Data Subject Access Requests (DSAR) Guide & How-To

Masha Komnenic CIPP/E, CIPM, CIPT, FIP


October 6, 2022

Table of Contents
  1. What Is a DSAR?
  2. Who Can Submit a DSAR?
  3. What Is Included In a DSAR?
  4. How Long Do You Have To Respond To a DSAR?
  5. How To Respond to a DSAR
  6. DSAR FAQs

What Is a DSAR?

A Data Subject Access Request (DSAR) is a way for data subjects to request access to the personal information that an organization has stored on them.

Individuals can submit requests for access to data, deletion of data, changes to incorrect data, or transfer of data. They can also submit requests to opt out of data collection and sharing.

What Laws Govern DSARs?

Both the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) require that companies and websites give users the ability to access their personal data.

The GDPR is an EU law that gives users more control over their personal information, including rights over how their data is collected and used. It applies to any business that collects data from EU data subjects, no matter where the business is located.

The CCPA is a similar privacy law in the United States. It gives Californians rights regarding how their personal information is used and processed. The CCPA applies to any business that collects consumer data from Californians and meets revenue or consumer number thresholds.

DSAR requirements under the GDPR and CCPA are broadly similar.

Both laws give consumers the ability to access and delete personal information. In addition, both laws have fines and other penalties if you fail to respond to requests. However, some of the details, such as response time, differ between the laws.

Some upcoming US state laws, like the Colorado Privacy Act (CPA) and the Virginia Consumer Data Protection Act (CDPA), will also require companies to give users data access rights.

Who Can Submit a DSAR?

Any individual — or a third party acting on behalf of an individual — can submit a DSAR.

For example, a legal guardian could submit a DSAR on behalf of their dependent, or a third-party company could submit requests on behalf of individuals who use their data removal services.

In addition, submissions could be from users, employees, customers, or other individuals who have had their personal data collected.

In all cases, you must verify the requestor’s identity and ensure the request is valid.

How Can Someone Submit A DSAR?

A DSAR can be submitted through any communication channel.

If you want to be prepared to receive DSARs, you should have a form or a dedicated email address set up for these requests. However, under some laws, consumers can submit requests more informally.

For example, a consumer could email, call, post on social media, or even mail you a letter as a DSAR.

The request could contain detailed information or be as simple as “I would like you to delete the personal information you have about me.”

You should monitor all communication channels to ensure no requests get overlooked.

Can You Submit A DSAR On Behalf Of Someone Else?

Yes, under the GDPR and CCPA, a DSAR can be submitted on behalf of someone else. For example, a parent or guardian could submit a request on behalf of a child.

An individual could also ask a relative or close friend to submit their request.

Third parties can also submit DSARs on behalf of individuals. Some companies send automated DSARs on behalf of their clients.

In these cases, it is still critical to follow all the appropriate response steps, including properly verifying the data subject’s identity.

What Is Included In a DSAR?

A data subject access request is not required to be formatted a certain way or include specific information.

An individual could submit a DSAR simply by emailing and saying, “I would like to know all the personal information you have stored on me.”

By verifying the requestor’s identity and clarifying the request, you will be able to learn more about what law the requestor is submitting under, as well as the exact nature of their request.

If you have a specific DSAR form on your site, or if the requestor is using a template, they may also include information about the law that applies to the request and whether the request is for access, deletion, transfer, or editing.

DSAR software such as Termly can help you gather and track this necessary information so that you can properly handle any DSARs.

With a Termly account, you’ll have the ability to put a DSAR form like this on your site:

[Image: sample Termly DSAR form]

How Long Do You Have To Respond To a DSAR?

The timeline for responding to DSARs varies based on the applicable law.

GDPR

Under the GDPR, you must respond within a calendar month. However, you may be able to request an extension of up to two months if the request is complicated or there are other extenuating circumstances.

You should inform the individual that the extension is occurring and why it is occurring.

CCPA

Under the CCPA, you have 45 days to respond. However, you may be able to request an additional 45-day extension if necessary. Like the GDPR, if you request an extension, you must notify the individual of the extension.

Can You Refuse To Respond To A DSAR?

Yes, under certain circumstances, you may refuse to respond to a DSAR. However, this is limited to specific situations.

GDPR

Under the GDPR, you can refuse to respond if you believe the request is malicious in nature. However, you still need to take steps to confirm that this is the case. You cannot claim that a normal request is malicious to avoid responding to it.

You can also refuse to respond to a DSAR if there is a legal reason that would prevent you from doing so. For example, a legal obligation, such as a legal proceeding that requires the use of that data, may prevent the DSAR from being completed.

You must still notify the requestor if you refuse to respond to a DSAR. You need to inform the requestor why you are denying the request. In addition, you need to inform them of their rights to make a formal complaint or seek legal action.

CCPA

The CCPA also allows for specific circumstances where you can refuse to respond to a request. For example, you can refuse if the personal information is needed to fulfill a contractual obligation between the business and the requestor or if there is a legal obligation to retain the data.

If you are refusing a DSAR under the CCPA, you must still notify the consumer that you are doing so and give the reasons for the refusal.

Penalties For Not Responding To A DSAR

If you do not respond to a DSAR, you could be subject to fines, legal action, or other penalties depending on which data privacy regulation is applicable to you.

GDPR

Under the GDPR, data subjects can file complaints to supervisory authorities if their requests are ignored or inadequately addressed. These complaints can lead to an investigation, which could result in significant GDPR fines.

CCPA

Not responding to a DSAR can also be considered a violation of the CCPA.

CCPA penalties can cost businesses up to $7,500 for each intentional violation and up to $2,500 for each unintentional violation.

Beyond the potential for fines or legal action, you may wish to consider the reputational risk of not responding to requests.

Individuals worldwide are increasingly aware of data privacy and concerned about how their personal data gets used. As a result, consumers may avoid using a website or a business’s services if they do not comply with laws like the GDPR and CCPA.

How To Respond to a DSAR

Your exact process for responding to requests may be different based on your company or website’s specific circumstances. You should also document your DSAR response process to ensure requests are handled accurately and fairly.

The process outlined below is a good starting point for how to respond to a data subject access request for many organizations:

  1. Determine which law is applicable: Requirements for response time vary by law. You may not be legally obligated to fulfill the request if the individual is not protected by applicable law, like the GDPR or CCPA. However, you may still wish to respond to these requests to promote good customer relations.
  2. Verify the requestor’s identity: You must be satisfied that you know the identity of the requestor. No specific way of verifying identity will work for everyone, as various businesses process and retain different types and amounts of personal data. When confirming an individual’s identity, you should stick to using the personal information you already have. You should not request additional personal information. For example, you may ask the request submitter to verify user login information. A popular method is to ask the requestor to contact you using the original method of signing up. The GDPR says that it should be as easy for an individual to withdraw consent as it is to give consent. This means it should not be unnecessarily burdensome for an individual to verify their identity.
  3. Clarify the request: DSARs can be submitted for access, deletion, transfer, or editing. Users can also submit requests to stop the sale of their data. Ask the request submitter to clarify the exact nature of the request.
  4. Verify the validity of the request: Is the request valid? Can you complete the request on time? If you are declining the request, you will still need to contact the requestor to explain why.
  5. Conduct a data search: You will need to find all of the requestor’s personal information. This means you’ll need to search hard copies, digital files, user accounts, payment services, and more. This step may involve reaching out to multiple teams in your organization.
  6. Respond to the request in the correct format: Your response should include information such as:

    1. Confirmation that the request has been completed
    2. Instructions if the user needs to manually complete any portion of the request
    3. Who the data has been disclosed to, such as third parties
    4. The timeframe for any additional steps to be completed
    5. An explanation of the user’s right to complain to a regulatory authority
    6. An explanation of the user’s right to request edits to or deletion of their data, or the restriction of data processing
  7. Create an audit log: A record of your completed DSARs is essential in case of a user complaint or regulatory investigation. Consider including the following information in your log:

    1. Request type and date
    2. Completion status and data
    3. Data subject category, such as “user” or “employee”
    4. Individual responsible for completing the request

A DSAR form or request template can help you manage some of these steps. For example, Termly’s DSAR form includes much of the necessary information, such as:

  • Whether the request is being made by the data subject or another individual acting on behalf of the data subject
  • The law under which the user is making the request
  • Whether the request is for access to information, deletion, opting out of the sale of data, or opting out of the sale of data to third parties
  • Additional comments from the requestor

Remember — DSARs can be submitted through any channel, such as social media, phone, or email. But it can still be helpful for you and your users to have a dedicated way to submit requests.


DSAR FAQs

Can you charge a fee for a DSAR?

In most cases, you cannot charge a fee for a DSAR. Under some laws, you can charge a fee if the request is excessive or unfounded. However, you should be able to prove that is the case. In addition, the fee itself must be reasonable.

Can you redact information from a DSAR response?

Yes, you can redact information from a DSAR response if it does not apply to the request or if it is another individual’s or third party’s information. You should not share any personal information from a different individual or third party with the requestor.

Who in your organization should respond to DSARs?

If you have a data protection officer (DPO), they will likely be the one to respond to any DSARs. If you do not have a DPO, the individual who deals with data protection and privacy in your organization may be the best person to respond to DSARs. Whoever responds to DSARs may also need assistance from various members of your organization to complete the request.

What are some issues you can run into with DSARs?

You may run into several issues with DSARs, including:

  • Difficulty locating all the personal information: If you haven’t audited your data collection and storage, you may not know where all the personal information that someone is requesting is located.
  • Verifying requestor identity: The first step in responding to a DSAR is verifying a requestor’s identity. The verification process should not involve collecting more personal information than you already have.
  • DSAR documentation: Simply responding to DSARs is not always sufficient. You should also keep an audit log in case of a complaint or external review.
  • Time to respond: You may find that completing DSARs takes longer than expected, especially if you receive a large number of requests. Creating a standardized DSAR process and a detailed list of your data collection and storage processes can help simplify the response process.

Can employees submit a DSAR to their employers?

Yes, current and former employees can submit DSARs to their employers. However, if there is a legitimate reason that you cannot fulfill the request, it is possible to refuse. For example, you may need an employee’s personal information to pay them, making it impossible to delete all their personal information entirely.


Written by Masha Komnenic CIPP/E, CIPM, CIPT, FIP

Masha is an Information Security and Data Privacy Specialist and a Certified Data Protection Officer. She has been a Data Protection Officer for the past six years, helping small and medium-sized enterprises achieve legal compliance. She has also been a privacy compliance mentor to many international business accelerators. She specializes...
