DSAR: Data Subject Access Requests and other Rights


Introduction: Defining DSAR 

Data Subject Access Requests (DSAR) is one of the data subject rights conferred under the General Data Protection Regulation (GDPR). It forms part of a group of data subject rights that gives data subjects greater control of their data which is established under Chapter 3 of GDPR.

DSAR, itself is defined under Article 15 of GDPR, which is the right to obtain from the controller confirmation on whether they are processing personal data of the person making the request and provide access to that data along with disclosing certain information in relation to the processing. This information that has to be disclosed includes; the categories of data that are being processed, the purpose of the processing, whether the data has been passed onto third parties.

The “Right to Access data” is just one element of the bundle of data subject rights, which includes the right of deletion, rectification, the right to restrict and object to processing. The expectations of these rights and common issues that sit across them will be outlined below.


The other data subject rights 

The Right to Rectification, is defined under Article 16 of GDPR, is the right to have any incorrect data corrected by the Data Controller, along with also depending on the type of processing, a request can be made to ensure that the record held on the data subject is complete.

The other major right is the right of erasure, defined under Article 17. This enables the data subject to request that the data controller deletes any record of the personal data. The controller, however, can reject the request, if there is a good enough reason such as the processing of the data has been done in the course of exercising freedom of expression, or compliance with other legal obligations requires the data to still be stored and processed.

It has also been subject to various cases at the European Court of Justice, with the most recent one outlining an important restriction regarding the boundaries of the right to delete. In the judgement, it outlined that the right was limited to Europe and couldn’t be enforced outside unless the jurisdiction had similar protections in place.

Along with the right to access these from the main enforceable rights of data subjects, however, there are two more notable rights. There is first the right to restrict processing under Article 18 of the GDPR, in which they can restrict the processing, so long as one of the grounds listed, if the accuracy of the data is questionable, the processing is unlawful, or the controller no longer needs the data for processing.

Then there is the right to object to processing, which is different from the right to restriction, it provides the data subject with absolute rights to prevent processing for purposes such as direct marketing.


Common elements 

These rights are all exercisable through making a request to the Data Controller, and they should as a matter of good practice to confirm receipt of the request and that they are looking into it.

Also, these requests need to be responded to with undue delay, which the ICO has provided guidance on, in which they outline the adequate response time is within one calendar month. If circumstances mean they have to delay the response to the request, the data subject should be informed of any delay and explaining why it is necessary.

The other thing that is common across the regulation, and reiterated in the guidance from the national regulators, is that the data subjects need to be informed of their rights by the data controller.


Simplifying the process 

Putting policies in place and having members of staff trained to handle these requests is the first step in helping operationalise it for your organisation. However, some enterprises have complicated database setups, which will also include legacy systems that are also storing information, which raises issues in terms of finding the information for requests.

This modern problem requires a modern solution, which would ideally be a full-service solution, providing tools for mapping the data held within the organisation coupled with an online request system handling the requests outlined in the above. This would help mitigate the issues that many businesses currently face when trying to respond to requests made under any of the rights outlined in Chapter 3 of the GDPR. It would also provide assistance in ensuring compliance with the timeframes that are required for the response under the law.


Importance of complying with Requests: 

These requests are an important part of data protection, and in the legislation passed in other countries, they have been adopting similar rights, such as under the California Consumer Privacy Act in states incorporates some of the requests. The General Data Protection Law for Brazil also confers similar rights under Article 18.

As these requests become a more significant element of data protection globally, ensuring that there is a streamlined approach to verifying and responding to the request within an adequate time frame. These rights also highlight the importance of knowing what data you have as an organisation, and where it is held on databases in order to be able to react swiftly and reduce any risks.

Seers can help you with your DSAR requirements so contact us at: info@seersco.com