Your Guide to Managing Data Subject Access Requests

A DSAR (Data Subject Access Request) is the request an individual makes to exercise one of the rights that the General Data Protection Regulation (GDPR) grants to data subjects.

  1. A data subject is any identified or identifiable natural person whose personal data is collected, shared or processed.
  2. A data controller is the company, organization or other party that determines the purposes and means of processing that personal data (Art. 4(7) GDPR). A processor that handles the data on the controller's behalf is a separate role and does not answer DSARs in its own right.

The GDPR protects data subjects who are in the European Union (and the wider EEA), whatever their nationality or place of residence, whenever their data is processed by a controller or processor established in the EU, or by one outside the EU that offers goods or services to, or monitors the behaviour of, people in the EU (Art. 3 GDPR).

Recital 63 of the GDPR states:

“A data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing.”

  1. Reasons to have a DSAR process

A data subject may use a DSAR to:
  1. confirm whether your organization/business processes their personal data at all;
  2. obtain a copy of the personal data you hold about them;
  3. learn the purposes of the processing and the lawful basis it relies on;
  4. learn how long the data will be stored, or the criteria used to decide that period;
  5. learn where the data came from, if it was not collected from them directly;
  6. learn whether automated decision-making, including profiling, is applied to their data, and the logic and consequences involved;
  7. learn the recipients, or categories of recipients, including third parties, with whom their personal data is shared.

This isn’t an exhaustive list; a data subject can submit a DSAR to the data controller at any time and without giving a reason. The controller may ask for additional information only where it has reasonable doubts about the requester’s identity (Art. 12(6)), and, where it processes a large quantity of information about the person, may ask them to specify which information or processing activities the request relates to (Recital 63). It may not demand a reason for the request.

  2. Principles for DSAR

The GDPR as a whole rests on the principles laid down in Article 5, and it is the data controller’s responsibility to process personal data in accordance with them:
  Lawfulness, fairness and transparency
  Purpose limitation
  Data minimisation
  Accuracy
  Storage limitation
  Integrity and confidentiality
  Accountability

The DSAR itself rests on the rights granted to data subjects in Chapter III of the GDPR:

  Art. 15 – Right of access: the data subject may obtain confirmation that their personal data is being processed, access to that data, and the accompanying information listed above (purposes, categories, recipients, retention period, source, automated decision-making).
  Art. 16 – Right to rectification: inaccurate personal data must be corrected, and incomplete data completed, without undue delay.
  Art. 17 – Right to erasure (“right to be forgotten”): personal data must be erased without undue delay where one of the grounds in Art. 17(1) applies.
  Art. 18 – Right to restriction of processing: the data subject may require the controller to restrict processing of their personal data in the circumstances set out in Art. 18(1).
  Art. 20 – Right to data portability: the data subject may receive the personal data they provided in a structured, commonly used and machine-readable format, and have it transmitted to another controller where technically feasible.
  Art. 21 – Right to object: the data subject may object to processing of their personal data, including for direct marketing, on grounds relating to their particular situation.
  Art. 22 – Automated individual decision-making: the data subject has the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects on them.
  3. Steps to perform as a Data Controller

  1. Verify the data subject’s identity and record the DSAR in your tracking system, with the date of receipt. Verification should be proportionate: ask only for what is needed to remove reasonable doubt, and do not collect extra personal data just to answer the request.
  2. Locate, collect and categorize the personal data you hold about the requester across all systems, including backups, logs and data held by processors on your behalf.
  3. Review the request to understand exactly what is being asked for. The GDPR requires a response without undue delay and in any event within one month of receipt (Art. 12(3)); that period may be extended by two further months where the request is complex or numerous, provided the data subject is told of the extension and the reasons for it within the first month.
  4. Assemble the response so that it contains all of the requester’s personal data together with the supplementary information required by Art. 15(1). Recital 63 encourages, where possible, remote access to a secure system through which the data subject can view their data directly.
  5. Deliver the response securely, for example over an encrypted channel or a portal that the verified requester authenticates to, and confirm it goes only to the verified contact address. A DSAR response sent to the wrong person is itself a personal data breach, with the associated cost, regulatory exposure and loss of user trust.
  6. Once the preceding steps are complete, send the response to the data subject and record the date it was sent.
  7. Close by reminding the data subject of their other rights (rectification, erasure, restriction, objection, and the right to lodge a complaint with a supervisory authority), which Art. 15(1)(e)–(f) requires to be included; a few lines at the end of the response are enough.