What is a Data Subject Access Request (DSAR)?
A Data Subject Access Request, also known as a ‘SAR’, is one of the fundamental rights implemented under Article 15 of the General Data Protection Protection Regulation, by which a data subject reserves the right to obtain confirmation of processing of their data, and, if the data subject’s personal data is being processed, access to the personal data through secure means.
Bonus Content: Download this blogpost!
The definition of a DSAR under Article 15
The purpose of Article 15 is to provide data subjects power over their data, through several statutory provisions which give data subjects the right of access to their data undergoing processing, to obtain such a copy that does not infringe on the rights and freedoms of others, as well as several other rights. The article itself is worded as follows:
“The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information…”
Most of the information below should be included within your organisation’s privacy policy:
- The categories and purposes of processing the data
- The recipients or categories of recipients of the data
- The period for which the data will be stored by the controller or processor and, if not possible to determine the period, the criteria is used to determine that period
- The existence of the right to request from the controller rectification or erasure of personal data
- The existence of the right to object to processing
- The right to lodge a complaint with a supervisory authority
- If personal data is not collected from the data subject themselves, any information as to the source of the data
- Th existence of automated decision making, including profiling, referred to in Article 22
- The right to be informed on appropriate safeguards relating to a data transfer to a third country
What does this mean for data controllers?
Data controllers, when conducting data processing, must employ privacy by design as outlined by Article 25 of the GDPR. This also supports the organisation-data subject interaction, putting transparency and data privacy at the forefront. If a data controller engages with privacy by design in as much as he can considering his resources and the state-of-the-art, the controller will be aware of the rights data subjects have on DSARs.
A data controller must be aware of these rights and must be aware that if they receive a DSAR, they must respond within one month of receiving the request. If the request is particularly complex, or there is a substantial number of requests from the individual, the response may be extended 30 days, including the weekend, which can be extended by a further 60 days provided the controller or processor informs the data subject of the delay and its cause.
Recognising DSARs
A data subject access request can be made to anybody working within a company, verbally or in writing, and does not need to mention the term ‘data subject access request,’ or ‘DSAR ’. While the right of access is embodied within Recital 63, the GDPR as well as the recitals do not make any reference as to limitations placed on the data subject when requesting their own information. As long as the request is recognisable. This makes recognising DSARs potentially challenging.
It is therefore important to monitor all communications of a company or organisation, as a DSAR may even come through social media, such as Twitter or LinkedIn. A DSAR for example, could entail a very simple ‘I want all my data’ within an email, but it can also be a highly detailed message citing the GDPR.
Organisation wide training is therefore of the upmost importance. Regardless of what your organisation does, it will, within its lifetime, receive a DSAR. Preparation is key to success. If your employees can identify a potential DSAR and are familiar with the procedure of responding to it, the process of fulfilment may become easier. Furthermore, it can begin to embed privacy by design into your organisational structure, a statutory necessity as per Article 25 of the GDPR.
Fulfilling DSARs
A DSAR will be fulfilled by a DPO with support from the rest of the organisation as necessary, however, if an organisation does not have a DPO, nonetheless. it will have to fulfil the DSAR. A data controllers first task is acknowledging the DSAR by confirming it with the requester.
When acknowledging the DSAR you will have to verify the data subject’s identity. For example, to ensure that the person who is requesting their data is indeed the requester otherwise you may cause an accidental data breach, if the data is handed over to someone else.
The controller can use all ‘reasonable measures’ to verify the identity of the data subject, particularly if this request is made online. However, if you, as a controller, make it particularly difficult for data subjects to exercise their right, they may issue a valid complaint to the Data Protection Commission (DPC) for your unjustifiable infringement of their rights.
The DPC can issue a fine of twenty million euros, or up to 4% of the global worldwide annual turnover of the preceding fiscal year, depending on which is higher. Therefore, in verifying the data subject’s identity, you should avoid seeking sensitive or harmful data, keeping in mind proportionality.
Download this blogpost!
Identification of Third Parties
A controller may use “all reasonable measures” to verify the identity of the requester. After the identity of the person in question is confirmed, the data should be collected and analysed for an sensitive data which should be redacted, as well as personal data which can lead to reidentification or identification of a person, such
as trade secrets or information whose publishing would infringe on the rights of other persons, and transferred into common system files, such as the pdf format.
The way data is presented will depend on the DSAR, as every DSAR is different. While the right of access is quite far-reaching, it is nonetheless not absolute and subject to statutory exemptions and restrictions, which can be found within Article 12(5), Article 15 (4) and Article 23 of the GDPR. This should be considered when responding to a request, as it may be that the request is manifestly unfounded, or there have been several requests in a short period of time which would make the requests considered excessive. This will be discussed in more detail in the next part of this article.
Exemptions
There are several exemptions, under which a controller may refuse to comply with a DSAR as outlined in Article 23, also as outlined in Article 12(5) on two grounds: either if the DSAR is “manifestly unfounded” or “manifestly excessive”. A manifestly unfound DSAR request is deemed so if the individual has no intention to exercise their right of access – for example, if a person makes a request, and then provides to withdraw it in exchange for a benefit, such as financial compensation or otherwise, or if the request itself is
malicious.
An excessive request, on the other hand, an excessive request may be one that is burdensome to the controller to an extreme, or the person is requesting another copy of the information, in which case the controller may charge a fee to provide the copy. It should be noted nonetheless a controller should approach these exemptions with care, and not instantly deny a DSAR based on these exemptions, as supervisory
authorities have shown that quite a high bar must be cleared, and evidence must be documented to prove that the requests were indeed excessive or unfounded.
Transferring the Data
To ensure safety of the data, the controller should ensure to send the data to the data subject in a secure way – for example, sending over all data by email would be an insecure way of providing personal information. The controller must also ensure that they are not infringing on the rights of other persons, when providing the requester with information.
For example, there may be documentation which mentions other persons data, which for the purposes of a DSAR, can be blocked out so that only the details referencing the requesting data subject are observable. Doing otherwise will constitute a breach. A controller may also block out any information in respect to trade secrets or intellectual property, or copyright information which protects software, as outlined in Recital 63.
If the controller processes a large amount of data, the controller may be able to request the data subject to specify the information or processing activities of the request, prior to delivering the data. Furthermore, if a data subject only requests a particular set of data, the controller is free to provide only that set of data which the request relates to. After the DSAR has been complete, the controller should ensure they have not duplicated any data.
Conclusion
DSARs may be confusing and difficult to deal both due to statutory underpinnings but also due to a limited timeframe for data extraction and transfers. A controller should nonetheless remember that they must fulfil a DSAR, barring in two exceptive situations, ensuring that the data they are transferring is to an identified data subject and that the data is transferred in a secure manner in a timely manner to the data subject.
How can PrivacyEngine help your organisation with a DSAR?
Due to the strenuous process outlined above, DSARs can be a bureaucratic nightmare to fulfil; manual fulfilment can lead to errors and can take up a large amount of time. The completion of a DSAR can be costly both in terms of internal resources and finance. If your organisation does not have a structured approach to the completion of a DSAR, collecting all information may also prove to be a difficult and painstaking process.
This is where PrivacyEngine can help. While PrivacyEngine can provide your organisation with on demand expert resourcing, advice, and support in fulfilling a DSAR, our industry leading platform also provides features which can aid you in fulfilling your obligations: from DSAR logs which you can manage and fulfil DSARs on from the beginning of their lifecycle to automated risk assessment, to policy drafting and advice, as well as DSAR training for your organisation. Just schedule a call with us today.