GDPR: What the Regulation says about Data Subject Access Requests (DSARs)
Under GDPR, the data subject has rights over how their personal data is processed and stored by organizations. The following explanations are adapted from The Complete GDPR Guide.
Article 15: Data Subject’s Right to Access
Article 15 states that a data subject has the right to request information about whether your company is storing their personal data, and your company is obligated to respond. If you are storing their data, the data subject is entitled to request and receive a copy of the data you hold related to their data subject profile, as well the following information:
- The purpose(s) of the processing.
- The categories of personal data held.
- Who else (if anyone) the data will be transferred to.
- If you plan to transfer the data to a non-EU country or an international organization, you must also include the grounds relied upon to justify this transfer.
- The period for which the data will be stored (or how this period will be determined).
- The data subject’s rights to have their data rectified, erased or transferred, or restrict or object to processing.
- The data subject’s right to complain about processing to a supervisory authority.
- The source of the data (where it was not received from the data subject).
- Whether the data will be used for any automated processing (including profiling) and if so, the logic of the processing and its significance and consequences for the data subject.
- If the personal data of another data subject is included in the data copy, your company must redact that personal data from the data subject file.
The Regulation recommends companies provide data subjects with secure access to their data through a remote self-service system. If your company processes a large amount of information about the data subject, you are entitled to ask them to be more specific about what type of data they are requesting to access.
Article 16: Data Subject’s Right to Rectification
Article 16 states that a data subject has the right to have their personal data amended where it is inaccurate or added to where it is incomplete using a supplementary statement.
In some cases it may be appropriate to ask for evidence before amending data. For example, if a data subject does not have the right to have their data erased on request (see Article 17), they could seek to achieve the same end by providing inaccurate “updated” data. At the same time, there should not be unnecessary obstacles to a data subject exercising their rights to access, amend, or erase their personal data as recorded by your company. This is a situation where companies ought to “use their best judgment” while not infringing on a data subject’s right to rectification.
Article 17: Data Subject’s Right to Erasure (“The Right to be Forgotten”)
Article 17 states that a data subject has the right to request that you erase some or all of the personal data your company holds about them. You are then obliged to do so, if one or more of the following circumstances applies:
- The data is no longer needed for the purposes for which it was received or processed.
- The processing was based on consent, and the data subject withdraws that consent.
- The data subject successfully exercises the right to object (see Article 21)
- The data has been unlawfully processed.
- EU or national law requires that the data be erased.
- The data was collected in circumstances where granting consent would require parental consent authorization.
These grounds will cover many circumstances, although notably it will usually not affect data processed as necessary for the performance of a contract with the data subject. In addition, even if one of the above applies, you are not obliged to erase the data if:
- The processing is necessary for exercising freedom of expression or information.
- The processing is necessary for compliance with a legal obligation.
- The processing is necessary to perform a task in the public interest or in exercise of official authority.
- The processing is necessary for medical or public health purposes.
- The processing is necessary for archiving in the public interest, for historical or scientific research or statistical purposes.
- The processing is necessary to establish or exercise legal claims or defenses.
Where the data controller has made the data public and this right applies, they must also take reasonable steps to inform other controllers working on the data that they should also delete it.