GDPR-compliant handling of data subject access requests

Klaus Foitzick

Lawyer / Managing Director

The GDPR gives data subjects within the EU a variety of rights related to the collection and processing of their personal data. One of these rights is the right of access, which enables data subjects (like website users or customers) to request information on which of their data a company possesses. This request is called a data subject access request (DSAR). We will show you exactly what a DSAR is, who can file a request and how you should handle requests.



What is a DSAR and what data can be requested?

The GDPR provides data subjects with the right to access any of their data that your company possesses. Data subjects can submit access requests at any time, and as a controller you are generally obliged to respond to a request “without undue delay”, and at the latest within one month after receipt of the request. If a DSAR contains very complex or numerous requests, this period can be extended to two months. In this case, you still have to respond within the one-month period and explain the necessity for the extension to the data subject.

In your answer, you have to provide the data subject with all the information that has been requested, including a copy of the data subject’s personal data that you process. In particular, data subjects can request the following:

  • A confirmation that you process their personal data;
  • Access to the personal data you have on them;
  • Your lawful basis for the processing;
  • Information on the purposes of the processing;
  • Information on the categories of personal data involved;
  • The envisaged time period for which you will store their data or according to which criteria you determine that period (e.g. as long as they are a service user);
  • Relevant information on how and from which source you obtained the data;
  • Relevant information on automated decision-making and profiling, including information on the involved logic;
  • The names or categories of third parties to whom you disclose their data.

It is important to react to the request as soon as possible and to provide the data subject with all the requested information in order to avoid fines and reputational damage. Non-compliance with the GDPR can result in fines of up to 4 % of your annual global turnover or EUR 20 million, whichever is higher.

Who can submit a DSAR?

You may receive a DSAR from anyone. If you do not process any data of the requester, you still need to send an answer. Typically, requests come from website users or customers, but they can also come from employees, job candidates, contractors etc. Moreover, a DSAR can be submitted on behalf of the data subject. This can be the case if the data subject is still a child, if a court has appointed a person to look after the data subject’s affairs, or if data is requested on behalf of a client or employer or even a friend or relative (provided that the requester has been instructed to file a DSAR by the data subject). Before replying to such a request, you have to make sure that the requesting individual is genuinely requesting the information on behalf of the data subject.

Data subjects or their representatives do not need a reason to submit a DSAR. They can request to see their data at any time and you have to provide the information free of charge.

How to handle a DSAR?

There are a number of steps you may want to follow in order to handle a DSAR and to respond in compliance with the GDPR.

  1. Verification whether you are the data controller: First, you should verify whether you are the controller of the requested data. If you are acting as a data processor on behalf of a controller, inform the data subjects and refer them to the data controller. Remember that you are contractually required to assist the controller in responding to DSARs they receive.
  2. Verification of the data subject’s identity: Before you send out any data, you need to identify the data subject. This ensures that you only distribute data to the actual data subject (or a representative).
  3. Identify what is requested: In this step, you assess which right the data subject wants to exercise and how you should respond to it. You need to determine whether the data subject only requests access to their data or if they also invoke other privacy rights, like correction of their data. While assessing this, you should also determine whether you are able to respond without undue delay. If you need more than one month, you have to explain this to the data subject.
  4. Check the data for personal information of other data subjects: In the next step, you should carefully review the data to make sure that no personal data of other data subjects is included. If another person’s data is sent to the requester, you may cause a data breach.
  5. Collect and compile the data: The data subject’s information should be collected and provided in an electronic file, unless otherwise requested. The file type should be common and easily accessible. If possible, you should give data subjects access to a secure system (e.g. end-to-end encrypted) through which they can directly access their personal data.
  6. Send the data to the data subject or the representative: Ultimately, the response, including the requested data, has to be submitted to the data subject (or the representative). You should document your DSAR communications to be able to demonstrate compliance with the accountability principle in Art. 5 GDPR.


