How-To, 7 minute read
January 9, 2023

How to Make a Data Subject Access Request?

Did you know that there is a formal way to find out what an organization knows about you and how they use that information? Any individual can make a data subject access request (DSAR) to any company and get a copy of their personal data held by the company. But what is a data subject access request really, what should you expect from organizations, and what can you do if they don't comply? We'll answer all your questions in this article.


What is a data subject access request?

A data subject (that's you!) has the right to request access to data a company or organization holds on them. The process of doing so is therefore called a “data subject access request”, or DSAR for short. You might also see it titled simply as a subject access request (SAR).

Companies are under obligation by law to respond to access requests. In the EU, DSARs are underpinned by Recital 63 of the GDPR, which states:

“A data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing.”

If you live stateside, and in particular in California, then you can make a data subject request under California's answer to GDPR. The California Consumer Privacy Act (CCPA), which has now been extended and renamed the California Privacy Rights Act (CPRA), explains:

“[...] It is the intent of the Legislature to further Californians' right to privacy by giving consumers an effective way to control their personal information, by ensuring the following rights: [...] (4) The right of Californians to access their personal information.”

While our article will concentrate on how to make a GDPR data subject access request, the process is pretty much the same for Californians wanting to make a request under the newly adopted CPRA.

The only real difference is the time frame of compliance for the company. With GDPR, companies have to respond to a request within one calendar month, with a possible extension of two months. Under CPRA, companies have 45 days to respond, with an extension of up to 90 days if necessary.

Why make a Data Subject Access Request at all?

The natural question that follows “what is a Data Subject Access Request?” is WHY: why would someone want to make a DSAR? What is the purpose of them?

Well, it's no secret how valuable personal data is to companies. Some companies make millions from your data. But it's time that individuals start to consider it in the same light.

Your data makes up who you are.

If your data gets into the wrong hands, your identity, privacy, and security could be at serious risk. We hand over so much of ourselves every time we deal with companies on or offline.

You have a right to know just how much personal data a company holds on you, how they process it, and who else they may have shared it with.

This information then enables you to exercise your other rights. For example, under GDPR's core protections you also have the right to:

  • correct inaccurate details
  • request deletion (under certain circumstances)
  • restrict or pause data processing if there are irregularities
  • transfer your personal data to another company

What is a DSAR's content?

So, we've answered what is a DSAR, and now we want to know what type of information you're going to learn from it. This really depends on the company you're dealing with and what you specifically ask for. When submitting a data subject access request, you aren't limited to just asking for a copy of the data they hold on you.

You can also ask about:

  • the purposes of the processing
  • the lawful basis for processing your data
  • the categories of personal data
  • any third parties the data is/will be shared with
  • how long the personal data will be stored
  • where the personal data was collected (if not from you directly)
  • the logic of any automated decisions made about you, including profiling

Who can make a Data Subject Access Request?

Anyone can send a DSAR to any organization. You don't even have to be a customer of the company. If they don't have your data, they're obliged to tell you that.

Of course, you could be a customer but you could also be an employee, a partner, a client, or a contractor. No matter who you are, you can submit a DSAR at any time and you don't have to provide a reason for doing so.

You can also make a data subject access request on behalf of someone else as long as that person has authorized you to do so. This could be a parent or guardian requesting on behalf of a child, or a legal representative on behalf of a client. But unless you're acting with their knowledge and consent, you cannot make a request for their data.

Do you have to pay to submit a DSAR?

Not anymore, no. Under the old regulation, the Data Protection Act 1998, organizations could charge a fee in order to provide you with details on the information they held.

When GDPR came into force in 2018, this administration fee was removed to make DSARs easier and the whole practice of data processing more transparent.

Organizations now have to provide you with the information for free. That said, companies can charge a “reasonable fee”, but only if the data request is deemed to be repetitive, for example if a data subject has sent multiple access requests.

As companies are the ones bound by law, it is in their best interest to make requests as simple as possible. Otherwise, they could end up like the Dutch Credit Registration Bureau. The company was fined €830,000 ($937,000) for charging a fee and discouraging individuals from requesting access to their personal data.

Can companies refuse to respond to a DSAR?

While companies are bound by law to comply with a DSAR, there are some exemptions. If the data request is deemed “unfounded or excessive”, the company can either charge a fee as previously mentioned OR they can refuse to act on the request.

The Information Commissioner's Office (ICO) in the UK, which follows the same EU GDPR standards, explains all the ways a request may be determined to be “unfounded or excessive”.

But, basically, if you are exercising your rights with good intentions, and not out to harass or make unsubstantiated accusations against a company, then your request should be accepted.

Other exemptions might apply if the data you have requested could also identify someone else, or if you are being investigated for a crime and the investigation would be impacted by disclosing the information.

How to make a Data Subject Access Request

Making a DSAR isn't really all that difficult. You can even do it over the phone, via the company's social media messenger, or in person. But should anything dodgy be dished up or the company doesn't comply immediately, it's advisable to make the request in writing. That way, you have evidence of your request and a timeline to follow.

Before you make contact with the company, there are a few things you should do.

Work out the scope of the data you wish to request

It's absolutely fine to ask for a copy of “all data you have on me”, but in some cases it will be more beneficial to be specific. For example, you might want a copy of emails or CCTV footage from a certain date or time range.

Prep your identifiers

You'll need to provide the company with some form of identification to prove you are who you say you are. This could simply be your name, or additional details like date of birth, address, customer reference number, or account number.

But some companies may ask for a photo ID so having a scanned and digital copy of your ID ready to use will speed things up. You may choose to censor any details on the ID that are not necessary for identification purposes.

When you're sending identifying information, don't send the company something that they don't already have! But if you must, you can request that these identifiers are erased from their database once your DSAR is dealt with.

Find a contact to direct your DSAR to

The best way to make sure your DSAR is dealt with in a timely manner is to make sure it gets to the right person or department. The details should be mentioned in their privacy policy. It might be an email address for a specific Data Protection officer or a generic customer support email.

For example, take a look at the Netflix Privacy Policy.

Some companies, like the Bank of Scotland (see image below) may have a dedicated online form through which you can make your data subject access request.

But just because they have this as an option, doesn't mean you have to use it. You can still decide to make the request in writing and the company must still process it.

Image source: Bank of Scotland (screenshot)

Write your email

Once you have all these details ready to go, the next stage is to write the email. To make that easy, the lovely people at Privacy International have created a DSAR template that you can copy, paste and adjust accordingly.

If you're not concerned about what the data is or how the company deals with it, then you can just ask them to delete it. The easy way to do this is by using Rightly Protect.

This independent company analyzes your email inbox to see which companies have your data and provides you with a list. You can then select which companies you want to delete your data from.

They generate a ready-written email complete with your name and email address, which you can instantly send to all the companies you have selected.

What happens once you've submitted a DSAR?

Now, you wait. According to GDPR, companies must deliver on your request within one calendar month. If it's a complex request and gathering all the data is going to take more time, the company must inform you of this within the one-month period. The extension period is another two months.

This is why it's a good idea to have everything in writing, so that you can time things accordingly, like pinging them a little reminder if you haven't heard from them and time is running out.

Should the time lapse, you can take further action which we explain below.

Although the process is really quite simple in theory, the practice can be a little bumpy. Often companies don't take DSARs as seriously as they should or they don't have internal processes in place to deal with them. This can result in a lot of back and forth between you and the company. So, be prepared and manage your expectations from the outset.

What if the company doesn't respond to your DSAR?

If the company doesn't respond to your DSAR, or the response doesn't satisfy you for any reason, you should first try to resolve the issue directly with the organization. Make a complaint in writing and keep copies of any correspondence in case you need to take the issue further.

In your communications, you can also remind the company of its legal obligations. If they still don't comply, you can then contact your national data protection authority if you are EU based or the ICO if you are UK-based.

Now that we've answered the question of what a data subject access request is, it's up to you whether you wish to exercise your rights and submit one. Knowledge is power, and remember: you own your data, not any company or organization.

For more tips on how to protect your data and your privacy, check out more articles from the Hoody Privacy Hub.

Ruby M
Hoody Editorial Team

Ruby is a full-time writer covering everything from tech innovations to SaaS, Web 3, and blockchain technology. She is now turning her virtual pen to the world of data privacy and online anonymity.
