What is a DSAR? How do you practically handle DSAR requests under the main privacy laws?
In this post we explain all you need to know about Data Subject Access Request (DSAR)!
Article 15 of the GDPR grants users the Right to Access:
The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data.
In other words, users can ask you to access the data you’ve collected about them and request information about the processing of this data, to make sure it’s carried out lawfully.
A DSAR is the request that users send to exercise their right to access.
Let’s have a look at how to handle DSAR requests under the main privacy laws.
Under the GDPR, the reply to a Data Subject Access Request should include:
The organization must provide the person making the request with a copy of their personal data free of charge.
The request should be fulfilled without undue delay and, at the latest, within one month of receiving it.
The new California Privacy Rights Act (the amendment to the CCPA) also grants users the right to access.
The reply to the request should include:
An organization must fulfil a DSAR request at no cost to the consumer, within 45 days of receiving a verifiable request. If necessary, you can extend this period (only once) by a further 45 days, but you must inform the consumer of this.
The Brazilian Lei Geral de Proteção de Dados Pessoais (LGPD) grants users the same right to access.
Users should have easy access to any information about the processing of their personal data, free of charge.
It’s important to handle a Data Subject Access Request within the time frame that your law of reference has identified.
To fulfill the request more quickly, the first step is to map all the data you’re collecting and processing. Once you’ve done that, it’s easier to send a response to users by following these 4 steps:
There are online tools that can help you keep track of your data collection and processing activities.
For example, our Data Subject Rights Management Tool simplifies handling privacy rights requests in compliance with global regulations like GDPR. Establish a dedicated channel for receiving data subject requests and manage them from a centralized, intuitive platform. This tool provides a comprehensive solution that simplifies the entire process from request intake to fulfilment, minimizing manual effort through automated data retrieval.