One of the most notable features of the General Data Protection Regulation (GDPR) is its creation of enforceable privacy rights for individuals. Chief among these rights is the Right to Access. This gives individuals the right to contact an organization to ask it to confirm whether it is processing personal data about them and, if so, provide them with access to that data. Such a request is called a Data Subject Access Request (DSAR), or sometimes just a Subject Access Request (SAR).
Before delving into how DSARs work, it will be helpful to go over some basic GDPR terminology:
The first step in responding to a DSAR is to check whether your organization actually processes any personal data about the person making the request. If not, you must respond and tell them so. If you do process personal data about them, you’ll need to provide the requester with a copy of all the personal data you have. This includes personal data that is held by your processors.
Along with a copy of the personal data, you must provide the requester with the following information:
In most cases, the above information will be the same for all requesters and need not be personalized.
There are two more things to keep in mind when responding to a DSAR. First, the controller must verify the requester’s identity in order to protect their personal data. Most commonly this is done through an email confirmation, but if the personal data is particularly sensitive or the controller has reasonable doubts about the requester’s identity, it may be appropriate to require further proof of identity. Second, the controller has one calendar month to respond to the request. This may be extended by two further months when necessary, but the controller must tell the requester of this extension within the first month and explain why it needs more time.
As a general rule, it is solely the controller’s responsibility to respond to a DSAR, while the processor has an obligation to assist the controller by providing any relevant data. If a data subject makes an access request directly to a processor, the processor at a minimum must inform the requester that it cannot respond to the DSAR and direct them to the controller. However, there may be cases where, depending on the contractual arrangements between controller and processor, the processor is obligated to respond in other ways, including responding directly to the request.
It is often the case that a requester’s personal data is scattered across numerous vendors and consists primarily of contact information that is likely of little interest to the requester. It is permissible to contact a requester and ask them if there is any particular personal data they are looking for. If the requester confirms that they are only seeking a specific set of personal data (e.g., a history of their purchases), the controller may narrow its search and provide only that information. It’s important to remember, however, that the requester has the right to access all of their personal data. If they don’t respond to the query or they indicate they would like a copy of everything, the controller must provide the full set of personal data.
GDPR compliance can’t be accomplished by simply posting a privacy notice and forgetting about it—it requires an ongoing effort to stay up-to-date and respond to privacy requests such as DSARs. For larger organizations, this means either hiring full-time privacy personnel or retaining a specialist law firm, but these options may not be practical or even possible for small and medium-sized businesses.
TrueVault Polaris gives SMBs the advantage of in-house expertise without the expense. Not only does Polaris guide you step-by-step through the process of becoming GDPR compliant, it includes important tools like automated workflows for DSARs to help your business stay compliant with minimal effort. Contact us today to learn more.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal advice. This content is not a substitute for obtaining legal advice from a licensed attorney. The information on this page may be changed without notice and is not guaranteed to be complete, correct or up-to-date, and may not reflect the most current legal developments.