Data subject access requests for the GDPR

Learn about data subject access requests (DSARs) for the GDPR and individuals’ rights to access their personal data.

Icon depicting a lock near a globe
Last updated:
Read time:
Share this post
Table of contents
⚡ Key takeaways
  • Individuals in a growing number of jurisdictions have a right to privacy as well as a right to access personal data about themselves. 
  • The GDPR requires that companies and organizations subject to it establish a process for receiving and responding to requests from users and customers seeking to know what information about them is kept on file and how it is used.  
  • Companies have a responsibility to take requests seriously or risk hefty fines, business impacts, and reputational risk.

Personal data is precious in Europe, and under the General Data Protection Regulation (GDPR) privacy law, all personal information relating to an individual — even fingerprints — are protected like one-of-a-kind pieces of art.

Since the GDPR was enacted in May 2018, billions of dollars in fines have been levied against companies large and small for breaching privacy and misusing information. Some of the largest targets of GDPR enforcement have been the technology companies Meta and Google, making data protection an equally large business.

What is the GDPR?

The General Data Protection Regulation (GDPR) is a strict set of data privacy laws for businesses that collect data on EU residents. Under the GDPR, businesses are responsible for safeguarding numerous types of personal information, including the customer's IP address, cookie data, home address, and identification number. It was adopted by the EU in 2016 and officially enacted on May 25, 2018.

The GDPR applies to any company that does business in the EU and/or the European Economic Area (EEA) or collects data or information about individuals in those jurisdictions. Each country’s respective data protection authority polices the regulation. The UK also has a similar regulation called the Data Protection Act 2018

The GDPR covers personal data (any information which is related to an identified or identifiable natural person), including but not limited to:

  1. Personally identifiable information (PII), such as names, addresses, contact numbers, or email addresses of users, visitors, customers, or members.
  2. Other personal information, such as political opinions or parties, ethnic origins, sexual orientation, and religious ideologies.
  3. Health data, such as genetic history, name, test results, emails, and audio recordings or physician notes about a patient.
  4. Biometric data, such as fingerprints, facial patterns, voice, or even the typing cadence of users.
  5. Web data, such as IP addresses, browsing activity, names, emails, and credit card information.

The GDPR has served as the model for several other jurisdictional privacy laws, including Japan, Turkey, Brazil, Argentina, South Africa, Kenya, and the UK, and influenced the California Consumer Privacy Act that was approved in early 2018 as well as the more recent privacy laws in 11 other U.S. states to-date.

Punishments and fines for GDPR violations

For general violations, including data security breaches, companies risk being fined up to €20 million, or 4% of the company’s annual profits, whichever is higher. For specific violations, such as those caused by a design flaw or affecting a specific group, such as children, fines can be up to €10 million, or 2% of the company’s annual profits, whichever is higher.

Companies also risk non-financial penalties such as audits, cease-and-desist orders, prosecution, negative news coverage, and reputational risk.

What is a data subject access request (DSAR)?

Under the GDPR, individuals have the right at any time to request that a company share the information that is kept on file about them. A data subject access request (DSAR or SAR) is a request via a physical letter, email or social media, or even an informal verbal solicitation. Anyone over age 16 or as young as 13, depending on country-specific law, can obtain confirmation of digital and physical evidence and even recordings and photographs that captured their protected data. DSARs offer individuals a way to check that their data isn’t being mishandled or misused. It helps companies maintain strict legal compliance and assure their reputation with customers and the public that they are responsible data stewards. 

DSARs made on behalf of others

Data subject access requests can be filed on behalf of others, such as an attorney for a client, a parent or guardian for a child, or a friend on behalf of another. However, the organization or company receiving the DSAR can also request additional proof of the relationship between the requestor and the beneficiary of the information. This can add additional time to the request.

GDPR compliance

The GDPR offers eight rights to a requestor:

  1. The right to be informed.
  2. The right of access.
  3. The right to rectification.
  4. The right to erasure.
  5. The right to restrict processing.
  6. The right to data portability.
  7. The right to object.
  8. Rights related to automated decision making, including profiling.

The GDPR outlines specific methods for companies to be compliant when it comes to public requests for access to information. Starting on the day of receipt of the DSAR, a company has one month — that is, the same date on the next month’s calendar — to respond. No delays are allowed unless the request is complex or accompanied by several other requests from the same individual. Companies also have the right, within reason, to refuse certain requests.

Best practices for handling DSARs 

Set up a form for intake processing

The EU offers a data deletion request template applicable for some companies, but enterprises with a higher volume of requests will want to build out an automated and more robust process. Those with highly sensitive information, such as medical records, may want to build in identity verification (IDV) and two-factor authentication.

Free white paper
See how experts evaluate IDV solutions

Create an internal process

It may be helpful to route all requests via a single channel that your team can monitor to ensure that responses are provided within the one-month mandated timeline. All relevant company staff should be fully trained in the DSAR process so that verbal or misrouted requests are escalated properly.

DSARs should include verification of the requestor in situations where the controller has reasonable doubts concerning the identity of the natural person making the request. The request should be clarified if it is unclear and the requested data should be inspected, properly formatted, and finally, accompanied by clearly articulated rights of the requestor to follow up with further requests, such as deletion or a complaint. Requests and applicable responses should also be cataloged and a quality control process should be implemented. 

Responses may require redaction if they have the potential to include information on other parties or internal information not related to the original request. Companies should be prepared to handle these specialized responses. Likewise, there will be requests that are time consuming, taking into account the complexity and number of requests and even requiring up to two months’ extension. Requests that are “manifestly unfounded” may be rejected or deemed “excessive” for the organization and are therefore eligible for fees to be passed along to the requestor.

Build a streamlined process for data deletion

Like the other DSAR requests, data deletion is also likely to require human intervention at some stage, though automation is possible, such as via guidance that can be sent to requestors to walk them through the manual deletion process. Some companies automate data deletion upon receipt of specific DSARs. 

Handle DSARs for GDPR with Persona

With the size of GDPR fines, remaining compliant with regulatory directives is a top priority that organizations can sometimes struggle to balance against revenue-driving initiatives. Persona puts regulations, responsiveness, and reputation first so you can focus on your core mission and strengths. 

Our Cases product can be fully customized to serve as the central dashboard for your team to track, sort, and escalate complex DSAR requests to ensure that your organization responds within the mandatory guidelines of the GDPR. 

With our Verifications solution, you can quickly and easily complete initial verification or IDV reviews when requests involve sensitive information. You can also verify the relationship of a requestor to the end user for subject access requests, only gathering the minimum amount of data required under GDPR to comply with data minimization requirements. Our variety of reports allows you to build out a fuller picture of your requestors if required via various database queries. Via the Persona dashboard, you can quickly delete any information that is no longer needed once the verification is complete.

If you use Persona as the repository for your users’ personal information, you may also use our deletion features to comply with a deletion request and provide a report back to the requestor.

All of this can be done with assurance that data continues to remain safe and secure and even deleted as per the GDPR. Interested in learning more? Start for free or get a demo today.

Published on:

Frequently asked questions

Who can make a data subject access request (DSAR)?

Anyone can file a DSAR (or SAR) relating to their own personal data if they have a need or desire to determine if their information has been captured and/or retained by an organization — no reason needs to be provided with the request. Individuals can also submit requests on behalf of others for whom they are authorized to do so.

How is a DSAR submitted?

A DSAR can be filed in various manners, including in writing, either electronically or physically, as well as over social media, and even via a conversation with an employee. The request does not have to formally state that it is a DSAR. For example, an individual can simply ask to understand how or why a company is using their information. However, the more formal the request, the better it can be tracked by both parties.

What is the time frame to respond to a DSAR?

The GDPR mandates that individuals receive a response to their DSAR within a month to the day of the original request. In other words, if a request is submitted on March 5, that is considered Day 1; a response should be in the hands or inbox of the requestor by April 5. If a company receives an especially complex or batched request, they are allowed an extension of up to two additional months.

Continue reading

Continue reading

Minimizing referral fraud while growing your online marketplace
Minimizing referral fraud while growing your online marketplace

Minimizing referral fraud while growing your online marketplace

Learn about common referral fraud schemes and how they can impact your marketplace. Discover strategies for protecting your buyers, sellers, and business.

From fraud to fairness: Leveraging KYC and age verification for online gaming
From fraud to fairness: Leveraging KYC and age verification for online gaming

From fraud to fairness: Leveraging KYC and age verification for online gaming

KYC can help keep online gamers of all ages safe and reduce fraud. Learn how KYC and age verification can benefit your gaming platform.

How to fight ID fraud in a world of generative AI
How to fight ID fraud in a world of generative AI

How to fight ID fraud in a world of generative AI

Learn how generative AI is changing the game when it comes to fake IDs and what you should be mindful of when enhancing your fraud strategy.

Top GDPR statistics businesses must know

Top GDPR statistics businesses must know

GDPR is one of the most extensive regulations governing data collection. Learn who it affects, the types of data it covers, and more.

A safe place for all your PII

A safe place for all your PII

PII storage to suit all your compliance needs, enabled by Accounts.

New age of data privacy regulation: How businesses can prepare

New age of data privacy regulation: How businesses can prepare

It’s only a matter of time before new data privacy regulation is passed, so it’s pertinent that businesses prepare before it’s too late.

Ready to get started?

Get in touch or start exploring Persona today.