Data Subject Access Requests (DSAR) Guide & How-To


Individuals protected by data privacy laws have the right to submit requests to follow through on their rights — in the data privacy world, this is called a data subject access request (DSAR).

Today, you’ll find DSAR forms on websites so users can easily submit one of these requests.

In this guide, I’ll describe the entire DSAR process, including what laws impact them, how users can submit them, and how businesses should respond to them in a legally compliant way.

Table of Contents
  1. What Is a DSAR?
  2. Who Can Submit a DSAR?
  3. What Is Included in a DSAR?
  4. How Long Do You Have To Respond to a DSAR?
  5. How To Respond to a DSAR
  6. DSAR FAQs
  7. Summary

What Is a DSAR?

A Data Subject Access Request (DSAR) is a way for data subjects to request access to the personal information that an organization has stored on them.

Individuals can submit requests to access, delete, correct, or transfer their data and opt out of data collection and sharing.

What Laws Govern DSARs?

The original data privacy laws that required companies and websites to give users the ability to access their personal data were the:

  • General Data Protection Regulation (GDPR): A European Union (EU) law that gives users rights over how their data is collected and used and applies to any business that collects data from EU data subjects regardless of where the business is located.
  • California Consumer Privacy Act (CCPA): A U.S. privacy law that gives Californians rights regarding how their personal information is used and processed and applies to businesses that collect California consumer data and meet revenue or consumer thresholds.

Today, additional laws, like the Colorado Privacy Act (CPA) and the Virginia Consumer Data Protection Act (VCDPA), also require companies to give users data access rights.

DSAR requirements under all data privacy laws are broadly similar.

Most of these laws allow consumers to access, correct, or delete personal information and impose fines or penalties if businesses fail to respond to requests.

However, some details, such as response time, differ between the laws.

Who Can Submit a DSAR?

Any individual — or a third party acting on behalf of an individual — can submit a DSAR.

For example, a legal guardian could submit a DSAR on behalf of their dependent, or a third-party company could submit requests on behalf of individuals who use their data removal services.

In addition, submissions could be from users, employees, customers, or other individuals who have had their personal data collected.

In all cases, you must verify the requestor’s identity and ensure the request is valid.

How Can Someone Submit a DSAR?

Consumers can submit a DSAR through any communication channel.

To prepare your business to receive DSARs, set up a form or email on your website for receiving these requests.

But understand that, under some laws, consumers can submit requests more informally.

For example, a consumer could email, call, post on social media, or mail a letter as a DSAR.

The request could contain detailed information or simply say, “I would like you to delete the personal information you have about me.”

Monitor all communication channels to ensure no requests get overlooked and avoid fines for legal non-compliance.

Can You Submit a DSAR on Behalf of Someone Else?

Yes, under laws like the GDPR and CCPA, a DSAR can be submitted on behalf of someone else, including all of the following:

  • A parent or guardian submitting a request on behalf of a child
  • A relative, loved one, or close friend submitting a request on behalf of an individual
  • Third-party services submitting a request on behalf of individuals
  • Automated DSARs sent by companies on behalf of their clients
  • User browser settings, like global privacy controls or universal opt-out mechanisms

In all of these cases, your business must follow the appropriate response steps, including verifying the data subject’s identity and responding in a timely manner.

What Is Included in a DSAR?

Technically, a data subject access request is not required to be formatted in a certain way or include specific information.

An individual could submit a DSAR simply by emailing and saying, “I would like to know all the personal information you have stored on me.”

However, your business must verify the requestor’s identity and clarify the request as necessary so you can learn more about what law they’re submitting under and the nature of their request.

If you have a specific DSAR form on your site or the requestor uses a template, it may include information about the law that applies to the request and whether it is for access, deletion, transfer, or editing.

You can access DSAR software by signing up for Termly, which helps you gather and track necessary information to handle consumer requests properly.

With a Termly account, you can link a DSAR form like the one pictured below on your site.

[Image: sample Termly DSAR form]

How Long Do You Have To Respond to a DSAR?

The timeline for responding to DSARs varies based on the applicable law:

  • GDPR: You must respond within one calendar month but may extend that by up to two further months; if you do, you should inform the individual that an extension applies and why.
  • CCPA: You have 45 days to respond and may request an additional 45-day extension if necessary and must notify the individual if one is requested.
  • CPA: You must respond within 45 days and can request a 45-day extension, but you must notify the individual about the extension.
  • VCDPA: Like the CCPA and CPA, you have 45 days to respond to requests and may get a 45-day extension, but must notify the individual if one is requested.

Can You Refuse To Respond to a DSAR?

Yes, depending on the law, you may refuse to respond to a DSAR under certain circumstances and in specific situations.

GDPR

Under the GDPR, you can refuse to respond to a DSAR if you believe the request is malicious in nature or for legal reasons.

For example, ongoing legal proceedings sometimes require the retention or use of personal data, which prevents the DSAR from being completed in full.

However, you cannot claim a normal request is malicious simply to avoid responding to it and must take steps to confirm the validity of the DSAR.

To deny a request under the GDPR, you must:

  • Notify the requestor that you refuse to respond to their DSAR
  • Inform them about why you’re denying it
  • Explain their rights to make a formal complaint
  • Describe how they can appeal your decision
  • Explain their right to seek legal action

CCPA

The CCPA also allows for specific circumstances where you can refuse to respond to a request.

You can refuse a DSAR if the personal information is needed to fulfill a contractual obligation between your business and the requestor or if you’re legally obligated to retain the data.

If you are refusing a DSAR under the CCPA, you must:

  • Notify the consumer that you’re denying their DSAR
  • Give the reasons for the refusal
  • Describe how the individual can appeal your decision

Other Data Privacy Laws

Additional data privacy laws, like the VCDPA and CPA, also allow you to deny DSARs for the same reasons as the GDPR and the CCPA.

You must inform the individual of your decision, give your reasons for the denial, and explain your appeal process.

Penalties for Not Responding to a DSAR

If you do not respond to a DSAR, you could be subject to fines, legal action, or other penalties depending on which data privacy regulation applies to you.

GDPR

Under the GDPR, data subjects can file complaints to supervisory authorities if their requests are ignored or inadequately addressed.

These complaints can lead to an investigation, which could result in significant GDPR fines:

  • For unintentional violations: Up to 2% of your gross annual turnover or €10 million ($12 million), whichever is higher
  • For intentional violations: Up to 4% of your gross annual turnover or €20 million ($21 million), whichever is higher

CCPA

Not responding to a DSAR can also be considered a violation of the CCPA, which can cost businesses:

  • For unintentional violations: Up to $2,500 per violation
  • For intentional violations: Up to $7,500 per violation

Other Data Privacy Laws

Other laws also penalize businesses that don’t adequately respond to DSARs from consumers, which include the following:

  • CPA: $2,000 to $20,000 per violation, as fines fall under the Colorado Consumer Protection Act
  • VCDPA: Up to $7,500 per violation

Beyond the potential for fines or legal action, you should also consider the reputational risks of not responding to consumer requests.

Consumers today are increasingly aware of data privacy and feel concerned about how their personal data gets used.

As a result, consumers may avoid using a website or business’s services if they don’t comply with data privacy laws.

How To Respond to a DSAR

Your exact process for responding to requests may vary based on your company or website’s specific circumstances, but remember to document your DSAR response process to ensure you handle requests accurately and fairly.

For many organizations, the process below is a good starting point for responding to a data subject access request:

  1. Determine which law is applicable: Requirements for response times vary by law, and you may not be legally obligated to fulfill the request if the individual is not protected by legislation like the GDPR or CCPA — you may still wish to respond to these requests to promote good customer relations.
  2. Verify the requestor’s identity: Legally, you must verify the identity of the requestor. When confirming an individual’s identity, use personal information you already have, as some laws prohibit you from asking for additional information. Consider asking the request submitter to verify user login information or ask them to contact you using the original method of signing up.
  3. Clarify the request: Ask the request submitter to clarify the exact nature of the request, as they can submit DSARs for access, deletion, transfer, editing, or to stop the sale of their data.
  4. Verify the validity of the request: When you receive a DSAR, ask yourself: is the request valid? Can you complete the request on time? Remember, if you decline the request, you must still contact the requestor and explain why.
  5. Conduct a data search: You must find all of the requestor’s personal information, which means searching through hard copies, digital files, user accounts, payment services, and more. This data inventory step may involve reaching out to multiple teams in your organization.
  6. Respond to the request in the correct format: Your response should include:

    1. Confirmation that the request has been completed
    2. Instructions if the user must complete parts of the request manually
    3. Who the data has been disclosed to, such as third parties
    4. The timeframe for any additional steps to be completed
    5. An explanation of the user’s right to complain to a regulatory authority
    6. An explanation of the user’s right to request edits to or deletion of their data or the restriction of data processing
  7. Create an audit log: Keep a record of your completed DSARs in case of a user complaint or regulatory investigation. Consider including the following information in your log:

    1. Request type and date
    2. Completion status and date
    3. Data subject category, such as “user” or “employee”
    4. Individual responsible for completing the request
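The response windows in the timeline section and the audit-log fields in step 7 can be encoded as a small tracking record, so that an open request is flagged before its statutory deadline passes. The following is an added example, not Termly's code or part of the original guide. It assumes that day-based windows are counted in calendar days from the date of receipt, that the GDPR "calendar month" is the same day of the following month clipped to that month's last day (so a request received on 31 January is due on the last day of February), and that an extension only counts once the requestor has been notified of it; the field names and the sample log entries are constructed for illustration.

```python
"""DSAR deadline tracking and audit-log record (added example, not Termly's code)."""
import calendar
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Response windows as stated in the guide: (unit, initial window, extension).
# Assumption: day-based windows are calendar days counted from receipt.
RESPONSE_WINDOWS = {
    "GDPR": ("months", 1, 2),
    "CCPA": ("days", 45, 45),
    "CPA": ("days", 45, 45),
    "VCDPA": ("days", 45, 45),
}


def add_months(d: date, n: int) -> date:
    """Shift d by n months, clipping to the last day of the target month
    (31 Jan + 1 month -> 29 Feb in a leap year, 28 Feb otherwise)."""
    idx = d.month - 1 + n
    year, month = d.year + idx // 12, idx % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def due_date(received: date, law: str, extended: bool = False) -> date:
    """Statutory deadline for a request received on `received` under `law`."""
    unit, initial, extension = RESPONSE_WINDOWS[law]
    total = initial + (extension if extended else 0)
    if unit == "months":
        return add_months(received, total)
    return received + timedelta(days=total)


@dataclass
class DsarRecord:
    """One audit-log entry using the fields the guide recommends logging
    (request type and date, completion status and date, subject category,
    responsible person). Field names are assumptions for this example."""
    request_type: str            # access, deletion, correction, transfer, opt-out
    received: date
    law: str
    subject_category: str        # e.g. "user" or "employee"
    owner: str                   # person responsible for completing the request
    extension_notified: bool = False
    completed: Optional[date] = None
    status: str = "open"         # open / completed / denied
    notes: List[str] = field(default_factory=list)

    def deadline(self) -> date:
        # An extension only counts once the requestor has been told about it.
        return due_date(self.received, self.law, extended=self.extension_notified)

    def is_overdue(self, today: date) -> bool:
        return self.status == "open" and today > self.deadline()

    def close(self, when: date, status: str = "completed") -> None:
        self.completed = when
        self.status = status


def overdue_requests(log: List[DsarRecord], today: date) -> List[DsarRecord]:
    """Return the open records whose deadline has already passed."""
    return [r for r in log if r.is_overdue(today)]


def sample_log() -> List[DsarRecord]:
    """Constructed sample entries, not real requests."""
    return [
        DsarRecord("access", date(2024, 1, 31), "GDPR", "user", "privacy team"),
        DsarRecord("deletion", date(2024, 1, 1), "CCPA", "customer", "privacy team",
                   extension_notified=True),
        DsarRecord("correction", date(2024, 1, 10), "VCDPA", "employee", "HR"),
    ]


if __name__ == "__main__":
    today = date(2024, 3, 1)
    for rec in sample_log():
        print(f"{rec.request_type:10} {rec.law:6} received {rec.received} "
              f"due {rec.deadline()} overdue={rec.is_overdue(today)}")
```

Running the block prints one line per sample record with its computed deadline; the GDPR entry received on 31 January is due on 29 February 2024 and is already overdue on 1 March, while the CCPA entry with a notified extension is not.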

A DSAR form or request template can help you manage some of these steps. For example, Termly’s DSAR form includes necessary information, such as:

  • Whether the request is from the data subject or another individual acting on behalf of the data subject
  • The law under which the user is making the request
  • Whether the request is for access to information, deletion, opting out of the sale of data, or opting out of the sale of data to third parties
  • Additional comments from the requestor

Remember, even though most data privacy laws require you to provide a means for consumers to follow through on their privacy rights, users can submit DSARs through any channel, such as social media, phone, or email.

However, it helps to have a dedicated way for consumers to submit their requests, so get started with Termly’s DSAR form by signing up for free.

DSAR FAQs

Check out some of the most frequently asked questions we get about DSARs below.

Can you charge a fee for a DSAR?

Under most data privacy laws, you can’t charge a fee for a DSAR unless the request is excessive or unfounded.

You must prove that the request is excessive and the fee itself must be reasonable.

Can you redact information from a DSAR response?

Yes, you can redact information from a DSAR response if it doesn’t apply to the request or if it risks revealing another individual’s or third party’s information.

Never share any personal information about a different individual with the requestor.

Who in your organization should respond to DSARs?

If you have a data protection officer (DPO), they’ll likely respond to any DSARs. If you do not have a DPO, whoever manages your organization’s data protection and privacy is the best person to respond to DSARs.

The person responsible for responding to DSARs may need assistance from various members of your organization to complete the requests.

What are some issues you can run into with DSARs?

You may run into several issues with DSARs, including:

  • Difficulty locating all the personal information: If you haven’t audited your data collection and storage, you may not know where all the personal information that someone is requesting is located.
  • Verifying requestor identity: The first step in responding to a DSAR is verifying the requestor’s identity, which should not involve collecting more personal information than you already have.
  • DSAR documentation: Simply responding to DSARs is not enough — keep an audit log in case of a complaint or external review.
  • Time to respond: You may find that completing DSARs takes longer than expected, especially if you receive a large number of requests. Creating a standardized DSAR process and a detailed list of your data collection and storage processes can help simplify the response process.

Can employees submit a DSAR to their employers?

Yes, current and former employees can submit DSARs to their employers. If there is a legitimate reason that you cannot fulfill the request, it’s possible to refuse.

For example, you may need an employee’s personal information to pay them, making it impossible to delete all their personal information entirely.

Summary

Depending on the data privacy laws that affect your business, some users have the right to submit requests regarding how their personal information gets collected, processed, and used.

Establishing a process for responding to DSARs is essential, as it helps with everything from legal compliance to ensuring you can find all data about the requestor to minimizing your DSAR response time.

Make it easy on your business by accessing Termly’s suite of compliance solutions, and get a comprehensive DSAR form you can easily embed on your website.


Written by Masha Komnenic CIPP/E, CIPM, CIPT, FIP

Masha is an Information Security and Data Privacy Specialist and a Certified Data Protection Officer. She has been a Data Protection Officer for the past six years, helping small and medium-sized enterprises achieve legal compliance. She has also been a privacy compliance mentor to many international business accelerators. She specializes in implementing, monitoring, and auditing business compliance with privacy regulations (HIPAA, PIPEDA, ePrivacy Directive, GDPR, CCPA, POPIA, LGPD). Masha studied Law at Belgrade University, and she passed the Bar examination in 2016.
