What is a Data Subject Access Request? New Privacy Laws
As data protection and personal privacy legislation such as the EU’s General Data Protection Regulation (GDPR) and the California Privacy Rights Act (CCPA) continues to be enacted in countries around the world, many businesses and organizations are now required to provide consumers with access to the personal data they have collected from said consumers. This being said, Data Subject Access Requests (DSAR) are the primary means by which a business can both maintain transparency with the customers they serve, as well as adhere to the responsibilities that said businesses may have under applicable data privacy laws. To this point, the obligations that businesses have as it pertains to DSARs will undoubtedly be varied.
To illustrate this point further, the EU’s GDPR law explains the rights of data subjects to access their personal data in accordance with DSARs by stating that “a data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing.” Alternatively, California’s CCPA states the following in relation to DSARs “it is the intent of the Legislature to further Californians’ right to privacy by giving consumers an effective way to control their personal information, by ensuring the following rights: […] (4) The right of Californians to access their personal information.”
What information must be included in a DSAR?
Irrespective of any data privacy or protection laws that have been passed in a jurisdiction where a business or organization serves prospective customers, the vast majority of DSARs will provide said customers with certain forms of basic information. Likewise, common forms of information that can be provided to customers via a DSAR include but are not limited to:
- The lawful basis that supports the processing of a customer’s personal information.
- Confirmation that a business has processed a customer’s personal information.
- The steps that a customer must follow in order to access their personal information.
- The period of time under which a customer’s personal information will be retained by a business.
- Relevant information regarding online profiling and automated decision-making.
- Relevant information about the manner or circumstances under which a customer’s data was collected.
- The names of any third parties that a business has shared a customer’s personal information with.
Who is permitted to submit a DSAR to a business?
While DSARs are associated with a customer asking a business to provide them with further information with respect to the data collection and processing practices of the business in conjunction with a data privacy law, DSARs can also be requested under other circumstances. For instance, employees, contractors, and job candidates that submitted their personal data to an organization can also submit a DSAR to access said information. Moreover, an individual may also be permitted to submit a DSAR on behalf of another person, such as a parent or guardian that requests information in relation to one of their children, as well as a data subject that may request assistance from a friend or family member.
When can a business deny a DSAR?
On the other hand, businesses and organizations also retain the right to deny a DSAR under certain conditions. Most notably, an individual that submits a DSAR to a business must exercise their rights appropriately, as a business is not obligated to comply with such a request if a customer intends to use the information they are provided to slander or make unfounded claims about the business or organization. In addition to this, businesses and organizations are also not responsible for replying to a customer that makes excessive requests to access their personal information, such as a customer that makes repeated requests without giving a business enough time to respond to their initial request.
How quickly do businesses have to respond to a DSAR?
While the time period under which a business or organization must respond to a DSAR will be contingent upon the privacy laws that exist within a particular country, as well as the type of industry in which the business operates, businesses are generally advised to respond to such requests as soon as reasonably practicable, but no later than a month after receipt of a DSAR. For example, a business that serves customers within EU member states that fall under the jurisdiction of the GDPR is required to respond to a DSAR within one month, lest they be subject to monetary fines and regulatory punishments.
While Data Subject Acess Requests are by no means a new phenomenon, they have unquestionably become more frequent as businesses and organizations collect a wide range of personal data from their customers on a daily basis. As these businesses and organizations have a duty to protect this information, giving customers the opportunity to access any information a business has collected, processed, or stored relating to said customers is advantageous for all parties involved. In this way, businesses and organizations can hold themselves accountable in terms of their data collection activities and practices.