Guide to Compliance with Data Subject Access Requests (DSAR)

DSAR is a right that data subjects can exercise to learn what personal data an organisation holds on them, for what purpose, how it is processed, and whether and with whom the data is disclosed. Parallel to the European GDPR, other data privacy regulations around the world, including the California Consumer Privacy Act 2018 (CCPA 2018) and Brazil’s PDPA, provide individuals (including employees and customers) with similar rights: to access, correct or delete personal data held by an organisation.

Even the Draft India Personal Data Protection Bill 2019 (Draft India PDPB 2019) makes provision for Data Subject Access Requests by a Data Principal under Chapter V, sections 17 to 21.

DSAR has been in practice for a long time. What has changed with recent data privacy regulations is the ease with which individuals can request access to their data. Coined by GDPR, DSAR is now a generalised term used interchangeably with Subject Access Request (SAR). DSAR obliges organisations to provide users with a copy of the relevant information upon submission of a data subject access request.

Before we get to know DSAR in depth, let’s acquaint ourselves with the definitions of ‘data subject’ and ‘personal information’ formulated by the International Association of Privacy Professionals (IAPP, www.iapp.org), a global non-profit organisation in the field of privacy knowledge. Under India’s Draft Personal Data Protection Bill 2019, ‘Data Subject’ and ‘Data Controller’ are termed ‘Data Principal’ and ‘Data Fiduciary’ respectively.

What is a Data Subject?

A data subject is an identifiable living natural person who, directly or indirectly, can be identified via identifiers such as a name, a social identification number, a mobile number, an IP address, an email address containing a personal name, an online identifier or location data, or by reference to one or more factors specific to that person’s physical, physiological, genetic, mental, economic, financial, insurance, health, cultural or social identity. In other words, data subjects are the people whose personal data is collected, held, processed or stored by data controllers (organisations).

Under Draft India PDPB 2019, the term Data Subject is replaced with the term Data Principal. The definition of the Data Principal is similar to that of the Data Subject.

What is referred to as Personal Information?

EU GDPR defines personal data (personal information) as any information relating to an identified or identifiable living natural person (the ‘data subject’). By comparison, personal information, as defined in Section 1798.140(o)(1) of CCPA 2018, includes information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

Let’s first understand the various Data Rights of the Data Subject under EU GDPR before proceeding to discuss the Data Subject Access Right (DSAR).

Data Rights of a Data Subject (as per EU GDPR)

As per EU GDPR, the Data Rights of the Data Subject are as follows:

  • Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject
  • Article 13: Information to be provided where personal data are collected from the data subject
  • Article 14: Information to be provided where personal data have not been obtained from the data subject
  • Article 15: Right of access by the data subject
  • Article 16: Right to rectification
  • Article 17: Right to erasure (right to be forgotten)
  • Article 18: Right to restriction of processing
  • Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing
  • Article 20: Right to data portability
  • Article 21: Right to object
  • Article 22: Automated individual decision-making, including profiling

Data Covered under DSAR

Names, telephone numbers, account numbers, driving licence numbers, passport numbers, employment information, education information, biometric information, IP addresses, email addresses, property purchasing history, geolocation data, internet activity and similar data all constitute Personally Identifiable Information (PII).

A data subject access request can range from asking for specific personal details to asking for a full list of the personal information that the organisation holds about the requester. When data subjects request access to information an organisation has collected on them, in addition to telling them why the information was collected and with whom it was shared, the organisation is also obliged to make them aware of:

  • For how long it has held the data
  • For how much longer it plans to hold the data
  • Whether the data was used to make an automated decision about them
  • Whether the data was used for profiling purposes

Data shared with third-party vendors

As per the EU GDPR, “third party” means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data. Two further points matter here: a third party becomes a recipient once personal data is disclosed to it, and the legitimate interests of third parties can, where relevant, serve as a legal basis justifying processing of personal data by the controller.

The CCPA 2018 regulations, section 999.301(c), in addition to the definitions set forth in Civil Code section 1798.140, define “Categories of third parties” as types of entities that do not collect personal information directly from consumers, including but not limited to advertising networks, internet service providers, data analytics providers, government entities, operating systems and platforms, social networks and consumer data resellers.

When an individual requests deletion of their personal data, EU GDPR requires the organisation to notify the parties that received or processed that data subject’s personal information. As per Article 28 of GDPR, data processors share responsibility with data controllers for fulfilling such requests. Data controllers should regularly assess the methods data processors use to protect the personal data shared with third parties. Under both EU GDPR and CCPA 2018, data controllers are required to sign a detailed written contract with data processors, setting out the lawful ways of processing the data, the security measures for protecting it, and so on.

Under EU GDPR as well as CCPA 2018, the most important thing to keep in mind is that both the Privacy Notice and the Terms of Service need to be very clear on whether data is shared with service providers, third parties or other types of recipients, what types of services are involved and how these services are relevant to consumers.

Comparative Table of Data Subject Rights available under EU GDPR, CCPA 2018, UK DPA 2018, and Draft India PDPB 2019

| Data Rights | EU GDPR | CCPA 2018 | UK DPA 2018 | Draft India PDPB 2019 |
|---|---|---|---|---|
| Information | Right to be informed | The right to be informed of data collection and rights | The right to be informed | Applicable |
| Accessibility | Right to Access | Right to Disclosure | The right of access | The right to access |
| Portability | Right to Data Portability | Right to Disclosure | The right to data portability | The right to portability |
| Deletion | Right to Erasure | Right to Deletion | The right to erasure/be forgotten | The right to be forgotten |
| Objection | Right to Object | Right to opt-out | The right to object | The right to confirmation |
| Rectification | Right to Rectification | N/A | The right to rectification | The right to correction |
| Restriction | Right to Restriction | N/A | The right to restrict processing | N/A |
| Automated Decision | Right not to be subject to automated decision making | N/A | Rights relating to automated decision making and profiling | Applicable |
| Discrimination | N/A | Right not to be subject to discrimination for the exercise of rights | N/A | Applicable |

‘Right to be forgotten’ and ‘Right to be left alone’ upheld under the Right to Privacy, Article 21, Constitution of India, with reference made to the Draft India PDPB 2019 – a case study:

On 12 April 2021, the Delhi High Court announced a historic decision upholding the Right to Privacy for users and consumers of websites and search engines, citing the ‘Right to privacy’ under Article 21 of the Constitution of India, which further unfolds into the ‘Right to be forgotten’ and the ‘Right to be left alone’. The court ordered the website Indian Kanoon, vLex.in, Google LLC and Google India Pvt Ltd to take down the link to a high court verdict, so as to prevent its indexing on Google and other search engines, for a petitioner who had been accused of possession of narcotics while travelling back to the USA from India.

The petitioner was acquitted in 2013 by the trial court as well as the appeal court. However, the petitioner continued to face discrimination and prejudice when applying for jobs and the like. In 2021, the petitioner, who had been accused, tried and acquitted, prayed for removal of the judgement from the platforms of Google, Indian Kanoon and vLex.in.

In its judgement of 12 April 2021, the Delhi High Court ordered the removal of the judgment and its links from Google, Indian Kanoon and vLex.in, noting in its interim order: “Owing to the irreparable prejudice, which may be caused to him in his social life and career prospects, in spite of the petitioner having ultimately been acquitted in the said case via the said judgement, prima facie this court is of the opinion that the petitioner is entitled to some interim protection, while the legal issues are pending adjudication by this court.” The judgement related to the acquittal, in a drug case, of an American citizen of Indian origin who was charged under the NDPS Act when he visited India in 2009.

DSAR Workflow Design

When a DSAR is received, a company should make sure it abides by all the applicable regulations to the letter to keep potential fines at bay. Designing a DSAR workflow involves the following steps:

  1. Registration and authentication of the request: Registering and logging the request creates a record of when the request was received, what information was asked for, and so on. Authentication entails verifying the identity of the data subject before any data is released.
  2. Collection of personal information: The staff responsible for each data store, and their managers, should be informed of the data collection request. All relevant data should be centralised in one place, and company-sensitive data should be excluded.
  3. Information review: Both digital and paper records should be reviewed to confirm that no other person’s information has been collected and that the collected information matches the nature of the request (access, rectification, deletion, etc.).
  4. Setting out the data subject’s rights: Conclude the response with a section reminding the data subject of their privacy rights, such as the right to object to how their data is processed and the right to complain to a supervisory authority.
  5. Delivery of information: Information should be delivered securely, in a standard format, to the right person. Communication with the requester should be documented to demonstrate accountability and compliance.
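The five steps above, together with the response deadlines stated in the FAQ section (30 days under GDPR, 90 days under CCPA 2018), as a small added Python example that is not part of this guide or of any DataSecure product. It models a request record with an audit trail, an identity-verification gate that blocks delivery to an unverified requester, collection across several data stores, a review step that drops company-sensitive fields and any record belonging to another data subject, and a response that ends with a rights reminder. The data stores, record fields, subject identifiers and the set of company-sensitive fields are all constructed for illustration.

```python
"""DSAR workflow tracker (added example): register, authenticate, collect,
review/redact, deliver, with an audit log and a per-regulation deadline."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Response deadlines in days, as stated in this guide's FAQ section
DEADLINE_DAYS = {"GDPR": 30, "CCPA": 90}

# Hypothetical set of fields the organisation treats as company-sensitive
COMPANY_SENSITIVE_FIELDS = {"fraud_score", "internal_notes"}

# Constructed sample data stores; each record carries a subject identifier
SAMPLE_STORES = {
    "crm": [
        {"subject_id": "S-1001", "name": "A. Example", "email": "a@example.org",
         "internal_notes": "flagged for retention review"},
        {"subject_id": "S-1002", "name": "B. Other", "email": "b@example.org"},
    ],
    "billing": [
        {"subject_id": "S-1001", "account_no": "ACC-77", "fraud_score": 0.02},
    ],
}

RIGHTS_REMINDER = ("You have the right to rectification, erasure, restriction of "
                   "processing, to object to processing, and to lodge a complaint "
                   "with a supervisory authority.")


@dataclass
class DSARRequest:
    request_id: str
    subject_id: str
    regulation: str
    received: date
    identity_verified: bool = False
    audit_log: list = field(default_factory=list)

    def log(self, event: str) -> None:
        # Every step is recorded so the organisation can demonstrate accountability
        self.audit_log.append(f"{self.request_id}: {event}")

    def due_date(self) -> date:
        return self.received + timedelta(days=DEADLINE_DAYS[self.regulation])


def register(request_id: str, subject_id: str, regulation: str, received: date) -> DSARRequest:
    # Step 1 (registration): the record fixes when the request arrived and when it is due
    if regulation not in DEADLINE_DAYS:
        raise ValueError(f"unsupported regulation: {regulation}")
    req = DSARRequest(request_id, subject_id, regulation, received)
    req.log(f"registered {received.isoformat()}, due {req.due_date().isoformat()}")
    return req


def verify_identity(req: DSARRequest, presented_subject_id: str) -> bool:
    # Step 1 (authentication): the requester must prove they are the data subject
    req.identity_verified = presented_subject_id == req.subject_id
    req.log("identity verified" if req.identity_verified else "identity check failed")
    return req.identity_verified


def collect(req: DSARRequest, stores: dict = SAMPLE_STORES) -> dict:
    # Step 2: gather this subject's records from every store into one place
    found = {}
    for store_name, records in stores.items():
        matches = [r for r in records if r.get("subject_id") == req.subject_id]
        if matches:
            found[store_name] = matches
    req.log(f"collected records from {sorted(found)}")
    return found


def review(req: DSARRequest, collected: dict) -> dict:
    # Step 3: drop company-sensitive fields and any record that belongs to someone else
    reviewed = {}
    for store_name, records in collected.items():
        cleaned = []
        for r in records:
            if r.get("subject_id") != req.subject_id:
                req.log(f"dropped foreign record from {store_name}")
                continue
            cleaned.append({k: v for k, v in r.items() if k not in COMPANY_SENSITIVE_FIELDS})
        reviewed[store_name] = cleaned
    req.log("review complete, company-sensitive fields redacted")
    return reviewed


def deliver(req: DSARRequest, reviewed: dict, today: date) -> dict:
    # Steps 4 and 5: only a verified requester gets data; the response ends with a rights reminder
    if not req.identity_verified:
        req.log("delivery refused: identity not verified")
        raise PermissionError("identity not verified")
    response = {"request_id": req.request_id, "data": reviewed,
                "your_rights": RIGHTS_REMINDER, "delivered_on_time": today <= req.due_date()}
    req.log(f"delivered {today.isoformat()}")
    return response


def handle_request(request_id, subject_id, presented_id, regulation, received, today):
    # Runs the whole workflow and returns the response together with its audit trail
    req = register(request_id, subject_id, regulation, received)
    verify_identity(req, presented_id)
    reviewed = review(req, collect(req))
    return deliver(req, reviewed, today), req


if __name__ == "__main__":
    resp, req = handle_request("DSAR-1", "S-1001", "S-1001", "GDPR",
                               date(2021, 4, 12), date(2021, 4, 30))
    print(resp["data"])
    print("\n".join(req.audit_log))
```

The ordering is the point: identity is verified before any store is queried, the review step runs before delivery, and the audit log carries every decision, including a refused delivery, so that the process itself is evidence for a supervisory authority.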

A company should invest in the development of a compliance-compatible DSAR workflow design, considering the data privacy regulatory landscape is still rapidly evolving. DataSecure.ind.in is a leading vanguard of data protection. It houses a team of experts whose craftsmanship in DSAR workflow software development is spoken highly of. Our clearly defined workflow helps an organisation stay agile and respond effectively to changing compliance requirements.

FAQs

Medium for Request

Requests can be made in writing or verbally. A person can request access to personal information during a telephone conversation with the staff of an organisation; no written form is required. Writing is nonetheless considered the apt way, because it serves as a record for both the individual and the organisation.

Do individuals need to provide a reason for a DSAR?

No, individuals don’t need to state why. Individuals may however be asked to verify their identity, to help the organisation authenticate the requester and locate the requested information.

Is there a charge for a DSAR?

Before GDPR came into force, requesting access to information could incur a charge specified by the data controller. Now that GDPR applies, organisations need to provide a copy of a user’s personal data free of charge. According to GDPR, a data subject can be charged a reasonable fee for the administrative costs of a SAR only if the organisation finds the request to be ‘manifestly unfounded or excessive’.

Is it possible to submit a DSAR on behalf of someone else?

Yes. Individuals can authorise someone to submit a request on their behalf. This applies when:

  • A request is made by a parent on behalf of their child
  • An individual appointed by the court is managing an individual’s legal affairs
  • A solicitor is appointed to act on behalf of the client
  • A relative or friend is asked for help by the data subject

Time frame for responding to a DSAR

Organisations need to fulfil a request “without undue delay”, and at the latest within one month of receipt. When dealing with complex data or with requests involving overseas transfer of data, organisations may ask the applicant for an extension of the deadline by a maximum of two months, stating why the extension is necessary. The time frame varies between regulations.

Under EU GDPR, the time frame for the response is 30 days from the date the data subject submits the DSAR form (by email, in writing, etc.) to the DPO.

Under CCPA 2018, the maximum time from receipt to closure of a DSAR is 90 days from the date of submission of the request.

Person responsible for responding to DSAR

Generally, a Data Protection Officer (DPO) looks after DSAR responsibilities. If there is no dedicated DPO in an organisation, the duty falls on someone with data protection knowledge. The responsible person should ensure that the process is completed in line with GDPR or the parallel regulation that applies.

Can information be redacted?

Although GDPR and CCPA encourage transparency, organisations may, where relevant, redact anything that is not within the scope of the DSAR. A company may redact information when the individual’s requested data is stored alongside sensitive company data, and when documents are stored alongside the personal information of other people.

For downloading the latest version of various data privacy laws, kindly visit the Resources page under www.datasecure.ind.in

For demo/presentation of Data Subject Access Requests solutions, kindly write to us at info@datasecure.ind.in
