Data Subject Access Requests (DSARs)

Give people fast and accurate insight into the personal data your organization processes about them.

What you need to know about data subject requests

The GDPR, with the so-called “right to transparency“, gives people the right to know what your organization knows about them and how you use that information. The data subject rights you need to facilitate are:

Right of access;
Right to rectification;
Right to deletion;
Right to restriction of processing (e.g. in the case of incorrect information which has not yet been corrected);
Right to information regarding exercised rights;
Right to transfer;
Right to object;
Right to information about automated decision-making.

These rights are collectively referred to as the “subject rights” or “rights of the data subject“. By submitting a DSAR (Data Subject Access Request), the data subject can exercise their rights.

You are required to provide all requested information and the requester does not have to provide a reason for doing so. You should also be able to present the status of current and previously exercised rights.

Avoid time wasted on Data Requests with structured information management

In order to comply with data subject requests, you must be able to provide information about your use of personal data quickly and efficiently. Data subjects may request, among other things:

Confirmation that you are processing their personal data.
Access to their personal data.
Your lawful basis for processing their data.
The period for which you will retain their data (or the criteria you will use to determine that period, e.g. “as long as you are a customer”).
Any relevant information about how the data was obtained.
Any relevant information about automated decision-making and profiling.
The names of third parties with whom you share their data.

DSR management can become an intensive task that takes up a lot of time. Especially if you do not keep all personal information in one convenient place. You also need to keep an up-to-date overview of how, where and by whom these data are used. Responding efficiently to a DSAR therefore requires a well-considered and structured approach.

Prompt and correct responses to data subject requests

Any organization can receive a DSAR. It doesn’t matter if you are a large or a small organization. Also realize that a single action such as a payment can quickly trigger ten underlying processing operations that all keep track of data. Think sales data, banking transactions, marketing, warehouse management, delivery or support.

Responding correctly to a DSAR requires an organized process. You need to know which systems store personal data, in what way and for what purpose. You also need to be able to search these systems quickly to find and modify personal data.

GDPR compliant management of personal data

Co-Dex.eu helps you to link data points intelligently. Building on the central register of personal data and linked processing agreements, you get an easily accessible data management to adequately respond to a data subject’s request. Well-managed personal data makes all the difference. Especially if you should ever have to defend yourself if challenged by regulators around your personal data procedures.

Do data subjects want to have their data amended? Co-Dex.eu allows you to find out where their data is being used so that you can quickly adapt it to make sure it is used correctly everywhere.

Need efficient data management to respond quickly to Data Subject Access Requests?

Start now for free!

How to respond to a Data Subject Access Requests?

Is someone asking what personal data you process or why you do that? Then follow the following steps to answer GDPR compliant.

Verify the identity of the person in question to determine if you have the requested information and can share it safely, without risking a data breach.
Clarify the nature of the request. Does the requester just want to know what information you are keeping, a change, objection, or does the question go further?
Review the data and make sure the data does not contain anyone else’s personal information.
Collect the data. Choose a common and easily accessible file type. Preferably via access to a secure system that gives data subjects direct access to their personal data, such as their data on the web shop.
Clarify the rights. Include a passage in which you remind the data subjects of their rights to privacy, including the right to object, to request rectification, and/or to lodge a complaint with a supervisory authority.
Send the data or preferably a link to the data subject. Document your communications so there is an audit trail.