What is a Data Subject Access Request or DSAR?


The UK and EU GDPR state that individuals have the right to access and receive a copy of the personal data and other supplementary information your organisation holds about them, and to learn how you use this data. The request through which they exercise that right is called a Data Subject Access Request (DSAR).

In this article we’re going to cover what you need to know about DSARs to help you be compliant with this part of the data protection regulation.


What is the right of access and why is it important?

The right of access gives individuals the right to:

A. obtain confirmation of whether your organisation is processing any of their personal data, and, if that is the case,

B. receive a copy of their personal data, as well as other supplementary information.

The overall aim of the right of access is to provide individuals with sufficient, transparent and easily accessible information about the processing of their personal data.

This way your customers can be aware of and verify the lawfulness of the processing and the accuracy of the processed data. It also makes it easier, although it is not a precondition, for the individual to exercise other rights such as the right to erasure or rectification.

Who can submit a DSAR and when?

Anyone can submit a DSAR, at any time, for example, customers, employees, contractors, sales prospects and job candidates.

It is also possible to make a DSAR on behalf of someone else, in two cases: (1) acting through a proxy or as a legal guardian on behalf of a minor, or (2) acting through other entities via online portals.

Your organisation may ask questions to verify the data subject’s identity. Where someone acts on another person’s behalf, you are allowed to request supporting evidence of the relationship, such as a birth certificate that names the parents, guardianship paperwork, or power of attorney documentation.


What should be in a DSAR response?

The right of access includes three different components:

1. Confirmation as to whether data about that individual is processed or not,

2. A copy of the personal data you hold about that person, and

3. Additional information on:

the purposes of the processing

the categories of personal data processed

who the personal data is shared with

how long the personal data will be stored

the existence of various data subject rights

the right to lodge a complaint to the local data protection authority, which is the ICO in the UK

information about where the data was collected from

the existence of automated decision-making (such as ‘profiling’) and

the safeguards in place if the personal data is transferred to a third country or international organisation

If you provide this information in your privacy notice, you can include a link to or a copy of your privacy notice.

You only need to provide the data subject’s own personal data; there is no need to share confidential organisation data. Personal data of another data subject, or anything else outside the scope of the DSAR, should not be shared, as doing so would potentially breach the privacy rights of others.


Can I refuse to respond to a DSAR?

Yes, but only in limited situations: when the request is manifestly unfounded or excessive. This is, however, a high threshold to meet, and you must be able to prove that the request is manifestly unfounded or excessive, for example if duplicate requests are sent at the same time.

If you refuse to comply with a request, you must inform the individual of:

the reasons why

their right to make a complaint to the ICO or another supervisory authority, and

their ability to seek to enforce this right through the courts



How long do I have to respond to a DSAR?

The request must be fulfilled as soon as possible and in any event within one calendar month, or 30 calendar days from the day of the request.

This can be extended by two further months where necessary, taking into account the complexity or the number of requests; the individual must then be informed of the reason for the delay.


Can I charge a fee for a DSAR?

Charging fees for data requests is not permitted. Companies are not supposed to profit from DSARs.

However, you can charge a ‘reasonable fee’ for the administrative costs of complying with a request if it is manifestly unfounded or excessive, or if an individual requests further copies of their data. The organisation must be able to demonstrate the manifestly unfounded or excessive character of the request.


Who should respond to a DSAR?

The best person to handle a DSAR is your company’s Data Protection Officer (DPO), as the DPO is familiar with the data flows in the company and the different data protection regulations. Responding to DSARs requires a careful understanding of what personal information you store, where it is located, and why it is processed.

You may have to implement data governance policies to ensure you respond to DSARs appropriately and can defend yourself if your case is ever brought to the attention of the authorities.


Get compliant with Palqee

Staying compliant with constantly changing data privacy laws and regulations around the world can be a challenge, but with Palqee’s specialised counselling and support that will not be a concern, and you will be ahead of your competitors.

Palqee can help you manage your Data Subject Access Requests. Our tools can help you:

Map your data and register your data processing operations so it’s easy to find them whenever you receive a DSAR to respond to

Get instant insights on the status and progress of any Data Subject Access Request (DSAR) and prioritise next steps.

Keep track of how well your company performs on data access requests over time and identify bottlenecks easily.

Our tools are automated to save your company time and budget, and our platform gives you and your collaborators an uncomplicated experience while working through the data privacy programme we offer. Palqee’s platform is user friendly and accessible to everyone; you do not have to be an IT expert to operate it and manage the tasks.

At Palqee we keep it simple: with a guided and jargon-free compliance program we help you increase your efficiency while improving your security and protecting your business. You can book a demo here.
