In this article, we\u2019ll explain what DSARs are, how to prepare to receive and respond to them compliantly, and how to proceed whenever your business receives one.<\/p>\n\n\n
What is a data subject access request (DSAR)?<\/h2>\n\n\n
A DSAR is a request from a member of the public, often a company\u2019s users or customers, but depending on the regulatory jurisdiction, can include business partners or employees, among others \u2014 regarding the personal data that a company has collected about them.<\/p>\n
This can be a request to see specific categories of information collected, or all of it, within a specified time frame. Data collected in the last 12 months is a common parameter. As this is a consumer privacy right conferred by regulation, companies are required to respond within a set time frame, or to notify the person making the request if they are unable to respond within the prescribed time period.<\/p>\n
Consumers can make requests beyond just seeing their data, however. They can request that the company stop collecting and processing their data and delete what they have. They can request information about the company\u2019s use of automated decision-making. They can often ask for a portable copy of their data that they can use elsewhere, possibly with a competitor\u2019s product or service.<\/p>\n\n
Opt-in and opt-out consent models<\/h3>\n
The right to submit a DSAR is included in modern and comprehensive privacy laws passed to date, including laws that use both opt-in and opt-out models for obtaining consumer consent.<\/p>\n
Opt-in consent requires you to obtain explicit consent before collecting consumers\u2019 personal information. It\u2019s the more common consent model and the one used in regulations like the European Union\u2019s General Data Protection Regulation (GDPR)<\/a>, which has been influential around the world.<\/p>\n Opt-out models only require consumer consent in some cases, but require data subjects (mainly consumers) to be able to opt out of data collection and processing at any time. Consent does need to be obtained in advance in some cases, depending on the law, e.g. if personal data is categorized as sensitive or belongs to known children, or in some cases if it is to be sold or shared. Though under the California Consumer Privacy Act (CCPA)<\/a> consumers only have to be able to opt out of sale, sharing, targeted advertising, or profiling. The Digital Markets Act (DMA)<\/a> bans targeted advertising without consent.<\/p>\n Learn more:<\/strong> Review our explanation of how U.S. data privacy regulations vary state by state<\/a>.<\/p>\n The terms data subject request (DSR) and data subject access request (DSAR) are commonly used interchangeably, as we have largely done in this article. However, you may see the terms used to refer to slightly different things.<\/p>\n DSRs can be used to describe a broader category that includes any request a person might make to exercise their rights regarding their personal data held by an organization.<\/p>\n DSARs, on the other hand, more often specifically refer to requests to access the personal data an organization holds about someone. As noted, however, there are various ways a consumer can request access to their data, and then request what is done with it. As such, a DSAR can be seen as a kind of DSR.<\/p>\n \u00a0<\/p>\n Organizations can receive DSARs from a variety of sources. They can be submitted by:<\/p>\n As long as the requester can prove their identity and legal right to make the request, a company is required to release whatever personal data is held about the individual subject. Companies must provide a reasonable mechanism to enable people to verify their identities when making a request. However, they can also deny a request if the requester\u2019s identity cannot be reasonably verified.<\/p>\n Each law specifies a time frame for both the data included and the response to such requests. For example, under the CCPA, a data subject can request data collected about them in the preceding 12 months. A person can\u2019t, for example, demand data going back 10 years. Commonly, a person also can\u2019t make more than one DSAR per calendar year. If they do, the company can either charge them a reasonable fee to fulfill it, or deny the request.<\/p>\n Under various regulations, companies typically have a specified amount of time to respond to DSARs. Under the CCPA, it\u2019s 45 days, with the possibility of an extension for special circumstances. If a company cannot fulfill a request within the prescribed 45 days, it has to notify the requester with a reason before that 45-day period ends. Typically the extension is only for another period of the same amount of time, e.g. another 45 days.<\/p>\n\n\n Read next: Data privacy regulation in 2024: what we\u2019re watching<\/a><\/p>\n<\/div><\/div>\n\n\n Companies are required to make it relatively easy for consumers to submit a DSAR. Here are a few ways to make the process user-friendly and compliant:<\/p>\n Companies need to be familiar with the privacy laws relevant to them. As noted, the CCPA allows 45 days for a DSAR response, though under the GDPR they are expected to respond within one month. The phrase \u201cwithout undue delay\u201d comes up regularly in regulations and should be followed as closely as possible.<\/p>\n As privacy laws generally apply to residents of a particular jurisdiction, e.g. California or the EU, companies may need to comply with multiple privacy laws, or laws for regions where the company is not physically located, as it only matters if their customers are there and those people\u2019s data is being processed.<\/p>\n After receiving a DSAR and verifying the requester’s identity, a company has to respond by supplying the requested data or otherwise acting on the request, like making corrections or deleting it. Or the company must provide a specific reason why more time is needed to fulfill the request, e.g. they have a high volume of requests.<\/p>\n Under the GDPR, for example, companies can extend their deadline by 60 days if it proves challenging to track down all the necessary information, but this must be clearly explained in their initial response, which must be sent within the initial 60 days.<\/p>\n Companies can\u2019t ask for repeated extensions before supplying the requested data. If a company takes too long to respond to a request, it is a type of violation and risks fines, penalties, and reputational damage.<\/p>\n\n DSAR responses must include the personal information of the subject requesting it, which has been collected\/processed in the prescribed time frame, e.g. the last 12 months. This is for access or portability requests. For other requests, the company needs to confirm fulfillment, e.g. corrections or deletion. A company is not required to provide:<\/p>\n In other words, the DSAR is always for only an individual\u2019s personal data (or the person they legally represent), as defined by applicable regulations, e.g. addresses, browser activities, dates of birth, medical records, credit ratings, etc.<\/p>\n Anything that can identify an individual alone or combined with other data points could count as personal data. However, the definition of personal data<\/a> varies depending on the law.<\/p>\n Regulations can also delineate between personal data and personally identifiable data, or specify what is considered sensitive personal data, and definitions can be different across laws.<\/p>\n Some laws provide specific examples of types of such data, but others are more general. Companies can redact data in supplied documentation if it\u2019s not relevant or not legal to supply it, for instance, if it references another person\u2019s personal information.<\/p>\n\n There are only two legal grounds for refusing a DSAR: if the request is excessive, or if it\u2019s manifestly unfounded. Excessive does not mean onerous or large in scale. Rather, it means that the request overlaps with another request(s) and is therefore resource-intensive without providing the requester with any additional information.<\/p>\n For example, requesting personal data from a local library every month could be deemed excessive. Under some laws, a person requesting their data from a company more than once in 12 months is not allowed for this reason. Companies can still choose to fulfill excessive requests, but under some laws can charge a reasonable fee to do so.<\/p>\n However, this frequency may not be deemed excessive for large ecommerce platforms, where data changes regularly. Always err on the side of compliance and stay familiar with relevant privacy laws. Large platforms likely have automated processes for DSARs, so there would be less manual work involved, potentially, than at the local library.<\/p>\n \u201cManifestly unfounded\u201d can be harder to prove. This would apply if a company doesn\u2019t hold any data on the subject, or the data is all very old and does not fall within the required time frame, so the DSAR is in error.<\/p>\n Or if the person is specifically requesting data that the company is not permitted to release\u2014such as the medical records of a relative they do not have custodial responsibility for, or a request to delete data a company is legally required to retain\u2014a company could also argue that the request is unfounded. A request for which the individual can\u2019t be reasonably verified could also fall under this category.<\/p>\n Companies can\u2019t break one part of the law to comply with another, so this is an area where it\u2019s recommended to consult legal counsel.<\/p>\n\n\nDSRs vs DSARs<\/h3>\n
![\"Infographic](\"https:\/\/usercentrics.com\/wp-content\/uploads\/sites\/7\/2024\/05\/uc_blog_DSAR-infographic.svg\")
<\/a><\/p>\n\n\nWho can submit data subject access requests?<\/h2>\n\n\n
\n
How do DSARs take place?<\/h2>\n\n\n
\n
How can a DSAR be submitted?<\/h3>\n
\n
When and how does a company have to respond to a DSAR?<\/h2>\n\n\n
What does not have to be included in a DSAR response?<\/h3>\n
\n
Grounds for refusing a DSAR<\/h3>\n
What is the process for fulfilling a DSAR?<\/h2>\n\n\n
![\"DSAR](\"https:\/\/usercentrics.com\/wp-content\/uploads\/sites\/7\/2021\/08\/DSR-Admin-Usercentrics.png\")
<\/p>\n\n