GDPR Data Subject Access Request Procedure Template
Introduction
One of the main goals of the GDPR is to grant the data subjects the right to understand which personal data of theirs is being collected and stored by an organization, and how it’s being processed. In order for the data subject to get this information, they must first submit a DSAR.
Scope and Purpose
The confirmation of a DSAR is intended to let the requestor know which personal details of theirs are being stored, for how long and for what purpose. The response also provides records for any audit (internal or external).
The DSAR should include the following fields –
1. Confirmation that the data subject's personal data is being stored by the organization.
2. The details of the responder (or data controller).
3. The basic details of the data subject (end-user).
4. Which attributes of the data subject are collected by the organization.
5. How the personal data has been processed.
6. Which data controllers within the organization have access to the personal data.
7. Which third-party entities the personal data has been shared with.
8. Which automatic decision making or profiling has been executed.
Examples of Processed Personal Data
Attributes –
1. Name
2. Phone number
3. Email address
4. IP address
5. ID number
6. Marital status
7. Number of children
8. Annual income
9. Political opinions
10. Religious beliefs
11. Sexual orientation
Obligations of the Data Controller
1. Explain which tools and processes will be used to protect personal data.
2. Duration of processing and erasure or return of data: Define the length of time in which the parties can keep the personal data to process it.
3. Sensitive Data: Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter “sensitive data”), the data importer shall apply specific restrictions and/or additional safeguards, e.g., masking data.
Sharing of the Personal Information with a 3rd Party Organization
The data importer is obliged to follow the same GDPR statutes that the exporter committed to when it first started to collect the personal data of its data subjects. This includes responding in a timely manner to their DSARs, while using clear everyday language. In the case of a justified request to erase personal data, the exporter shall include the servers of the importer on the list of databases that must expunge the personal data. The importer will send a validation of the erasure to the exporter once it has fulfilled the request. The same shall apply to any rectification request for personal data.
Terms & Definitions
What is a data subject (also known as an end-user)?
Any person who created a unique username on the organization’s website, thus giving them the possibility of using that username to perform certain tasks and use features offered on the website.
What is personal data?
Any type of unique data which relates to an individual data subject. This can include such information as: name, phone number, email address, ID number, health records, political opinions, IP address, etc.
What is the processing of personal data?
Any act that is performed on the collected personal data of all the organization’s data subjects. This may include such actions as storing the data, analyzing it in any way to extract insights, or deleting it once it’s no longer required.
What is a DSAR (Data Subject Access Request)?
Any data subject whose personal data is collected, manipulated, and stored on an organization’s servers has the right to request to know which of their personal data is stored. This request is known as a DSAR, and once a request has been deemed valid, it must be answered in a timely fashion and contain valid and accurate information. The response to a DSAR is usually free of charge; however, if the request is deemed to be massively repetitive, excessive, or unfounded, then it’s acceptable to charge a reasonable fee.
Key Takeaways / Conclusions
1. The GDPR grants the data subjects the right to submit a DSAR, and it’s the obligation of the DPO to ensure that these are responded to in a timely manner while using day-to-day language.
2. The DSAR should also include a clause specifying which departments within the organization have access to the personal data of the requestor.
3. Automation is also regarded as data manipulation and should be treated as such.