How to Respond to a Data Subject Access Request (DSAR) Under the GDPR
If you received an access request from a customer and don't know what to do, don't panic! Consuflix helps clients with Legal and Compliance matters, and we can help you design efficient workflows and handle a challenging Data Subject Access Request, ensuring you never miss a deadline!
How to Respond to a Data Subject Access Request (DSAR) Under the GDPR: A Step-by-Step Guide
Receiving a Data Subject Access Request (DSAR) can be a stressful moment for any organization. It triggers a strict regulatory clock and requires you to balance transparency with the protection of other people's data.
However, with the right process in place, handling a DSAR becomes a manageable routine rather than a compliance emergency.
Consuflix helps clients with Legal and Compliance matters, and we can help you design efficient workflows and handle challenging Data Subject Access Requests, ensuring you never miss a deadline! Contact us at info@consuflix.com.
What is a DSAR?
Under Article 15 of the GDPR, individuals (data subjects) have the "Right of Access."
This means they are legally entitled to obtain confirmation as to whether or not personal data concerning them is being processed, and, where that is the case, access to the personal data.
A DSAR does not need to be a formal letter. It can be an email, a tweet, or a verbal request made to customer support. Recognizing a request is the first hurdle.
The Golden Rule: The 30-Day Deadline
Time is your most critical metric. Under the GDPR, you must respond to a DSAR without undue delay and at the latest within one month of receipt.
Note: You can extend this by two further months if the request is complex or if you have received multiple requests, but you must inform the individual within the first month and explain why the extension is necessary.
How to Process a DSAR?
To ensure full compliance and avoid fines, create a structured workflow and train relevant stakeholders so that you take the right actions, such as verifying the identity of the requester or conducting the data discovery exercise.
Also, bear in mind that your team needs to apply the right redactions to avoid disclosing confidential data related to other individuals. The right support to review the final documentation is key to avoiding further claims and fines.
Can You Charge a Fee or Refuse a Request?
Generally, no. Providing copies of data must be free of charge.
However, there are exceptions under GDPR Article 12(5):
Manifestly Unfounded or Excessive: If a user spams you with the same request weekly, you may charge a reasonable fee based on administrative costs or refuse to act on the request. Warning: The burden of proof is on you to demonstrate that the request is excessive.
Conclusion
Handling a DSAR requires a mix of legal knowledge, technical capability, and organized workflows. Failing to respond correctly can lead to complaints to Data Protection Authorities and significant fines.
Don't wait until a request lands in your inbox to figure out your process.
Consuflix helps clients with Legal and Compliance matters, and we can help you to audit your current data practices and implement a foolproof DSAR response strategy today.


