What is a Data Subject Access Request

Data Subject Access Requests are an important part of complying with Data Privacy Laws. But what are they and how do you follow them? We make it clear in this post.

What Is A Data Subject Access Request

For those wondering what a data subject access request (DSAR) is, it’s actually you or another individual that is requesting to see their information that a company has on them. Anyone can  submit a data access request. The GDPR made it so that when requesting your personal information, the Data Subject (you) has that right to ask about what the organization will be doing with their data and who would be getting their data. The general idea is that the Data Subject can inquire:

-What is the purpose of the processing

-What are the categories of processed personal data (including recipients of recipients in third countries or international organizations)

-Who are the recipients to whom the personal data have been or will be disclosed

-For what period of time will data be stored

Just to let you--the one reading this article --that submitting a DSAR doesn’t automatically reply with what information they have on you. The company will want to verify that you are the same individual that you are wanting them to pull the data on and not some random person that doesn’t have that right to access someone else’s personal data unless they have proof of consent that the person, whose data they are trying to obtain, has given their approval to represent them.

A Data Subject Has The Right To

-Obtain a copy of their personal information that the organization has on the data subject

-File a complaint

-Right to erasure (Meaning they can tell the company they are reaching out to to erase all their data on that person)

-The right to ask for restriction of the processing of his or her personal data (Meaning they can say what they can or cannot use in regards to how their personal data is used)

-Right to request rectification (that they want something changed)

-Affirmation that the organization is processing individuals’ personal data

-Right to know the source of collected data

-The existence of automated decision-making and information about the consequences and effects of the processing for the data subject

-Have information about safeguards for data transfer to third countries

This set of rights are clearly defined for the Data Subject to understand the usage of his/her data and check the lawfulness of the company’s data processing.

For Companies Receiving the DSAR

When answering the data subject request, the company’s Data Protection Officer (DPO) will need to respond and verify that the requester is who they say they are in requesting their personal data. As the DPO, you must enclose the copy of personal data you have on the data subject, as well as deliver information regarding processing (described above) or provide a link to your privacy policy, where you have elaborated that information in detail. As a reminder, officially, you will have to make sure it’s done within one month or more depending on which law is in play (i.e. CCPA gives you 45 days) from the day you confirmed the data subject's identity.

If for some reason you are providing information that relates to one or more other data subjects you can deny the access if it would result in disclosure of information about another data subject.

Another situation is if the data subject’s DSAR’s are numerous or complex, you can extend the deadline by two months (Extension varies by the law that’s in effect), but you are still expected to respond to the request within the first month and explain why the extension is necessary.

Breakdown on How DSAR’s are Handled Amongst Different Laws

This can be a major headache for many who are the Data Subject and are wondering how this all fits with their right on their data. Thankfully we’ve researched and collected enough information to try to lessen that struggle. 

GDPR

Verification

It states “the controller should use all reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services and online identifiers.” In other words, it’s up to the controller/organization on what the most reasonable way to identify the individual requesting the information that he or she says is his/hers that they want to get access to.

Right to Erasure/Deletion/Correction/Restriction

Deletion right applies to all data concerning a data subject.

Right to Access/Disclosure

Requires businesses inform consumers of their rights at the point of collection. Data subjects have the right to request access to their personal data.

Portability Requirement

If the request was made by electronic means, and unless otherwise requested by the data subject, the information should be provided in a commonly used electronic form. Remember that you as the business are required to respond within one month from when the request was made and are only allowed an extension of the request happens to be a rather large one, which requires more time to gather. Still, you have to reply within 30 days to the request to say you need an extension and provide a reason why.

CCPA

Verification

The CCPA states that a business shall establish, document, and comply with a reasonable method for verifying that the person making a request is the consumer about whom the business has collected information. This is pretty identical to what we just mentioned for GDPR.

Right to Erasure/Deletion/Correction/Restriction

The deletion right applies only to data collected from the consumer (not data about the consumer collected from third parties). Consumers have the right to deletion of their PI, except when it is necessary to to complete a transaction, needed for security purposes, and/or for legal obligation.

Right to Access/Disclosure

Requires businesses to inform consumers at or before the point of collection as to the categories of PI to be collected and the purposes for which the PI will be used. Consumers (Data Subjects) have the right to request information about what personal information is collected, how it is processed, for what purposes, and with whom it is shared. Businesses must disclose within 45 days of the verifiable request. Businesses may exercise one 45-day extension when reasonably necessary if they notify the consumer within the first 45-day period. Disclosure includes data covered 12 months before request.

Portability Requirement

The CCPA does not enumerate an explicit right to data portability, in those terms, but if a consumer makes a request, they have the right to receive their information delivered by mail or electronically. If delivered electronically, information must be portable and in a readily usable format and you, the company, must provide the information using secure means to avoid the data subject’s PI from being exposed or stolen.

CPRA

Verification

See Verification under CCPA.

Right to Erasure/Deletion/Correction/Restriction

CPRA modifies the right to delete. Businesses are required to notify third parties to delete any consumer PI bought or received, subject to some exceptions. Also, adds the right to correction. Consumers may request any correction of their PI held by a business if that information isn’t accurate. Adds right to restrict sensitive PI. Consumers may limit the use and disclosure of sensitive PI for certain “secondary” purposes, including prohibiting businesses from disclosing sensitive PI to third parties--though is this subject to exceptions.

Right to Access/Disclosure

The CPRA introduces “access” terminology, which helps distinguish a request for specific information from a general request for categories of personal information. Adds right to access information about automated decision-making. Allows consumers to make access requests seeking meaningful information about the logic involved in the decision making processes and a description of the likely outcome based on that process.

Portability Requirement

Expands right to data portability. Consumers may request that the business transmit specific pieces of PI to another entity, to the extent it is technically feasible for the business to provide the PI in a structured, commonly used and machine-readable format.


Need HIPAA help?

Accountable can help you achieve HIPAA compliance for your company.

Schedule a Call

More Articles