If you're wondering "What is a DSAR?", you've come to the right place.
The General Data Protection Regulation (GDPR) established key rights for individuals regarding their personal data. One of the most important rights is the ability to make a Data Subject Access Request (DSAR) to obtain copies of personal data from controllers. This article provides an in-depth look at DSARs under GDPR including the process, requirements, and best practices for compliance.
In this article, we've broken down the topic of DSARs into ten sections:
- What is a DSAR?
- Data subject rights to access personal data
- Process for submitting a DSAR
- What information is provided for a DSAR
- Reasons to make a DSAR
- Who is responsible for complying with DSARs
- Timeframe to respond to a DSAR
- Format for providing data for a DSAR
- Exceptions for not providing data for a DSAR
- Penalties for non-compliance with DSARs
I. What is a DSAR?
DSAR, or data subject access request, is a request made by a data subject for the personal data that a controller holds about them. DSARs allow individuals to ask organizations for copies of their personal data under the General Data Protection Regulation (GDPR). DSAR is often used interchangeably with data subject requests (DSR).
Under the GDPR, data subjects have the right to:
- Know what personal data is being processed
- Access their personal data
- Verify the lawfulness of the processing
A valid DSAR must be made in writing (email is acceptable) and include:
- Name and contact information of data subject
- Details to help verify their identity
- Specification of the personal data being requested
The GDPR requirements for responding to DSARs include:
Controllers must provide the data in a commonly used electronic format. They should focus on making the data easy to access and understand.
DSARs can apply to many types of personal data including:
|Type of Organization||Examples|
|Companies||Retailers, technology firms, banks|
|Government agencies||Tax authority, law enforcement|
|Healthcare providers||Hospitals, insurance companies, GP|
|Educational institutions||Schools, colleges, universities|
DSARs are a key right of data subjects under GDPR to understand what personal data is held about them by controllers and how it is used.
II. Data subject rights to access personal data
The GDPR provides specific rights to data subjects regarding their personal data. The key right related to DSARs is the right to access and receive a copy of the personal data that a controller has about the data subject.
This right allows data subjects to understand what personal data is held, why it is processed, who it is shared with, where it originated from, and more. Under Article 15 of the GDPR, the data subject has the right to obtain the following from the controller:
- Confirmation that their personal data is being processed
- Access to their personal data
- Purposes of the processing
- Categories of personal data concerned
- Recipients or categories of recipients the data has been disclosed to
- How long the data will be stored or criteria used to determine retention
- Info about other rights including correction, erasure, restriction of processing
- Right to lodge a complaint with the supervisory authority
- Info about sources of data if not collected directly from data subject
- Automated decision making, profiling, and related logic
The controller must provide this info in a commonly used electronic form such as email. They cannot refuse to act on data subject requests or charge a fee unless the requests are manifestly unfounded, excessive, or repetitive.
Data subjects have the right to access both automated and manual processed personal data held in systems like:
- CRM databases
- Email servers
- Backup systems
- Document management systems
- HR databases
- Marketing databases
|Identity Data||Name, address, phone number, email address, IP address, identifiers|
|Financial Data||Bank account details, payment card details, income, purchases|
|Tracking Data||Website history, location data, online identifiers|
|Technical Data||Device information, connection data, software use|
|Profiling Data||Inferences drawn from data to analyze or predict aspects like performance at work, economic situation, etc|
Controllers must provide the info in a commonly used electronic form. They should focus on making the data provided easy to access and understand for the data subject.
Overall, DSARs empower data subjects with transparency into how their personal data is used. Controllers are obligated to provide the detailed info listed above when a valid DSAR is made under the GDPR.
III. Process for submitting a DSAR
When a data subject wants to exercise their right to access their personal data from a controller, they need to submit a valid DSAR. Here is an overview of the key steps in the DSAR process:
Identify the controller(s) that processes your personal data. This could be a company, government agency, healthcare provider, etc. You can submit a DSAR to any controller.
Make the request in writing via email or postal mail. Include your name, contact details, and requested info. Provide details to verify your identity.
The controller will confirm receipt of the DSAR and may ask for more details to verify your identity before disclosing personal data.
Verify your identity. The controller must confirm your identity before sending your personal data. They may ask for info like passport, driver's license, address, date of birth, etc.
The controller searches databases and systems that hold personal data to find all data related to the data subject. This includes structured databases as well as emails and documents.
The controller reviews, redacts, and prepares the personal data for disclosure to make sure it doesn't reveal information about other data subjects.
The controller provides the personal data to the data subject electronically in a commonly used format like PDF within 30 days.
If there is a backlog of DSARs, the controller can extend the response timeframe by two additional months but must inform the data subject within one month and provide reasons.
If the controller cannot provide certain personal data, they must inform the data subject and explain the reasons why (such as exemptions).
If the data subject is not satisfied with the controller's response, they can complain to the supervisory authority. This allows the appropriate oversight body to review compliance with DSAR obligations.
When handled properly, DSARs allow data subjects to receive their personal information in a timely manner. The GDPR sets requirements for controllers to make the process smooth and accessible for individuals exercising their privacy rights.
IV. What information is provided for a DSAR
When a controller receives a valid DSAR, they must provide the data subject with their personal data in a concise, transparent, and easily accessible way. Here are key types of information that should be provided:
Categories of personal data collected and processed including names, addresses, dates of birth, location data, online identifiers, etc.
Purposes for processing the personal data, such as provision of goods and services, recruitment, marketing, security, etc.
Any recipients or categories of recipients the personal data has been disclosed to, such as vendors, advertising partners, or third party apps.
Details on where the controller sourced the personal data if it wasn't collected directly from the data subject.
Time periods that the personal data will be stored or criteria used to determine retention periods.
Confirmation that the controller uses automated decision making, profiling, or targeting related to the personal data and how those techniques work.
Other supplementary information that would help explain how and why the controller processes the data subject's personal data.
The key is that the controller should provide full visibility into how they use the individual's information beyond just providing copies of the raw data. Details must include:
- Who has access
- Why it is processed
- What it is used for
- How decisions are made using it
|Contact data||Where it's stored, sources, sharing, retention policy|
|Financial info||Processing purposes, who it's shared with, security controls, retention|
|Health records||Sources, retention policy, details of automated decision systems using the data|
|Social media posts||Sources, how it relates to targeting/profiling, analysis performed, who has access|
The GDPR requires transparency around sharing, security, and retention. The controller should explain the protection, risk mitigation, governance, and accountability measures related to the personal data.
Overall, the DSAR response should provide a full picture of what personal data the controller has, why they have it, what they do with it, and who has access. This allows the data subject to understand their digital footprint.
V. Reasons to make a DSAR
There are many valid reasons why a data subject may want to exercise their right to make a DSAR to a controller. Here are some of the key motivators:
Gain transparency into what personal data a controller holds, why they have it, how they use it, and who they disclose it to. This insight helps data subjects understand their digital footprint.
Verify data accuracy. Reviewing provided data can help individuals identify any mistakes in their personal data so they can request corrections to ensure it is accurate and up to date.
Check compliance. DSARs allow data subjects to validate that a controller is processing their personal data in a legal, ethical, and compliant manner according to regulations.
Close account or object to processing. After reviewing their personal data, the data subject may wish to deactivate accounts, object to types of processing, or request erasure of data.
Detect fraud or misuse. Checking personal data can uncover suspicious activity or potential misuse of information that requires investigation and remediation.
Monitor data sharing. The DSAR response provides visibility into who personal data is shared with which may reveal unexpected or unauthorized disclosures.
Recover lost data. In some cases, users may have lost access to their personal data held by a service and can recover it via a DSAR.
Migration to new service. Obtaining personal data via a DSAR can make it easier to migrate accounts and data to another service or provider.
|Online platform use||Identify how data is tracked, shared, or monetized|
|Data breach incident||Understand impact of breach on your personal data|
|Leaving a service||Retrieve data to close account or switch platforms|
|Suspicious activity||Check for misuse or compromised account/data|
Overall, DSARs empower data subjects with information, choice, and control over their digital footprint. Organizations should make DSARs accessible and easy to exercise without placing unnecessary burdens on the data subject. The proper use of DSARs builds trust and accountability.
VI. Who is responsible for complying with DSARs
Under the GDPR, the controller is the entity that is responsible for meeting DSAR requirements and providing the personal data to the data subject.
The controller is the person or organization that controls and is responsible for the processing of personal data. Key obligations include:
- Verifying the identity of the data subject making the DSAR
- Locating all relevant personal data across databases and systems
- Assessing what data can be provided and any redactions needed
- Preparing the response and transmitting the personal data
Even if the controller has third party processors or vendors that handle the personal data, the controller remains ultimately accountable for the DSAR response.
Some guidelines on identifying the responsible controller:
- For online services, the website owner or service provider is the controller
- For employment records, the employer is the controller
- For medical records, the healthcare provider is the controller
- For financial records, the bank or lender is the controller
- For retail transactions, the business is the controller
If a processor handles the DSAR instead of the controller, they must meet the 30 day timeframe for response. The GDPR does not allow contracted processing agreements to interfere with a data subject's access rights.
|Type of Controller||Responsibilities|
|Retail company||Provide transaction data, purchase history, website/app usage|
|University||Provide student records, course enrollment, campus usage data|
|Hospital||Provide patient treatment records, lab tests, medical images|
|Smartphone manufacturer||Provide device data, usage statistics, location history|
|Advertising network||Provide ad targeting data, clickstream data, analytics on conversions|
Any controllers and processors that handle the personal data must assist in preparing the DSAR response, even if they are not the main point of contact. All organizations in the data processing chain need to comply.
Overall, the controller is legally obligated to provide data subjects access to personal data when a valid DSAR is made. They cannot avoid responsibility by contracting it out to a third party.
VII. Timeframe to respond to a DSAR
Under the GDPR, the controller must respond to a DSAR without undue delay and within one month of receiving the request. The timeframe for response is:
- 30 calendar days from the date the controller receives the DSAR
- This can be extended by two additional months if complex or multiple requests are made
- The controller must inform the data subject within one month if an extension is needed
The 30 day response window ensures timely access within a reasonable period.
Steps the controller can take within the initial 30 day timeframe:
- Validate the DSAR is sufficient and identity is verified
- Search all relevant systems and databases for the personal data
- Assess what data can be provided and prepare response
- Provide the personal data in a commonly used electronic format
Exceptions where the controller can extend the response time:
- Large quantities of diverse personal data are requested
- Multiple DSARs have been made by the data subject
Even with an extension, the personal data must be provided within 3 months total from the initial DSAR date.
If the controller needs clarification on what personal data is being requested, they can initiate a dialogue with the data subject within the first month. This pause does not extend the 30 day timeframe.
|DSAR for past 6 months of account data||30 days|
|DSAR for all account data ever collected||Can extend up to 90 days total|
|DSAR for data from 5 different systems||Can extend up to 90 days total|
If the controller fails to meet the response deadline, they are violating GDPR and data subjects can file a complaint with the supervisory authority.
In summary, the 30 day DSAR response timeframe ensures data subjects can access their personal data in a timely manner. Extensions for complex requests should still result in delivery within 3 months total to respect individual rights.
VIII. Format for providing data for a DSAR
When responding to a DSAR, the GDPR requires the controller to provide the personal data in a commonly used electronic format. The main guidelines include:
- Use a structured, commonly used format like CSV, JSON, XML, etc. Avoid proprietary formats.
- Ensure the file is machine readable and structured for easy analysis
- Provide metadata descriptions for columns and data fields
- Use standard encoding like UTF-8 and provide data dictionary
- Encrypt sensitive data like financial info or healthcare data
- Format data exports per system rather than combined files
Recommended practices for controller to optimize DSAR response format:
- Consult with data subject on preferred file formats if possible
- Use secure online portal for delivery instead of email attachments
- Separate exempt data from disclosed data into different files
- Label all files appropriately for easy identification
- Provide an index file listing contents of all data exports
When assessing format, consider data subject's ability to:
- Access - easily open and read the files
- Comprehend - understand what each data field means
- Interpret - make sense of the personal data provided
Table view of common file formats, pros and cons:
|CSV||.csv||Simple, compact||No relationships between tables|
|JSON||.json||Good for web APIs||Verbose|
|XML||.xml||Flexible structure||Verbose, hard to parse manually|
|XLSX||.xslx||Familiar for most users||Not as portable across platforms|
The controller should ensure filenames, headers, and documentation enable clear understanding. The aim should be usability and transparency versus just delivering raw files.
When formatting the response, the controller needs to consult the preferences and capabilities of the specific data subject. There are many acceptable options, as long as the personal data is provided in an accessible electronic format.
IX. Exceptions for not providing data for a DSAR
While the GDPR establishes a data subject's general right to obtain a copy of their personal data through a DSAR, there are certain exceptions where the controller can refuse to provide all or some of the requested data.
The main exceptions include:
Even when exempting certain data, the controller should still provide as much of the requested personal data as possible.
Examples where exemptions may apply:
- Redacting data about other individuals
- Withholding trade secrets like source code or recipes
- Not providing information subject to legal professional privilege
- Following laws that prohibit providing certain classified data
If the controller refuses to provide data, they must explain their reasoning and inform the data subject of their right to complain to the supervisory authority.
|Exception||When it might apply|
|Rights of others||Withholding third party data or minors' data that requires parental consent|
|Legal privilege||Excluding attorney-client communications|
|IP protection||Withholding trade secrets or patented information|
|Legal obligations||Blocked from providing data by security laws|
Controllers should narrowly interpret and apply exceptions based on the specifics of each DSAR. They need to assess exemptions in good faith without overreaching just to avoid disclosing data.
The data subject must be provided clear explanations if any personal data is redacted or withheld when responding to their DSAR. They need transparency into exemptions claimed by the controller.
Overall, exceptions should be limited and well justified. Controllers must take care not to abuse exemptions to withhold more data than is necessary under the specific DSAR circumstances.
Here is a 500 word section on penalties for non-compliance with DSARs using markdown formatting and LSI keywords:
X. Penalties for non-compliance with DSARs
Under the GDPR, there are significant penalties that can be imposed on controllers and processors for not complying properly with DSARs. This motivates response accountability.
The two tiers of administrative fines under the GDPR are:
- Up to €10 million or 2% of annual global turnover for less severe violations
- Up to €20 million or 4% of annual global turnover for more severe violations
Examples of violations related to DSAR non-compliance:
- Failing to respond to a DSAR within the 30 day timeframe
- Charging excessive fees for responding to DSARs
- Failing to verify the data subject's identity
- Withholding or destroying requested personal data
- Providing incomplete, inaccessible, or unusable data
Other consequences like reputational damage, lawsuits, injunctions, and criminal liability may also stem from DSAR non-compliance.
|Violation Severity||Potential Fines|
|Minor||Failure to meet 30 day response time, unreasonable fees, not verifying identity properly|
|Major||Destruction of requested data, incomplete or unreadable responses, repeated DSAR failures|
Any data subjects who believe a controller improperly handled their DSAR can lodge a complaint with the supervisory authority for investigation.
If found non-compliant, the supervisory authority will decide on a fine amount based on factors like intent, negligence, transparency, accountability, previous issues, cooperation with authorities, etc.
Process if a DSAR complaint is filed with the supervisory authority:
- Complaint filed and case opened
- Investigation into controller's DSAR practices
- Assessment of compliance with obligations
- Determination of any penalties like fines
- Ongoing monitoring and remediation
Fines and sanctions act as an incentive for controllers to prioritize DSAR compliance. Proper DSAR handling demonstrates accountability and helps mitigate potential enforcement actions.
DSARs are a critical data subject right that provide individuals transparency and control over their personal data. Organizations must have proper procedures and tools in place to handle DSARs efficiently and comply with GDPR obligations. Using GDPR management software like ComplyDog can streamline the DSAR fulfillment process and reduce the risk of penalties. With the right solutions, companies can respond to access requests in a timely manner while also gaining insights into their data processing activities. Handling DSARs properly demonstrates accountability and trustworthiness.
With ComplyDog, take the complexity out of handling and fulfilling requests with an automated data subject request mechanism that works out-of-the-box. Easily manage and fulfill requests from an admin dashboard. We offer a 14-day free trial, no credit card required. Sign up today.