Under the General Data Protection Regulation (GDPR), protected individuals are allowed to submit requests to follow through on their privacy rights, which include the right to access, correct, delete, or transfer their personal data.
They can do this by submitting something called a data subject access request (DSAR).
In this guide, I describe what a DSAR is and how the GDPR and other laws impact the process, and explain how businesses should respond when users submit one of these requests.
DSAR Defined
A data subject access request (DSAR) refers to when individuals submit requests to follow through on their privacy rights granted to them by the General Data Protection Regulation (GDPR), the privacy law that protects people in Europe.
You might also see it referred to as a subject access request or SAR.
Even though the ‘A’ in DSAR specifically refers to when a user requests to access the personal information an organization collected about them, DSARs can be submitted to follow through on any privacy right outlined by the GDPR.
Advantages of DSARs
The special thing about DSARs is their versatility — they help simplify compliance with the GDPR and privacy laws in general, making them ideal for businesses.
While laws in other regions use different terms and rules, a DSAR can technically be submitted by protected individuals to follow through on those legal rights, as well.
Your business should have an adaptable DSAR process in place so that when a user makes a privacy rights request, your team knows how to respond in a timely, compliant manner.
What Laws Govern DSARs?
The original data privacy law that governs DSARs is the GDPR, which applies to any business in Europe and anyone that collects data from EU data subjects, regardless of location.
However, several other laws also require companies to give users data access and other rights, and implementing a single DSAR process can help your business meet these legal guidelines in an efficient, straightforward manner.
Those additional privacy laws include the following:
- Brazil’s General Data Protection Law (LGPD)
- California Consumer Privacy Act (CCPA)
- Colorado Privacy Act (CPA)
- Connecticut Data Privacy Act (CTDPA)
- Oregon Consumer Privacy Act (OCPA)
- South Africa’s Protection of Personal Information Act (POPIA)
- Utah Consumer Privacy Act (UCPA)
- Virginia Consumer Data Protection Act (VCDPA)
While some details differ between the laws, such as response time, most allow consumers to access, correct, or delete personal information and impose fines or penalties if businesses fail to respond to requests.
DSAR requirements under all data privacy laws are broadly similar.
Because of this, you can use a single DSAR form and add it to your site to help users under all privacy laws submit requests to act on their given rights.
What Rights Can Users Submit DSARs For?
Users can submit a DSAR to follow through on any of their privacy rights, which may include:
- Access
- Correct or amend
- Delete/the right to be forgotten
- Transfer
- Opt out of profiling
- Opt out of data selling or sharing
- Opt out of targeted advertising
They are also permitted to request to follow through on multiple rights in a single DSAR.
Who Can Submit a DSAR?
Under the GDPR — and most existing privacy laws — any individual or a third party acting on behalf of an individual can submit a DSAR, for example:
- A parent or guardian can submit a request on behalf of a child
- A relative, loved one, or close friend can submit a request on behalf of an individual
- Third-party services can submit a request on behalf of individuals
- Automated DSARs can be sent by companies on behalf of their clients
- User browser settings, like global privacy controls or universal opt-out mechanisms
Submissions could also be from users, employees, customers, or other individuals who have had their personal data collected.
In all cases, you must verify the requestor’s identity and ensure the request is valid.
How Can Someone Submit a DSAR?
Consumers can submit a DSAR through any communication channel — this includes through email, social media channels, and even snail mail.
Under many privacy laws, consumers can submit data subject access requests informally.
The request could contain detailed information or simply say, “I would like you to delete the personal information you have about me.”
To prevent your business from receiving random DSARs in unpredictable formats, I recommend setting up a specific DSAR form and/or email on your website for receiving these requests.
You can easily access DSAR software by signing up for Termly, which helps you gather and track the information needed to handle consumer requests properly.
It also includes a DSAR form that you can embed on your site.
I suggest you still monitor all communication channels to ensure no requests get overlooked to avoid fines for legal noncompliance.
What Is Included in a DSAR?
Technically, a data subject access request is not required to be formatted in a certain way or include specific information.
An individual could submit a DSAR simply by emailing and saying, “I would like to know all the personal information you have stored on me.”
However, it makes the process easier for your business and consumers if you present them with a DSAR form on your website that includes specific questions so they can provide you with the following details:
- What website or app the requester is referencing
- The name of the requester
- An email address or other means for sending a response to the requester
- If the requester is submitting the request for themselves or a third party
- What law the request applies to
- Which right(s) the requester is submitting to follow through on
- A space for the requester to leave additional information and details
Once you receive a DSAR, your business must then verify the requestor’s identity and clarify the request as necessary.
How To Respond to a DSAR
For many organizations, the process below is a good starting point for responding to a data subject access request:
- Determine which law is applicable: Requirements for response times vary by law, and you may not be legally obligated to fulfill the request if the individual is not protected by legislation like the GDPR or CCPA — you may still wish to respond to these requests to promote good customer relations.
- Verify the requestor’s identity: Legally, you must verify the identity of the requestor using personal information you already have, as some laws prohibit you from asking for additional information. Consider asking the request submitter to verify login information or ask them to contact you using the original method of signing up.
- Clarify the request: Ask the request submitter to clarify the exact nature of the request, as they can submit DSARs for access, deletion, transfer, editing, to stop the sale of their data, and more.
- Verify the validity of the request: When you receive a DSAR, ask yourself: is the request valid? Can you complete the request on time? Remember, if you decline the request, you must still contact the requestor and explain why.
- Conduct a data search: You must find all of the requestor’s personal information, which means searching through hard copies, digital files, user accounts, payment services, and more. This data inventory step may involve reaching out to multiple teams in your organization.
- Respond to the request in the correct format: Some of the information you should include in your response includes:
  - Confirmation that the request has been completed
  - Instructions if the user must complete parts of the request manually
  - Who the data has been disclosed to, such as third parties
  - The timeframe for any additional steps to be completed
  - An explanation of the user’s right to complain to a regulatory authority
  - An explanation of the user’s right to request edits to or deletion of their data or the restriction of data processing
- Create an audit log: Keep a record of your completed DSARs in case of a user complaint or regulatory investigation. Consider including the following information in your log:
  - Request type and date
  - Completion status and date
  - Data subject category, such as “user” or “employee”
  - Individual responsible for completing the request
Your exact process for responding to a DSAR may vary depending on your company’s specific circumstances, but remember to document your response process to ensure you handle requests accurately and fairly.
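The procedure above, reduced to a small tracker, as an added example that is not part of the original guide or Termly’s product. It records the audit-log fields listed above, computes the response deadline from the windows the guide states (one calendar month under the GDPR, extendable to two months; 45 days under the CCPA, CPA, CTDPA and VCDPA, extendable by a further 45), and flags overdue requests. The `DsarRecord` class, the `add_months` helper and the sample request are constructed for this example and are not part of any law or library; the calendar-month clamping (31 January plus one month landing on the last day of February) is one reasonable reading of “one calendar month”, not legal advice.

```python
import calendar
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Response windows as stated in the guide (hypothetical mapping for this example).
GDPR_MONTHS = {"initial": 1, "extended": 2}
US_DAYS = {"initial": 45, "extended": 90}
US_LAWS = {"CCPA", "CPA", "CTDPA", "VCDPA"}


def add_months(d: date, months: int) -> date:
    """Add calendar months, clamping to the last day of the target month
    (e.g. 31 Jan + 1 month -> 28/29 Feb)."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def response_deadline(law: str, received: date, extended: bool = False) -> date:
    """Deadline for a request received under `law`; `extended` means the
    individual has been told the response will take the longer period."""
    law = law.upper()
    key = "extended" if extended else "initial"
    if law == "GDPR":
        return add_months(received, GDPR_MONTHS[key])
    if law in US_LAWS:
        return received + timedelta(days=US_DAYS[key])
    raise ValueError(f"no response window configured for {law}")


@dataclass
class DsarRecord:
    """One entry in the DSAR audit log (fields from the guide's checklist)."""
    request_id: str
    law: str
    request_type: str          # e.g. "access", "delete", "transfer"
    received: date
    subject_category: str      # e.g. "user", "employee"
    owner: str                 # person responsible for completing the request
    extended: bool = False
    completed: Optional[date] = None
    events: List[str] = field(default_factory=list)  # identity checks, clarifications, etc.

    def log(self, note: str) -> None:
        self.events.append(note)

    def deadline(self) -> date:
        return response_deadline(self.law, self.received, self.extended)

    def is_overdue(self, today: date) -> bool:
        return self.completed is None and today > self.deadline()


def sample_record() -> DsarRecord:
    """Constructed sample: a GDPR access request received on 31 January 2024."""
    rec = DsarRecord("DSAR-0001", "GDPR", "access", date(2024, 1, 31), "user", "privacy-team")
    rec.log("identity verified against existing account email (no new data collected)")
    rec.log("request clarified: access only, no deletion")
    return rec


if __name__ == "__main__":
    rec = sample_record()
    print("deadline:", rec.deadline())                      # 2024-02-29
    print("overdue on 1 March?", rec.is_overdue(date(2024, 3, 1)))  # True
```

Recording each verification and clarification step in `events` gives the audit trail the guide asks for, and `is_overdue` is the check to run daily against open requests so a missed deadline is caught before it becomes a penalty.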
Verifying an Individual’s Identity
Businesses are legally responsible for verifying the identity of consumers who submit requests to follow through on their privacy rights.
Doing so helps ensure that personal data is only ever released to authorized individuals.
The GDPR requires this under Recital 64, which states that businesses must use “reasonable measures” to verify the data subject’s identity, but cannot retain information for the sole purpose of reacting to potential DSARs.
Otherwise, it’s up to the business to implement a process for confirming the identity of consumers who submit DSARs.
Common identity verification methods include:
- Photo identification
- Knowledge-based authentication questions
- User login credentials (if they already exist)
- Multi-factor authentication
That said, you cannot ask for more personal information than you already have access to when confirming a user’s identity unless it’s absolutely necessary.
Who Should Respond to DSARs?
The businesses I’ve worked with have successfully responded to DSARs by designating a single person on their team who is responsible for all oversight of the process.
You might choose a member of your data privacy team or your Data Protection Officer (DPO) if your organization has one.
Whoever you appoint should understand the legal aspects of responding to DSARs so they can ensure they respond to them and track them in a compliant manner.
Can You Charge a Fee for a DSAR?
Typically, privacy laws state that businesses cannot charge a fee for responding to a DSAR.
However, some laws make exceptions for requests that are considered excessive or unfounded — in these circumstances, a reasonable fee is permitted.
The responsibility is on your business to prove that the request is excessive.
Can You Refuse To Respond to a DSAR?
Yes, depending on the law, you may refuse to respond to a DSAR under certain circumstances and in specific situations, but you must always do the following:
- Inform the individual of your choice
- Explain why you’re denying their request
- Provide them with a way to appeal your decision
For example, you can refuse to honor a DSAR if it’s malicious in nature, for legal reasons, to fulfill a contract, or if the request breaches another individual’s privacy.
Additional data privacy laws, like the VCDPA and CPA, follow very similar guidelines as the GDPR and the CCPA when it comes to denying a DSAR from an individual.
How Long Do You Have To Respond to a DSAR?
The timeline for responding to DSARs varies based on the applicable law, but typically you have between 30 and 45 days to respond.
Under the GDPR, you must respond within one calendar month but can extend that to up to two months, so long as you inform the individual that you are extending the deadline and why the extension is necessary.
Under U.S. privacy laws, including the CCPA, CPA, CTDPA, and VCDPA, you must respond within 45 days and can extend that by another 45 days so long as you inform the individual ahead of time.
Penalties for Not Responding to a DSAR
If you don’t respond to a DSAR on time, you could be subject to fines, legal action, or other penalties depending on which data privacy regulations apply.
I compiled a list of penalties for all privacy laws mentioned in this guide, which you can find in the table below.
| Data Privacy Law | Penalties for Noncompliance |
| --- | --- |
| GDPR | |
| CCPA/CPRA | |
| CPA | |
| CTDPA | |
| OCPA | |
| UCPA | |
| VCDPA | |
| Brazil’s LGPD | |
| South Africa’s POPIA | |
DSAR FAQs
Below, I answer some of the most frequently asked questions we get about DSARs.
Can you redact information from a DSAR response?
Yes, you can (and sometimes should) redact information from a DSAR response if it doesn’t apply to the request or if it risks revealing another individual’s or third party’s information.
What are some issues you can run into with DSARs?
You may run into several issues with DSARs, including:
- Locating all the personal information: this is difficult if you haven’t audited your data collection.
- Verifying the requestor’s identity: this is the first step in responding to a DSAR, and it shouldn’t involve collecting more data than you already have.
- DSAR documentation: keep an audit log in case of a complaint or external review.
- Timing: you may find completing DSARs takes longer than expected. Implement a standardized DSAR process to help simplify the response process.
Can employees submit a DSAR to their employers?
Yes, current and former employees can submit DSARs to their employers, but if there is a legitimate reason that you cannot fulfill the request, it’s possible to refuse.
Summary
Depending on the data privacy laws that affect your business, some users have the right to submit requests regarding how their personal information gets collected, processed, and used.
Establishing a process for responding to DSARs is essential, as it helps with everything from legal compliance to ensuring you can find all data about the requester to minimizing your DSAR response time.
Make it easy on your business by accessing Termly’s suite of compliance solutions, and get a comprehensive DSAR form you can easily embed on your website.