"Enzuzo is completely self-serve and easy to use, and very attractively priced relative to competitors."
Emily Wilkinson, Lucy Group
Collect DSAR requests with a simple form on your website
Your dedicated Enzuzo DSAR form makes it easy for customers or users to submit requests on your website.
Select a template (GDPR or CCPA).
Link from footer or privacy policy.
View and respond to requests inside your dashboard.
Choose your DSAR type
Your customers can choose from four different DSAR request types, including marketing unsubscribes, deleting their personal data and more.
Remove customers from all email marketing lists.
Delete personal data.
Get a copy of personal data.
Request that personal data is not sold or shared.
Process all requests in a few simple steps
Complete data subject requests quickly and on time with a few clicks.
Receive data access request.
Verify your subject’s identity.
Automated due date reminders.
Complete and fulfill requests.
Comply with GDPR, CCPA, PIPEDA and other privacy laws
DSARs keep you compliant with GDPR’s ‘Right to be Forgotten’ and CCPA’s ‘Do Not Sell My Information’ requirement.
1-click compliance reporting.
All personally identifiable information scrubbed internally.
Secure and foolproof.
FAQs
What is a Data Subject Access Request (DSAR)?
The phrase “data subject access request” might sound complicated and technical, but when you strip it back, a DSAR is simply a request from an individual that you hold personal data on. The individual requesting data is known as the data subject. Consumers often want to access their data, hence the term data subject access request.
Read more in our ultimate guide to DSARs.
How long should a DSAR take?
In 2004, the Court of Justice of the European Union (ECJ) ruled on the process and timescales for responding to a personal data subject access request (DSAR) in Maatschap Toeters and M.C. Verberk v. Productschap Vee en Vlees (Case C-171/03). The legal ruling declared what time periods should be considered when determining how long a DSAR response should take. Article 12 of the General Data Protection Regulation (GDPR) stipulates that a personal data controller or data privacy manager must process and respond to a DSAR without unnecessary delay and, in any case, within one month after receiving the data request.
While the GDPR applies to EU residents and anyone who does business with EU organizations, the California Consumer Privacy Act (CCPA) has also established similar data privacy regulations, clearly outlining the procedures and processes that should be followed when processing and responding to personal data access requests. The CCPA stipulates that a business responding to a DSAR that has been verified and passed must disclose the personal information gathered about the consumer in the 12-month period prior to the receipt of the access request.
If the data access requests are numerous or complex, your organization can formally ask the data subject for more time to process and respond to each of them, but you need to explain why you need the extension. Keep in mind that you are still expected to process the information requests and offer a full response within the one-month period of receiving the requests. Failure to offer a complete response within 40 days makes you liable for a significant fine and other legal penalties related to the breach in data subject privacy and lack of compliance with the law. Failing to respond to DSARs can also tarnish your organization’s reputation.
Who can submit a DSAR?
In most cases, you’ll find that the person making a data subject access request is the data subject themselves. Sometimes, they may appoint someone to make the request on their behalf.
A data subject (or someone making the request on their behalf) doesn’t need to be a customer of your eCommerce store for their request to be valid. They may be a current or ex-employee, corporate partner or sponsor, supplier, contractor, or anyone else who believes you may hold personal data on them.
What does a DSAR cover?
A data subject access request (DSAR) is a request sent by a data subject to a data controller asking to be provided with a copy of their personal data being collected by the controller and a detailed description of how, and for what purposes, the data is being collected. However, a general complaint or query by the data subject about the usage of their personal data isn’t considered a DSAR.
For instance, if an individual data subject asks you why they are receiving marketing messages or where you got their name from, it’s not a DSAR. But if they specifically ask for a copy of the personal data you hold on them and proof of how you are using it, then it’s considered a DSAR. Please note that a request doesn’t have to be formally titled a “data subject access request” or “data subject request” for it to be considered a DSAR.
It can come from any source and be sent to any department within your organization and still be valid. So, don’t always expect it to be officially addressed to your Data Protection Department. It can even be sent through email or social media. In short, there isn't a formal DSAR process that the subject should follow when submitting a request.
What does a Data Subject Access Request look like?
There’s no uniform way for someone to submit a data subject access request. There’s a deliberately low barrier to making one, so that there’s no burden on someone to use a specific system or make their information request via a medium that they’re uncomfortable with.
Your data subject access requests could come via email, phone, live chat, social media DMs, letter, and more. It’s up to the individual or their representative to choose a medium that makes sense for them when making a request for personal, sensitive information.
Can you refuse to respond to a DSAR?
In line with guidance shared from the Information Commissioner’s Office (ICO) about the GDPR and DSARs, you’re within your rights to not respond if the data request is:
- Manifestly unfounded — for example, the request is malicious, part of a targeted campaign of disruption, or made with a suggestion that it’ll be retracted in exchange for a discount or product.
- Manifestly excessive — for example, there’s a series of overlapping requests, multiple requests for the same thing over a short period of time, or resource reasons why your team can’t manage a large scale response.
What happens if I don’t respond to a DSAR?
Failure to respond to a subject access request within the time frame could lead to legal action and fines. Companies can experience serious legal consequences if they fail to comply with GDPR law.
How much does a DSAR cost?
According to Article 12(5) of the GDPR, the process of requesting access to personal data is supposed to be free. However, you are allowed to charge a small amount for the DSAR if the subject makes excessive requests that are repetitive or unfounded. Even then, you, as the data controller, bear the largest burden of proof and legal responsibility. The small DSAR charge is meant to deter subjects who want to frustrate you or delay your normal business operations by submitting annoying information requests.
How to make a Data Subject Request?
Making a DSAR is a simple process because the subjects can use any format accepted by the data controller, including emails, direct messages, letters, phone calls, and social media messages. Subject rights include requesting to see and update their personal information that has been collected by companies. Individuals can also request that their information be removed from the company's data inventory.
However, the request needs to be clearly labeled as a personal data request and have the date of submission, the subject’s name, including an alias if available, and any other data used by the organization to identify the individual.
The data request also needs to have the subject’s latest contact details and a full list of the personal data they want to access. The individual must also indicate how they would like to receive the response.
After the data request has been received, companies need to ensure that they respond to the individuals within 40 days to stay in compliance with data privacy laws. Using DSAR management software can help automate the process and ensure that your organization doesn't breach personal privacy laws or infringe on data subject rights.