What is a data subject access request?

By Justin Gold/ Published on March 7, 2019

A Data Subject Access Request (DSAR) refers to a petition by a data subject (an identifiable individual about whom personal data is held) to a data controller (e.g., an organization/institution which sets personal data processing standards) regarding their personal data. A data subject may request access to their personal data record, edits or corrections to their personal data record, or request that their some or all of their personal data record with the company be deleted. The organization receiving this request, whether it is a data controller or a data processor, is expected to oblige this request within 30 days unless an exemption is made.

Real World Examples

Through a DSAR, an individual has the right to receive confirmation that your company is or is not collecting his/her data, insight into how the data is being used, and the ability to request erasure, correction, or deletion of data collected. If your company is collecting his/her personal data, that company has an obligation to grant a data subject access to their personal data. Below are two examples that highlight when a data subject might invoke their right to access, amendment, or deletion of their personal data under GDPR.

Example 1
Amy is moving from her city flat into a bigger home in the countryside, so she needs to update her billing address for her monthly book club shipment. Amy can request that the company that manages her book club membership change her personal data record (Article 16 of GDPR) from her old address to her new address in every instance on her personal data record. The book club company has 30 days to complete this request under GDPR, which is incidentally the time frame of Anna’s monthly book club membership.

Example 2
Jonas has been a loyal customer of ACME Running’s custom running shoes for years. Until recently, when his running partner finally convinced him to try a new brand of running shoes, and now he’s hooked. He wants to erase his personal data record from ACME Running shoes, and calls to request that his personal data record (which includes identifiable information, his running shoe purchase history, shipping information and more) be deleted (Article 17 of GDPR). ACME Running has exactly one month to honor Jonas’ request that all his personal data be removed from their system.

DSARs are fundamental to GDPR compliance. Learn more about DSARs, record keeping and the other core components of the Regulation with our GDPR Guide. 

Download the GDPR Checklist


Latest Posts

Should Utah's Privacy Law Be on Your Radar?

A Cookie Banner Isn't Enough for CCPA Compliance

Why CCPA Compliance Matters to HR

Mailing List