What are Data Subject Access Requests?
Under the General Data Protection Regulation (GDPR), data subjects receive exercisable rights, giving them control over the processing of their personal data. These rights must be upheld by organizations that process personal data. For example, data subjects have a right to request rectification or erasure of their personal data. These types of requests are called Data Subject Right Requests (DSRR – see Chapter 3 GDPR).
DSRRs are often confused with Data Subject Access Requests (DSARs). A DSAR is, in fact, only one kind of DSRR: it exercises the right of access, one of the eight rights granted to data subjects under the GDPR.
So, what is a DSAR? It is a request by a data subject to an organization to be given access to the personal data that organization holds or processes about them.
Implications for you as a controller and what you need to do
An individual may exercise their rights against any organization that processes their personal data. They could, for example, ask to see their client file, have false information rectified, or have certain details deleted. A customer relationship is not the only situation in which an individual may ask for access. An employee, for instance, can ask to check the administrative file kept by their employer to see which information is filed about them. A patient can exercise their right of access against the doctor who keeps their medical file (although Member State law may restrict this access in the interest of the patient's wellbeing). And lastly, an individual can ask a governmental body to confirm whether it is processing their data.
When making a DSAR, data subjects are entitled to receive the following information:
- The confirmation that their personal data are processed by you and any necessary information related to that processing: for what purposes, who is the controller, the legal basis for the processing,…
- A copy of the personal data processed by your organization. (Note that when the data subject submits the request electronically, the information must be provided in a commonly used electronic form, unless the data subject requests otherwise.)
Considering the short time allowed to respond to data subjects' requests, your organization should have a dedicated framework to manage responses effectively, and therefore implement a DSAR-response process. DSARs can be very time-consuming, which is why more and more organizations choose to implement software solutions to manage these requests. Check out how RESPONSUM's DSRR module saves organizations time whilst remaining completely compliant.
How do you get started?
1. Set formal rules on how the data subject can make DSARs
DSARs are usually made in writing (e-mail, letter) but can also be made verbally (phone call). It is up to the organization to establish the specific formal rules under which individuals can make an access request. We discourage verbal requests, as they increase the risk of mistakes (e.g. a phone number or invoice amount being noted down incorrectly, or no record of the request and its exact scope being kept). Practical measures include:
- Create a specific mailbox for GDPR matters and DSARs, or implement a DSAR management solution;
- Create a DSAR form accessible from your website;
- Appoint one or more people in charge of checking the mailbox and responding to requests.
Acknowledge receipt of the request by notifying the individual that their request is being reviewed and that a response will be provided within one month.
Then you’ll need to execute some basic steps to answer the request.
2. Verify the identity of the person making the request
Disclosing personal data to the wrong person is itself a personal data breach. To avoid this, and especially where you have reasonable doubts about who is asking, you must verify the requester's identity before releasing anything (Article 12.6 GDPR). The check should be proportionate: ask for information you already hold and that only the data subject should know, such as a customer number, or reply through a contact channel already on file; for sensitive data, a face-to-face meeting or an equivalent strong check may be appropriate. Do not ask for more identification data than you need to resolve the doubt, since that data then has to be protected as well.
Note: It is up to the person wishing to access their personal data to contact you. However, that person can, by formal letter, mandate someone of their choice to exercise the right of access on their behalf. Verifying the validity of such a mandate can itself be cumbersome: check both the identity of the data subject and that of the representative, and be very vigilant to prevent abuse via such letters.
3. Ask what data is being requested
If the request concerns a large amount of data, you can ask the data subject to specify which data or which processing activities the request concerns (Recital 63 of the GDPR).
4. Check that the request does not concern a third party
You must check that by complying with the access request you do not adversely affect the rights and freedoms of third parties (Article 15.4 GDPR). For example, an employee's file may contain the personal data of a colleague; that colleague's data must be redacted or withheld rather than disclosed along with the requester's own data. In the same way, the right of access may not be used to obtain trade secrets or to violate intellectual property rights, although this is not a ground for refusing to provide any information at all (Recital 63).
5. Respond to the request in a timely manner
Usually, you will have to respond without undue delay and in any event within one month of receiving the request (Article 12.3 GDPR). In the case of a complex request, or a large number of requests, the period can be extended by two further months, i.e. to three months in total. You must inform the requester of the extension, and of the reasons for it, within the first month.
What can Data Subjects expect when requesting access?
Firstly, it is important to identify the person making the request. The strength of the identification should match the sensitivity of the personal data requested. Once identification is complete, you must grant access to the personal data concerned, i.e. any data relating to an identified or identifiable person. Under Article 15 GDPR, you must also provide the data subject with the following information:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;
- where possible, the period for which the personal data will be stored or, if this is not possible, the criteria used to determine that period;
- the existence of the right to request rectification or erasure of personal data, restriction of processing of personal data concerning the data subject, or to object to such processing;
- the right to lodge a complaint with a supervisory authority;
- where the personal data were not collected from the data subject, any available information as to their source;
- the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4), and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Although these rights are normally exercised free of charge (Article 12.5 GDPR), you may charge a reasonable fee based on administrative costs for any additional copies requested by the data subject (Article 15.3). This fee must not be an impediment to the exercise of the right of access.
You may have strong grounds not to comply with a DSAR, for example where the request is manifestly unfounded or excessive, or where the requested data has already been deleted (bear in mind that if the deletion happened before the end of the pre-defined retention period, it may itself have to be treated as a data breach in the sense of the GDPR). In all cases, you must be specific and clear about the reasons for refusing. You must also inform the data subject of their right to lodge a complaint with the data protection authority and to seek a judicial remedy (Article 12.4).
Lastly, you must respond to the DSAR within one month (with the extension described above for complex or numerous requests), whether you decide to act on the request or not.
To summarize, keep a record of every DSAR: the details of the request, the identity checks performed, the action taken, and the time taken to respond. This applies even to requests under the right to erasure, since your GDPR accountability obligations require you to demonstrate how the request was handled. Such records are also useful, for example, to assess whether a request is repetitive (multiple requests close in time to a copy already provided). RESPONSUM offers a tool that organizes all requests and allows you to reply to them in a timely manner.
Privacy Consultant @ CRANIUM