January 24, 2022

What is a Data Subject Access Request (DSAR)?

An individual can make a Data Subject Access Request (DSAR) to find out which info a company holds on them. Try a demo for free with Secure Privacy.

Data subject access request is the request that your user submits to get access to their own personal data in your records.

If you collect and process users’ personal data, then you are the controller of their data. You have it in some of your records but that data belongs to your users. It is not yours.

That’s why they have data subject rights. One of those rights is the right to access their personal information. They can exercise that right, i.e. access the data by submitting a data subject access request to you.

In your response to the DSAR, you need to provide them with access to their data.

What is a data subject?

The data subject is the user from whom you have collected personal data and/or processed it. Every internet user and every offline user can be a data subject as long as you collect some personal data from them.

If you have a website that does not collect any personal information, then your website visitors are not your data subjects. The moment you collect at least one piece of information that could identify them, they become your data subjects and you owe them all the data subject rights included with the applicable data protection law.

What does the right to access mean?

The right to access grants your user the right to get access to their personal data in your records.

The GDPR, CCPA, LGPD, and other data privacy laws require businesses to be transparent to the users about their personal data. In practice, this means that you need to let your users know what you know about them.

Every internet user from whom you have collected personal data has the right to access the data you have in your records about them.

Who can submit a DSAR?

Anyone can submit a DSAR. This includes both your data subjects and internet users who have nothing to do with your business.

Your data subjects can submit a request at any time and you have to provide them with access to their personal information. An authorized agent can submit the request on their behalf in accordance with the law.

A person whose personal data you do not process can submit a DSAR as well. They can submit it, but you’ll have nothing to give them access to.

Is there any prescribed form for the DSAR?

No, there is no data protection law that prescribes the request form.

Data protection laws aim to empower internet users to protect their online privacy rights, therefore they do not impose barriers such as specific request forms. This means that whatever form you receive a DSAR, you need to respond. You cannot refuse a DSAR due to the form it has been submitted.

What to do when I receive a DSAR?

Data protection laws do not prescribe a specific procedure for responding to DSARs. They oblige you just to respond within the timeframe specified in the law and to make sure that you provide access to personal data to the right person.

Having that in mind, you can handle a DSAR easily by following these steps:

  1. Verify the identity of the data subject. You are about to provide access to someone’s personal data, so you need to ensure that you present the information to the right person.
  2. Clarify the request. Make sure that you have received a DSAR. Data subjects can also submit requests to know, to be forgotten, for data transfer, or another type of request, so first you need to clarify what the request is about. If you need further clarifications from the data subject, reach out to them and ask questions.
  3. Check out if the data of the requester is processed at all. If the result is negative, you’ll inform them that you have not processed any of their data. If the result is positive, proceed to the next step.
  4. Inspect, collect, and package the data. Make sure that it is in a format that is easily accessible and readable for the user. 
  5. Provide the data subject with access to their personal data. It is best to provide the user with direct and/or remote access to their personal data, but if that’s not possible in your case or for the specific categories of personal data, then send a copy of the data to the requester.

In addition, you can inform the data subject on other data subject rights in relation to the right to access, such as the right to correct data, transfer data, object to the processing, and so on. This is not obligatory, but it can help in building trust.

How to respond to a GDPR DSAR or to a CCPA DSAR?

GDPR DSARs and CCPA DSARs require the steps described in the answer to the previous question about what to do when you receive one.

The differences between the two is that:

  • CCPA has prescribed verification methods for password-protected account holders and non-account holders, and GDPR has not, and
  • Under the GDPR you have to receive the request no matter the method of submission, while under the CCPA you can put it on hold and guide the user on how to submit it properly.

What to include in a DSAR response?

In general, you’ll need to let your user know about:

  • Whether you process their data or not
  • The categories of personal data about them that you control
  • The purposes of processing
  • How you collect the data
  • With whom you share their personal data

The data subject may request only a portion of this information. 

If they specify in the request what exactly they want to get access to, then provide them access only to such information. For example, if they request access to the categories of personal data you process, that’s all you are required to provide access to.

It is a best practice to provide the data subject with remote access to your records or to a portal where they can easily access their data, as Facebook has done.

If the resources do not allow that, provide the data subject with a copy of the data in a readable and easily accessible format.

How to verify the identity of the data subject?

Most data protection laws do not prescribe a method to verify the identity of the requester. The method of choice is left to you.

You should do what is reasonably possible to verify the identity of the data subject. You can opt for methods such as two-step verification of the email address used for the user account, confirm the identity by sending a code to the phone number you have collected from the data subject previously, require them to log into the membership portal if you have one, and so on. The best identity verification method depends on the methods you use to collect personal data.

The only law that prescribes a way to verify the requester’s identity so far is the CCPA. If you receive a CCPA DSAR, there are separate processes for password-protected accounts and non-account holders that you need to take into regard.

How can data subjects submit DSARs?

It is up to you to decide on the methods the users could submit their DSARs to you.

You can provide them with a DSAR portal, a dedicated email address, a toll-free phone number, or just your email address for general inquiries.

Also, do not forget to include the methods for submitting requests in your privacy policy. It is required by whatever law you need to comply with.

Can I refuse to respond to a DSAR?

You can refuse to respond to a DSAR in some cases, but that’s an exception to the rule.

In general, you should respond to all DSARs. You can refuse them only in the following cases:

  • You cannot identify the requester in a reasonable way, or
  • The request is unfounded and/or excessive.

In the case of refusing a DSAR, inform the data subject about the reasons why and the option to complain about the refusal.

How soon do I have to respond to a DSAR request?

Every data protection law prescribes a deadline for responding to a DSAR.

GDPR allows 30 days for a response. LGPD has no specific deadline and requires a response as quickly as reasonably possible.

CCPA, on the other hand, requires you to acknowledge the receipt within 10 days of receiving the DSAR and then responding to it within 45 days of the receipt.

The deadline depends on the laws that apply to your relationship with the user. If two laws apply at the same time, comply with the shortest deadline.

What happens if I don’t respond to a DSAR request?

Responding to a DSAR is your duty under the data protection laws, therefore not responding to one or not responding within the deadline is a violation of the law.

Violations of the law lead to penalties. GDPR prescribes fines of up to 4% of the annual turnover or 20 Million EUR, whichever is bigger. LGPD prescribes fines of up to 2% of the annual turnover or 50 Million Reales, whichever is bigger. CCPA prescribes a fine of $7500 per consumer whose rights have been violated.

Fines for failing to respond to a DSAR properly would usually not incur the maximum penalty, but if you do it consistently with many users or on a large scale, then you can expect the fines to be higher.

Who should respond to a DSAR?

In general, data protection laws require the data controller to respond to the DSAR, but it doesn’t matter who actually responds. It could be anyone from the company. If you are a solo entrepreneur, it would be you. If you are a big company and you have a Data Protection Officer then it could be that person.

However, if the resources allow it, it is better to have a designated person to respond to DSARs. 

Can I charge a fee for a DSAR response?

DSAR responses should be free of charge.

The only exception is when you respond to an excessive DSAR that incurs high costs for you to respond. Keep in mind however, that this is an exception to the rule that the response should be free of charge for the data subject.

What’s the hardest part of responding to a DSAR?

It seems simple and easy to respond to a DSAR, but many businesses are not ready to respond to these requests quickly because they cannot find the required data easily.

A user submits a DSAR and they have to figure out how to find the data of that user and provide access to it. Responding to a DSAR requires a good understanding of what data you collect and process, where you store it, how you process it, and for what purposes. Deadlines provide you with enough time to gather the necessary information and respond but you have to be prepared in advance and, if necessary, have some DSAR policies in place.

How to comply with the GDPR, CCPA, and LGPD DSAR requirements with Secure Privacy?

Secure Privacy DSAR portal helps you receive DSARs and manage the process of responding to the request.

Only one failure to respond to a DSAR properly leads to a violation of the laws and possibly a fine. You need to prepare yourself for responding to DSARs long before you receive the first one.

Secure Privacy dashboard

Want to try
Secure Privacy?

Get your free cookie banner up and running today!