Updated 8 November 2018. This blog was originally published before the GDPR took effect in May 2018.
The EU’s GDPR (General Data Protection Regulation) gives data subjects the right to access their personal data from data controllers that are processing it and “to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing”.
Controllers must respond to these access requests within a month of receiving them.
This blog explains how to write a GDPR-compliant DSAR (data subject access request) procedure to ensure you meet your obligations as a data controller.
What is a data subject access request?
Article 15 of the GDPR states that data controllers must confirm to data subjects whether their personal data is being processed, and, where it is, provide them with a copy of that personal data (providing it does not adversely affect the rights and freedoms of others).
They must also provide the following information:
- The purposes of the processing.
- The categories of personal data involved.
- The recipients (or categories of recipients) to whom the personal data has been or will be disclosed.
- The envisaged period for which the personal data will be stored (or, if this is not possible, the criteria used to determine that period).
- The existence of the right to request that the controller rectify or erase the personal data or restrict processing, or to object to processing.
- The right to lodge a complaint with a supervisory authority.
- Where the personal data has not been collected direct from the data subject, any available information about its source.
- The existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and the envisaged consequences for the data subject of such processing.
It’s therefore essential to establish a procedure for responding to DSARs.
Data subject access request procedures under the GDPR
Your DSAR procedure should ensure you are able to meet the following requirements:
- In most circumstances, the information requested must be provided free of charge.
- Organisations are permitted to charge a “reasonable fee” when a request is manifestly unfounded, excessive or repetitive. This fee must be based on the administrative cost of providing the information.
- Information must be provided without delay and within a month.
- Where requests are complex or numerous, organisations are permitted to extend the deadline to three months. However, they must still respond to the request within a month to explain why the extension is necessary.
- Data subjects must be able to make requests electronically as well as physically, “especially where personal data are processed by electronic means”.
- DSARs can be made in any form, including through email, phone call or web contact forms.
And Recital 63 recommends that, where possible, “the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data”.
Help creating a data subject access request procedure
Below is an example of a customisable DSAR procedure template, taken from our market-leading EU GDPR Documentation Toolkit.
The EU GDPR Documentation Toolkit has been designed and developed by expert GDPR practitioners, and has been used by thousands of organisations worldwide. It includes:
- A complete set of easy-to-use and customisable documentation templates, which will save you time and money and ensure GDPR compliance;
- Helpful dashboards and project tools to ensure complete GDPR coverage;
- Direction and guidance from expert GDPR practitioners; and
- Two licences for the GDPR Staff Awareness E-learning Course.