Alessandra NisticoThere is a moment in every company when an email is received from a data subject asking for access to personal data. This happens because one of the aims of the European Union General Data Protection Regulation EU GDPR is to make individuals aware of their data and to give them the capability to protect their rights.
- Record the DSAR
- Identify the data subject
- Contact the relevant department
- Verify if any exception applies
- Prepare the response
Learning how to deal with a data subject access request is crucial to remain compliant with the GDPR.
What is a data subject access request in the GDPR?
A data subject access request (DSAR) is a request from a data subject for access to personal data processed by the controller in order to exercise one of the data subject rights listed in articles 15-22 of the GDPR.
Article 15 of the GDPR defines the Right of Access as follows: “The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data.” The purpose of the article is to allow the data subject to be aware of and verify the lawfulness of processing.
How long does a company have to process a data subject access request?
Once the DSAR is received, the controller needs to schedule operations in order to reply. The GDPR does not prescribe a fixed term, requiring that the request is handled without undue delay and in any event within one month of receipt of the request (Article 12). That period may be extended by two additional months where necessary, taking into account the complexity and number of requests.
This is because the time required to respond to a DSAR may vary depending on the size and the complexity of the organisation and, of course, the request. Is the data subject an old client of a law firm that stores information about all his/her legal actions of the past 10 years in paper-based and electronic formats? Is the data subject a patient of a hospital? Or is the data subject a subscriber to the newsletter of an online course? Each of these DSARs would require different amounts of time to comply.
How to handle the GDPR data subject access request
After the scheduling process for responding to a DSAR, we should see how to correctly handle it. In fact, we need to harmonise the DSAR response with all of the data protection processes of our organisation. We must be sure that the data subject is the person who has the right to access the data, or, if the request is made on behalf of another individual, that he/she has the power to present such request. We also need to verify that the request is handled by staff who can have access to those data, so a DSAR handling process is highly recommended as an organisational security measure and an accountability tracking system.
1) Record the DSAR: From an accountability perspective, when you receive a DSAR, you should record it. It may happen that the data subject presents his/her request orally (i.e., in person or by telephone); in such a case, the controller must invite the data subject to present the DSAR in the prescribed form and add an identity document in order to identify the data subject (Article 12 of the GDPR).
2) Identify the data subject: If the data subject cannot be identified, the controller must demonstrate its inability to identify the data subject and close the DSAR with a negative response. Once the data subject is identified, the request can be processed, and the one-month timeframe must begin.
3) Contact the relevant department: A data disclosure form can be transmitted to the relevant department of your organisation. Does it come from a customer? If so, customer service will handle it. Is the DSAR from an employee? If so, the HR department will be able to access the data and handle it. You should determine a period in which the data disclosure request must be completed by the department in order to respect the one-month term for replying to the data subject. The department must transmit back the data disclosure form with all personal information stored and, if the organisation has a Data Protection Officer, the DPO must be involved.
4) Verify if any exception applies: Article 12 of the GDPR requires that the right of access is granted to the data subject free of charge. However, this can be an expensive and time-consuming activity for any organisation, so the GDPR states also that if the requests are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:
- charge a fee (it must be reasonable considering the costs for providing the information or taking the action requested by the data subject), or
- refuse to act on the request.
Please note that the controller must demonstrate the reasons why any action was taken (i.e., the request is absurd or repetitive). This is a precaution to avoid data subjects abusing their rights presenting repetitive DSARs. Registering the DSAR helps controllers to give evidence of the repetitive aspect of the request. All the procedures of collecting personal data and verifying the condition of disclosure happen inside the organisation, within the 30-day timeframe.
5) Prepare the response: Once all personal data are collected and verified, it is time to reply to the data subject.
How to reply to a data subject access request
There are two kinds of answers to be provided: positive or negative. It depends on the specific situation.
A negative answer will be given when the data subject cannot be identified, when the request involves personal data of a third party, or if the GDPR allows the controller to refuse access. Often, a DSAR demands not only that the controller provide access, but that the controller take some action on the personal data processed, on the basis of other data subject rights (such as modification, erasure, opposition, limitation of processing, etc.).
When another right is exercised by the data subject, the controller must verify that the conditions for access and the exercise of other rights both apply. For example, Article 17 of the GDPR states that the controller must not accept a request of erasure from the data subject if the data are needed to exercise the right to freedom of expression, or to comply with a legal requirement, or for reasons of public interest, for archiving purposes, or for the establishment, exercise or defence of legal claims.
The presence of exemptions is one of the reasons why a DSAR should always be processed by the DPO (if the company has one) or by the person in charge of GDPR compliance. If there is not an exemption, the reply will be positive and the controller will inform the data subject about the personal data processed, the reasons for processing, the means of processing, the data retention period, if data transfer is involved, whether an automated decision-making process is involved, and the right to lodge a complaint with the Supervisory Authority.
The response, whether positive or negative, should be forwarded to the data subject through secure means respecting data privacy, and recorded in the company systems in order to be able to demonstrate the compliance of the controller with the obligations contained in the GDPR (respect of the accountability principle). If the data subject demanded that action be taken on their personal data (i.e., erasure), the controller will confirm to the data subject that the personal data has been deleted.
Use data subject access requests as a tool to increase the company’s reputation
We have seen how handling a data subject access request may be challenging and time consuming; however, implementing a procedure that is compliant with GDPR requirements can save time for your organisation, and help you avoid the risks of infringing data subject rights (or of being exposed to an abusive exercise of rights).
To help you better understand how to deal with data subject access requests, download this free EU GDPR Data Subject Access Request Flowchart.