A Data Subject Access Request (DSAR), or Subject Access Request (SAR), is the means by which a data subject exercises a right granted to them. Through it, they can request to know what personal data an organisation or data controller holds on them, how it is processed, with whom it is shared and the period for which it will be stored. A data subject can place their request before the entity, i.e. the organisation, that collects, processes or stores personal information. The DSAR emanates from the rights granted under various global laws such as GDPR, CCPA and LGPD.

Key Definitions

Data Subject is any individual person who can be identified, directly or indirectly, via an identifier such as a name, an ID number, location data, or via factors specific to the person’s physical, physiological, genetic, mental, economic, cultural or social identity. In other words, a data subject is an end user whose personal data can be collected.

Data controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

What are the rights provided to an individual under Data Protection laws such as GDPR, CCPA and LGPD?

Under GDPR

  • Right of access / Right to know
  • Right to Rectification / Right to correction of incomplete, inaccurate or out-of-date data
  • Right to Erasure / Right to be Forgotten
  • Right to Restriction of Processing
  • Right to data portability
  • Right to object to automated individual decision-making, including profiling

Under CCPA

  • Right to delete
  • Right to opt-out of the sale of their personal information
  • Right to non-discrimination
  • Right to confirmation of the existence of the processing

Under LGPD

  • Anonymization, blocking or deletion of unnecessary or excessive data or data processed in noncompliance
  • Portability of the data to another service provider or product provider
  • Deletion of personal data processed with the consent of the data subject
  • Information about public and private entities with which the controller has shared data
  • Information about the possibility of denying consent and the consequences of such denial
  • Revocation of consent

Who can submit a DSAR?

A DSAR can be submitted by any natural person whose personal data has been processed by the organisation. This includes customers, employees, contractors, and suppliers. Individuals can also authorise someone else to submit a request on their behalf. Thus, a parent, a legal representative, a relative, a friend or a guardian can also submit a DSAR on behalf of an individual whose personal data has been processed by the organisation or data controller.

How to access DSAR?

A DSAR can be submitted through the company's website or through forms the company makes available online or offline on request. Other acceptable methods for submitting these requests include, but are not limited to, a designated email address, a form submitted in person, and a form submitted through the mail. Under CCPA, organisations are also required to maintain a toll-free number as a method for submitting requests. A fee can be charged for the DSAR if the request is manifestly unfounded or excessive. The organisation is obligated to recognise the request and respond in a timely manner. The company should devise a proper channel for the submission of DSARs.

EU, Brazil and US – Key differences?

| | GDPR | CCPA | LGPD |
|---|---|---|---|
| Name | Data Subject Access Requests (DSAR) | Verifiable Consumer Request (VCR) | Data Subject Access Requests (DSAR) |
| Employees | Includes Employees | Does not include employees | Includes Employees |
| Time Period | Data controllers must respond to a DSAR without undue delay and within one month (30 days) of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. | The business can respond to a VCR within 45 days. The time period to provide the required information may be extended once by an additional 45 days when reasonably necessary. | The requested details should be provided to the data subject within fifteen days from the date of their request. |
| Application | The right applies to all the personal data collected and processed about the data subject making the request. | The right applies only to personal information collected in the preceding 12 months to the request. | The right applies to all the personal data collected and processed about the data subject making the request. |
| Refusal | Data controllers can refuse to act on a request when it is manifestly unfounded, excessive or has a repetitive character. | Under the CCPA the request can be refused if manifestly unfounded, excessive or has a repetitive character. Along with this, businesses are not required to provide access to personal information more than twice in 12 months. | The request can be refused in which this action is proven impossible or involves disproportionate effort, indicating the reasons of fact or of law that prevent the immediate adoption of the measure. |

Data subject rights make up one of the most important aspects of data protection. These rights should be accessible and completed within a given time frame through effective implementation of appropriate policies, procedures and controls. With our privacy programs, we can help you incorporate a stringent, practical and flexible compliance program for your organization. Read more about compliance under different privacy programs as per the regional data protection laws in the USA, GCC, India and EU.
