Introduction to DSAR

The Data Subject Access Request (DSAR) forms a critical part of various data privacy regulations worldwide, including the General Data Protection Regulation (GDPR) in Europe, and the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) in the U.S.

Introduced in 2018, the DSAR under GDPR was designed to give individuals control over their personal data. One of the eight rights provided by GDPR, the right of access permits individuals to obtain information about the data that an organization holds about them, including details about its usage, reasons for data collection, and more.

This right has been expanded under GDPR and other privacy laws to include new mandatory information categories that organizations must provide. Furthermore, these regulations have simplified the process for individuals to make such requests and access their data.

Deciphering the Data Subject Access Request

DSARs are essentially requests made by individuals to organizations for information regarding their personal data. They enable individuals to exercise their right to know about the lawful processing of their data at reasonable intervals. Organizations are mandated to reveal the purpose behind the processing of personal data, amongst other things, under GDPR, CCPA/CPRA, and other similar laws.

Responsibilities of the Company/Organization

Upon receiving a DSAR, organizations are obligated to confirm that personal data is being processed, provide a copy of it, and supply additional information such as:

  • The purpose of data processing
  • If data is shared with third parties, who they are
  • The categories of data being processed
  • Data source (if not collected from the individual)
  • The data retention period
  • Information about automated decision-making and profiling
  • The individual’s rights under respective privacy laws like GDPR, CCPA, CPRA, etc.

Who can File a DSAR?

Any individual whose personal data is being processed by an organization can file a DSAR, regardless of their relationship with the organization, whether as an employee, customer, partner, or contractor. A DSAR can also be filed on behalf of another individual, provided the person filing has the necessary authorization.

Process of Submitting a DSAR

DSARs can be submitted in writing or verbally, such as over the phone or by filling out an online form. The request can come through any channel and need not specifically mention the GDPR, CCPA, CPRA, or any other specific right or regulation. The organization is obligated to recognize and promptly respond to such requests.

A submission form may look like this:

Identity Verification

Under privacy laws such as GDPR, CCPA, CPRA, and others, organizations are to take reasonable measures to confirm the identity of the individual making the request. Importantly, excessive information should not be demanded during this process.

Company Response

Companies should have a designated person to oversee compliance with DSAR processes. Automation can aid in the efficient management of DSARs, especially for smaller teams.

Responding to DSARs: Timelines and Fees

DSAR responses should be provided within one month from the receipt of the request. Charging a fee for a DSAR is generally not permissible, except in cases of unfounded or excessive requests. Any fees charged should cover administrative costs only.

Refusal to Respond to DSARs

Organizations may refuse to respond to a DSAR if the request is deemed manifestly unfounded or excessive. Such decisions must be defensible to the supervisory authority.

Automating DSARs for Compliance

DSARs are just one of the rights conferred by privacy regulations like the GDPR, CCPA, CPRA, and others. As compliance, reputation, and customer transparency are major drivers for fulfilling DSARs, many organizations invest in privacy tools to manage DSARs, thereby ensuring transparency and compliance.

The Role of PieEye

PieEye serves as a leading solution for managing data subject rights. It automates the DSAR process, providing a centralized hub for overseeing requests and supplying necessary information for managing data subject requests within specified deadlines. This automation enhances transparency and compliance, providing organizations with a clearer insight into the preferences and requirements of data subjects.


About the Author: Marc Parrish

Marc Parrish, Founder and CEO of PieEye INC., is a seasoned marketing expert with a rich history in the industry. Holding an MBA from UCLA and a background in Mechanical Engineering from the University of Michigan, Marc's expertise spans interactive marketing to product marketing. Based in San Francisco, his insights into the digital transformation of the U.S. retail sector are deeply informed by his vast experience and passion for various social causes.
