is manifestly excessive: the burden and cost of responding to the request are excessive for your organization.

How can I make DSARs easier?

Handling DSARs can be challenging, but there are online tools that can make it easier.

For example, our Data Subject Rights Management Tool simplifies handling privacy rights requests in compliance with global regulations like GDPR. Our tool provides a comprehensive solution that simplifies the entire process from request intake to fulfilment, minimizing manual effort through automated data retrieval.

Moreover, it’s not just for data access requests: it helps you manage all kinds of data subject requests, such as deletion, correction, data portability, etc.

Establish a dedicated channel for receiving data subject requests and manage them from a centralized, intuitive platform.

About us

iubenda

Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.

www.iubenda.com