Home » Blog » Data Privacy » What is a Data Subject Access Request (DSAR)? [Explained]

What is a Data Subject Access Request (DSAR)? [Explained]

Kiron Mullick ~ Modified: October 18th, 2023 ~ Data Privacy ~ 8 Minutes Reading

Data privacy is a fundamental right that protects the personal information of individuals from unauthorized access, use, and disclosure. Data privacy laws, such as the General Data Protection Regulation (GDPR) in the European Union, and the California Consumer Privacy Act (CCPA) in the United States, grant individuals various rights to control their personal data and hold organizations accountable for how they handle it.

One of the most common and important rights that individuals have under data privacy laws is the right of access, also known as the Data Subject Access Request (DSAR). A DSAR is a request addressed to an organization that gives individuals the right to access information about the personal data that the organization is processing about them and to verify the lawfulness of the processing. A DSAR can also include other rights, such as the right to delete, correct, or port personal data, depending on the law.

 Why does DSAR matter?

 DSARs, or Data Subject Access Requests, matter because they give individuals control over their personal data. Under data protection laws, individuals have the right to access the personal data that organizations hold about them, and to have that data corrected or deleted if it is inaccurate or incomplete.

Here are some specific examples of why DSARs matter:

  1. An individual may want to request a DSAR to check if an organization has been collecting their personal data without their knowledge or consent.
  2. An individual may want to request a DSAR to correct inaccurate or incomplete personal data that an organization has about them.
  3. An individual may want to request a Data Subject Access Request to delete their personal data from an organization’s records if they no longer want the organization to have it.
  4. An individual may want to request a DSAR to object to an organization’s use of their personal data for certain purposes, such as marketing.
  5. An individual may want to request a DSAR to port their personal data to another organization.

DSARs can also help to protect individuals’ privacy and security. By giving individuals the right to access their personal data, Data Subject Access Requests can help prevent organizations from misusing or mishandling personal data. Additionally, DSARs can help to identify and address data breaches, as individuals can use them to request information about the personal data that has been compromised.

How to Request for a Data Subject Access Request?

 To make a DSAR, an individual must identify themselves to the data controller and provide enough information to allow the data controller to identify their data. The DSAR must also specify the information that the individual wants to access. The data controller must respond to the DSAR within one month of receipt, or within three months if the request is complex.

The data controller may refuse to comply with a DSAR in certain circumstances, such as if the request is manifestly unfounded or excessive, or if it would disclose information that could harm the privacy of others. However, the data controller must still explain its reasons for refusing to comply.

Here are some information that an individual can request under a Data Subject Access Request:

  1. The categories of personal data that the data controller has collected about them.
  2. The specific pieces of personal data that the data controller has collected about them.
  3. The purposes for which the data controller has collected and processed their personal data.
  4. The recipients to whom the data controller has disclosed their personal data.
  5. The period for which the data controller will retain their personal data.
  6. The right to request that the data controller correct or delete their personal data.
  7. The right to object to the processing of their personal data.
  8. The right to withdraw consent to the processing of their personal data.

DSARs are an important tool for individuals to protect their privacy. By making a Data Subject Access Request, individuals can learn more about how their personal data is being collected and used, and they can take steps to ensure that their data is being handled in a way that is consistent with their rights.

data subject access request

 Steps on How to Respond to a DSAR:

  1. Acknowledging the request: Upon receipt of the request, the organization should send an acknowledgment email to the requester within 7 days, confirming that the request has been received. This communication should also include pertinent details such as the name of the data controller, contact information for the responsible party overseeing the request, the designated deadline for response, and a clear outline of the information that will be provided in accordance with legal requirements.
  1. Validating the request: To be deemed valid, a Data Subject Access Request must be submitted by the data subject in writing and should explicitly state the information sought. If the request does not meet these criteria, the organization must inform the requester of the specific reasons for its invalidation and afford them the opportunity to submit a revised request.
  1. Compiling the requested information: Once the validity of the request is established, the organization should initiate the process of gathering the specified information. This may involve thorough searches of records, communication with relevant third parties, and the careful redaction of any data that does not fall within the scope of disclosure.
  1. Providing the requested information: Data Subject Access Request is imperative to furnish the requested information within the timeframe specified in the acknowledgment email. The data should be presented in a format that is easily comprehensible to the data subject. In instances where the information is extensive or intricate, the organization may opt to disseminate it in stages.
  1. Fee considerations: While the organization has the option to levy a reasonable fee to cover the expenses incurred in providing the requested information, it is important to note that such charges are not applicable when the request is made by a data subject exercising their rights under the law.
  1. Explaining refusals: In cases where the organization is unable to fulfill the entire request or a portion thereof, it is incumbent upon them to communicate the reasons for refusal in writing to the data subject. Additionally, the data subject should be informed of their right to lodge a complaint with the pertinent data protection authority.
Also Read: What is Privacy Impact Assessment in detail?

Challenges in Conducting Data Subject Access Request:

  • Identifying and locating the personal data: The data controller may hold personal data about the data subject in a variety of different systems and formats. It can be time-consuming and challenging to identify and locate all of the relevant data.
  • Determining the scope of the request: The data subject may not be clear about what personal data they are requesting. The data controller may need to clarify the scope of the request in order to conduct an effective search.
  • Processing the request within the legal timeframe: Data controllers are required to respond to DSARs within one month. This can be a challenge, particularly if the request is complex or the data controller is dealing with a large volume of requests.
  • Deciding whether to withhold or redact any data: There are a number of reasons why data controllers may need to withhold or redact some of the data requested by the data subject. For example, the data may be confidential, or it may be necessary to protect the rights of others.
  • Communicating with the data subject: The data controller must keep the data subject informed about the progress of their request and any decisions that are made. This can be challenging, particularly if the data controller is dealing with a large volume of requests.

In addition to these challenges, data controllers may also face challenges related to:

  • Lack of resources: Conducting a Data Subject Access Request can be a resource-intensive process, particularly if the request is complex or the data controller is dealing with a large volume of requests.
  • Lack of expertise: Data controllers may not have the expertise or resources to conduct a DSAR effectively.
  • Malicious DSARs: There has been an increase in malicious DSARs, which are designed to disrupt or harm the data controller.

 Overall, DSARs are an important tool for individuals to exercise their rights over their personal data. By understanding their rights and how to exercise them, individuals can help to protect their privacy and security.

  1.  DSARs are a right under data protection laws, but not all organizations are subject to these laws.
  2.  Data Subject Access Requests must be made in writing and must be addressed to the organization that holds the personal data.
  3.  Organizations must respond to DSARs within a reasonable time frame, typically 30 days.
  4.  Organizations may charge a reasonable fee for processing a DSAR, but only if the request is manifestly unfounded or excessive.
  5.  Organizations may refuse to comply with a DSAR if it is too broad or burdensome, but they must explain their reasons for doing so.

By understanding the purpose of Data Subject Access Request and the legal requirements that apply, individuals can make informed decisions about how to use this tool to protect their privacy and security.