Data Subject Access Requests

A Data Subject Access Request (DSAR) is a specific type of request made by an individual whose personal data is processed – the data subject – which is based on the right of access data subjects benefit from the General Data Protection Regulation (GDPR).
We will explain this right of access data subjects can exercise, what this request consists of, and how to respond to it.

1. The right of access

The GDPR provides several rights to data subjects regarding the processing of their personal data – they are called Data Subject Rights. One of these rights is the right of access (Article 15, GDPR).
It is probably one of the most famous rights from the GDPR – with the right to be forgotten – since it gives data subjects direct power and control over their own personal data. The aim of this right is to make them able to know what is done with their data and decide if they agree or not with the processing. It will also help data subjects to exercise their other rights.
The GDPR determined three aspects for this right:

1.1. Ask confirmation

From their right of access, data subjects can ask to the organization who decided on the processing of their personal data – the controller – if their personal data are indeed processed or not. If the controller does not have any personal data on the data subject, they must simply inform them that none of their personal data is processed.

1.2. Access personal data

People often think of this aspect as the sole action possible from this right: data subject can ask for an access to their personal data. A description of the personal data or the categories of personal data will not be sufficient to fulfil this request; an access to personal data means that the data subject can access the actual data the controller has on him. It is usually done through a copy of the personal data – in a commonly used electronic form – sent to the data subject.

1.3. Ask information on the processing

Data subjects can also ask information on the processing of their personal data. It is linked to another right from the GDPR – the right to be informed – but the right of access allows data subjects to directly ask for information.

As set out by the GDPR (article 15 §1 and §2), data subjects can ask for:

  1. The purpose of the processing.
  2. The categories of personal data concerned.
  3. The recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations.
  4. Where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period.
  5. The existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing.
  6. The right to lodge a complaint with a supervisory authority.
  7. Where the personal data are not collected from the data subject, any available information as to their source.
  8. The existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
  9. The appropriate safeguards taken by the controller when transferring personal data to third countries – countries outside the European Economic Area (EEA) – or to international organizations.

2. The Data Subject Access Request (DSAR)

Data Subject Access Requests (DSARs) are thus the exercise of data subjects’ right of access. The data subject usually contacts the controller, or sometimes the processor – the organization working on behalf of the controller – and ask for confirmation, access, and/or information.
Be aware that the request might not be as explicit as “I want to exercise my right of access”; it is the duty of the controller to assess data subjects’ request and determine with which right(s) it corresponds.
The term Data Subject Access Request (DSAR) is often mistaken with Data Subject Rights Request (DSRR) or Data Subject Request (DSR) – to be noted that the acronym “DSR” can also be used for Data Subject Rights. While DSAR is about the right of access, DSRR is about any of the data subjects’ rights; a DSAR is a DSRR, but a DSRR is not necessarily a DSAR.
To make DSARs possible, the controller must be reachable. The organization has to implement solutions to allow data subjects to submit requests; it can be done through an email address communicated to data subjects, a DSRR-form accessible on the organization’s website, etc.

Related Article

A Complete Guide to Data Subject Access Requests

3. How to handle a DSAR

Now that we explained the right of access and the DSAR, we can describe the best way to handle those DSARs.
The first step would be the identification (and authentication) of the data subject. The divulgation of personal data to a wrong or unauthorized person would constitute a data breach! If the request comes from the same email address as the one registered in the controller’s database, it is legitimate to conclude that the data subject is indeed who he is.
Secondly, organizations must ensure that the request does not infringe other individuals’ rights and freedoms; access must relate to the data subject’s own data.
The organization must respond to the request within a period of one month. They can decline a request if it is unfounded or excessive, but they still need to justify their choice to the data subject, plus inform the data subject that he can lodge a complaint with the supervisory authority if he contests the controller’s decision. The controller can also decide on charging a reasonable fee if the request is excessive or, for further copies, because of administrative costs. However, a legitimate request must be accepted and free of charge.
For the different aspects of the right of access, here are the required actions:

3.1. When the data subject asks for confirmation

The controller must verify in his processes if personal data from the data subject in question is currently processed – including storing – or not.
The controller must then inform the data subject of his findings, by affirming or refuting the processing of personal data.

3.2. When the data subject asks for a copy

As explained earlier, the controller has to give access to the actual and current processed personal data. The usual method is to copy or download all the personal data in a commonly used and adequate electronic form and share it with the data subject. The data subject can also specify another form (e.g., printed and sent by mail, orally, etc.).
If the volume of personal data is too important, the controller can ask to the data subject to specify which data he actually requests.
Even if the personal data was directly provided from the data subject, the right of access still applies. The data subject might use this right of access to verify the accuracy of his personal data.
In the guidelines from the European Data Protection Board (EDPB) about the right of access, they address the possibility for the controller to provide the personal data through a self-service tool where all the personal data processed would be available, making the handling of the DSAR more efficient. Even with this self-service tool, the controller has to reply to data subject requests coming from other communication channels. If all the personal data is not accessible through the self-service tool, data subjects must be informed of it.
This aspect of the right of access is a bit like the right to data portability where the data subject can ask for a copy of his personal data in a “structured, commonly used and machine-readable format” allowing the data subject to easily change between different providers.

3.3. When the data subject requests information

In this final aspect of the right of access, the controller must “simply” provide the information requested by the data subject. The information can usually be found in the Register of Processing Activities (RoPA) or in the privacy notice. It might not be that simple if the ROPA is not well managed or if the privacy notice is not complete. Fortunately, solutions and experts exist to help you with this issue.

Handle Data Subject Access Requests with ease

Manage your Data Subject Access Requests effortlessly with RESPONSUM’s, automated, and structured approach.

The controller could simply redirect the data subject to the relevant documents data subjects already have or have access to, but these documents must be up to date and, if the requested information is not available, the reply must be tailored to the data subject’s request.

Conclusion

When handling DSARs, or any DSRRs, the controller must ensure that everything is recorded: data subject information, verification details, actions taken, timeline, etc. This is necessary to comply with the “accountability” principle of the GDPR.
Security must also be part of the handling of DSRRs, especially when sensitive data is at stake. The identification and authentication of the data subject is a first step, but the access to and the communication of personal data must also be secure.
To conclude, this right of access, which has several aspects, provides to the data subjects control over their own personal data. Moreover, controllers have several obligations regarding this right, from keeping processing information up to date to providing copies of personal data. The ability of the controller to handle correctly and in time Data Subject Access Requests (DSARs) is crucial since it is a requirement from the GDPR, but also because organizations can show to their data subjects that they are trustworthy and that they care about their data subjects’ privacy.

Sources

Liked reading this article? Spread the word!

Get the inside scoop on simplified privacy management

Get exclusive tips ‘n tricks straight to your inbox. Join +1,100 privacy professionals already subscribed and stay ahead of the game!

Written by

Amaury André

Consultant @ CRANIUM