DSAR: a comprehensive guide to Data Subject Access Request

What is a DSAR? How do you practically handle DSAR requests under the main privacy laws?

In this post we explain all you need to know about Data Subject Access Requests (DSARs)!


What is a Data Subject Access Request (DSAR)?

Article 15 of the GDPR grants users the Right to Access:

The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data.

In other words, users can ask you for access to the data you’ve collected about them and request information about how this data is processed, to make sure the processing is carried out lawfully.

A DSAR is the request that users send to exercise their right to access.

DSARs and privacy laws

Let’s have a look at how to handle DSAR requests under the main privacy laws.

DSAR and the GDPR 🇪🇺

Under the GDPR, the reply to a Data Subject Access Request should include:

  • an overview of the categories of data being processed;
  • a copy of the actual data;
  • details about the processing, more specifically, the purpose of the processing, how the data was collected and with whom it was shared.

The organization must provide the person making the request with a copy of their personal data free of charge.

How long to respond to a DSAR request under the GDPR

The request should be fulfilled without undue delay and, at the latest, within one month of receiving it.

DSAR and CPRA (CCPA amendment) 🇺🇸

The new California Privacy Rights Act (the amendment to the CCPA) also grants users the right to access.

The reply to the request should include:

  • what personal information was gathered during the previous 12 months;
  • which third parties the data was shared with or sold to.

An organization must fulfil a DSAR request at no cost to the consumer, within 45 days of receiving a verifiable request. If necessary, you can extend this period (only once) by a further 45 days, but you must inform the consumer of this.

DSAR and LGPD 🇧🇷

The Brazilian Lei Geral de Proteção de Dados Pessoais (LGPD) grants users the same right to access.

Users should have easy access to any information about the processing of their personal data, free of charge.

How to handle DSARs

It’s important to handle a Data Subject Access Request within the time frame set by the law that applies to you.

To fulfill requests more quickly, first map all the data you’re collecting and processing. Once you’ve done that, it’s easier to respond to users by following these 4 steps:

  1. Identify the data subject who sent the request: you don’t want to send the data to the wrong person!
  2. Review the data: make sure the data you’re sending to the user is accurate and contains all the necessary information, as we outlined in the paragraph above. Moreover, you must ensure that you’re not disclosing any personal data belonging to a different subject, thus exposing their personal information.
  3. Package the data: you can send back the data either as a physical copy or in electronic form, depending on the request made by the subject. If the initial DSAR was sent by electronic means, such as email, you can reply using the same means.
  4. Send the response to the data subject.

How can I make DSARs easier?

There are online tools that can help you keep track of your data collection and processing activities.

For example, iubenda’s Internal Privacy Management helps you create extensive records that make it a lot easier to retrieve the data needed to reply to a DSAR or any other kind of user request.
