A data subject access request (DSAR) is a request made by an individual to an organization for a copy of their personal data and related information. It is the practical exercise of the individual's "right of access" set out in the General Data Protection Regulation (GDPR). A request may be made in writing or verbally, through any channel the organization can verify, and may also be made by a third party acting on the individual's behalf. Unless a valid exemption or restriction applies, or the request is manifestly unfounded or excessive, the organization must provide the requested information within the prescribed timeframe in order to remain compliant with the GDPR.
The purpose of a DSAR, in most cases, is to satisfy an individual's right to access their personal data. Individuals file requests for many specific reasons, but the underlying aim is transparency: a way of understanding and keeping track of how, and for what purposes, an organization is using their information. The request can be made in any terms; individuals are not required to use particular wording or cite the regulation, as long as it is clearly a request for their personal data. Where a DSAR is made by a third party on an individual's behalf, it is the third party's responsibility to demonstrate their authority to act, and the organization should be satisfied with that evidence before disclosing any personal data, since releasing it to an unauthorized party would itself be a breach. Children also have the right to request a copy of their data, and an organization may respond to them directly if it has reason to believe they are mature enough to understand their rights.
An organization should always be prepared to respond to a lawful and reasonable DSAR in a timely manner, typically within one month of receiving the request. An extension may be permitted where a request is complex or where the individual has made numerous requests. If a DSAR is unclear, the organization may ask the individual to clarify it and is not obliged to provide information until that clarification is received. The organization can, and should, ask the requester for proof of identity when it receives a DSAR, and the disclosure itself should be handled with the same security controls the organization applies to personal data generally, so that the access right does not become a route for someone else to obtain the individual's data. Data may be supplied in whatever format the requester prefers, provided it can be delivered securely, and the organization should confirm the requester's preference when the request is received.
An organization may refuse, or partially refuse, to comply with a DSAR where a legal restriction applies. Grounds for refusal can include the prevention of criminal liability, the preservation of confidentiality, and a number of other regulatory exemptions detailed in the GDPR. If an organization has a legitimate reason to withhold personal data in response to a DSAR, it must inform the individual of the specific exemption relied upon, as well as of their right to lodge a complaint or seek legal recourse. Organizations should consult all relevant legal resources on exemptions and restrictions before responding to a request.