The General Data Protection Regulation (“GDPR”) provides rights to residents in the European Union (“EU”) that allows them to control their personal data. To exercise their rights, the GDPR allows EU residents to send a request to the data controller. In this guide, we will answer the following:
- What is a data subject request under the GDPR: General Data Protection Regulation?
- What are the GDPR rules for responding to data subject requests?
- What is a data subject access request (DSAR)?
What is a data subject request under the GDPR: General Data Protection Regulation?
Under the GDPR, the definition of “personal data” includes “any information” that relates to an identified or identifiable natural person, which is called a “data subject.” An identifiable natural person is someone “who can be identified, either directly or indirectly, in particular by reference to an identifier.” An identifier includes:
- A name
- An identification number
- Location data
- An online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
In the EU, the GDPR grants data subjects with a set of rights. Recital 1 of the GDPR states that protecting “natural persons in relation to the processing of personal data is a fundamental right.”
The GDPR provides consumer rights that include:
- The right to transparent information – Article 12
- The right of access by the data subject – Article 15
- The right to rectification – Article 16
- The right to erasure (‘right to be forgotten’) – Article 17
- The right to restriction of processing – Article 18
- The right to data portability – Article 20
- The right to object – Article 21
- Rights related to automated decision-making, including profiling – Article 22
To exercise one of the consumer rights listed above, a data subject needs to send a request to the controller. Article 12 explains how a controller should respond to data subject requests for the consumer rights under Articles 15 – 22.
What are the GDPR rules for responding to data subject requests?
Under Article 12, a data controller must “take appropriate measures” to provide any information relating to processing of the data subject. The controller must accept either a written or verbal request from a data subject. The controller must provide the information in writing or by another appropriate electronic means.
When a controller receives a data subject request, it must:
- Provide the information in a concise, transparent, intelligible, and easily accessible form
- Use clear and plain language, in particular for any information addressed specifically to a child
- Facilitate the exercise of data subject rights under Articles 15 – 22 unless the controller demonstrates that it is not in a position to identify the data subject
When requested by the data subject, the controller may provide the information orally if it can identify the data subject. If a controller has reasonable doubts of the identity of the data subject making a request that refers to Articles 15 to 21, the controller may request additional information necessary to confirm the identity of the data subject.
Recital 64 of the GDPR provides that a “controller should use all reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services and online identifiers.” Examples of reasonable means for identity verification include having the data subject:
- Verify an email account
- Submit an ID document
- Log into the account with the controller
- Answer several questions that only the data subject should know
When a controller receives a data subject request, it should respond “without undue delay” within one month of receiving the request. A controller may extend the one-month deadline to respond to a data subject request. Depending on the complexity and number of requests, the controller may extend the deadline by “two further months where necessary.” However, the controller must inform the data subject of any such extension within one month of receiving the request along with the reasons for the delay.
If the controller does not take action when it receives a data subject request, the controller must inform the data subject “without delay and at the latest within one month of receipt.” The controller must explain:
- The reasons for not taking action
- The possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy
Any actions that a controller takes to respond to a request must be provided to a data subject free of charge. If a request from a data subject is “manifestly unfounded” or excessive and repetitive, the controller has the “burden of demonstrating the manifestly unfounded or excessive character of the request.” The controller may either:
- Charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or
- Refuse to act on the request.
Presently, the GDPR does not offer a uniform guidance for data subject requests. However, to be compliant, companies acting as data controllers should adopt internal processes to address requests in accordance with the GDPR. Meanwhile, the European Data Protection Board plans to release guidelines in its “Work Program” for 2019–20. The guidelines will have a main focus “on the rights of access, erasure, objection, restriction and limitations to these rights.”
What is a data subject access request (DSAR)?
Article 15 of the GDPR gives a data subject “the right to find out whether or not personal data concerning him or her are being processed.” Data subjects may request access to the data, which is commonly called a “data subject access request” (DSAR).
The right of access provided in Article 15 of the GDPR requires a controller to:
- Confirm to a data subject any processing of personal data
- Allow the data subject to have access to the personal data
- Produce certain information about the data processing as required by the GDPR
- Provide a copy to the data subject of the personal data being processed
Although the GDPR does not have a formal process for submitting a DSAR, a controller must comply with certain requirements to respond to the requests. A controller must follow the Article 12 guidelines that establish the proper form of a response and the time frame to send the response. Article 12 allows a data subject to submit a DSAR in whatever method is convenient for the data subject. Many data subjects request a DSAR in writing, but a DSAR may also be a verbal request.
Under Article 15, when a controller receives a DSAR, it must provide a copy to the data subject that contains any relevant information it has on the data subject. The controller must provide access to the personal data and the following information:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;
- the envisaged period for which the personal data will be stored, where possible, or if not possible, the criteria used to determine that period;
- the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
- the right to lodge a complaint with a supervisory authority;
- where the personal data are not collected from the data subject, any available information as to their source;
- the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Where personal data are transferred to a third country or to an international organization, the data subject has the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer. The controller:
- must provide a copy of the personal data undergoing processing
- may charge a reasonable fee based on administrative costs for any further copies requested by the data subject
Where the data subject makes the request by electronic means, the controller must provide the information in a commonly used electronic form unless otherwise requested by the data subject.
The right for data subjects to obtain a copy of their personal data will not adversely affect the rights and freedoms of others. Where relevant, a controller should redact any information that’s not within the scope of the DSAR. This includes the personal data of other individuals and sensitive data belonging to the controller.