SUBJECT ACCESS REQUEST

Subject Access requests handled efficiently and with compliance

Simplify how users submit their requests and verify their identity, and securely manage and respond to each request.

Get started in minutes - free of charge

With these simple steps you can get started today and begin building trust with your customers.

1. Sign up for free - no credit card - no charge
2. Receive the unique link directly in your inbox
3. Copy and add the link to your webpage
4. Get notified when a request is submitted

Once you have published the link, you can be certain your customers have an easy way to submit their Subject Access Request, and you will be notified whenever you need to take action.

Subject Access requests made simple. 

Access Requests without concerns

We understand that access requests can be complex and time-consuming. Our solution makes it easy to handle requests quickly and efficiently, so you can focus on your core business. 

Security in focus

With our solution, the individual is securely verified and legally bound to act on the data subject's behalf. The service ensures that information is delivered to the right person, always encrypted, with additional security depending on the type of data disclosed.

Practical compliance with requirements

The right of access is one of the fundamental rights of individuals. We ensure that your business operates in line with current laws and regulations. The service helps you meet the requirements and makes the process easily accessible to your customers.

Unique Link for Your Business

Upon registration, you will automatically receive a unique link complete with your own logo to direct inquiries to your business. The link can quickly be made available on your website, within services, or sent directly upon requests.

Check out our demo video of how it works for the user. 

Secure Verification

Requests and information are securely verified through authentication, so you can confidently process the request without further verification of the information or the ID. By default we offer a set of high-level authentication methods; let us know if you need more and we are here to help.

Notification and Overview of Requests

Receive immediate notifications to your desired email address when any new Subject Access Requests are filed. Gain a complete overview of the information in the inquiry and deadlines, with automatic reminders as the deadline approaches to keep you on track.

Secure response

Upload relevant files or enter details using standard information fields that give the customer an understandable and editable overview. All information is encrypted and protected, ensuring that responses are safely stored and securely delivered to the correct recipient. Sensitive information can be tagged to require higher-level verification before it can be accessed.

Customer receives a response

Once the inquiry is fully processed, the registered individual is automatically notified and receives a personalized 'data card' containing the delivered information and files in an understandable format. In addition, the customer can download the data in an interchangeable format, in line with the requirements of the GDPR.

What is a Data Subject Access Request?

When the General Data Protection Regulation (GDPR) came into force in 2018, it set out to give individuals control over their data by granting them eight data subject rights.

The Right of access empowers individuals to obtain information about the data organizations hold about them, providing them with an understanding of the purposes and methods behind the use of their data.

Even though the Right of access is not a novelty, the GDPR expands it with new mandatory categories of information that the organization is obligated to provide and makes it easier for individuals to submit their requests, access their data, and get information.

The access request is one of the most common types of requests organizations receive, so sooner or later your organization will have to answer a DSAR.

What is a Data Subject Access Request?

A Data Subject Access Request (DSAR) is a request directed to an organization by which an individual exercises the right to access information about the personal data that organization is processing.

Individuals can exercise this right easily and at reasonable intervals to verify the lawfulness of the processing.

Every individual has the right to know and obtain information about the purposes of personal data processing.

What information are you obligated to provide in a DSAR response?

The organization is obligated to provide confirmation that they are processing personal data, a copy of personal data, and other information, including:

  • Purpose of the data processing
  • Third parties with whom the organization shares personal data, if any
  • Categories of personal data the organization is processing
  • Source of the data (if the data was not collected from the individual)
  • Data retention period, i.e. how long the organization will keep the data
  • Information about automated decision-making (including profiling)
  • Information about their GDPR rights (right to rectification, right to erasure, restriction of processing…).

When responding to a DSAR, the organization is obligated to provide a copy of personal data and the information listed above.

Who Can Submit a DSAR?

A DSAR can be submitted by anyone whose personal data the organization is processing. Individuals are not obligated to give any reason for submitting it and can request a copy of their data.

Contrary to some beliefs, DSARs are not limited to employees; customers, partners, and contractors can submit them too. According to some research, most requests originate from customers rather than employees.

This is especially true in the U.S. However, employees of EU companies request personal data at a significantly higher rate than in other parts of the world.

A DSAR can also be submitted on behalf of someone else if the data subject authorizes that person. Examples would be:

  • A parent requesting on behalf of a child
  • A legal representative requesting on behalf of a client
  • A relative or a friend
  • A person appointed as a guardian

The organization has a right and an obligation to ask for written authorization or other documents supporting the authorization.

How Can an Individual Submit a DSAR?

A DSAR can be submitted in writing or verbally, for example over the phone or by filling out an online form.

It can arrive through any channel, including social media, and be addressed to any person inside the organization (for example, the marketing department).

The request also does not have to be labelled as a DSAR, mention the GDPR, or name any specific right.

The person can simply ask for insight into their data or for information about the processing of their personal data, and the organization is obligated to recognize the request and respond in a timely manner.

This is why it is extremely important that key personnel and departments are familiar with data subject rights, know how to recognize a DSAR, and know which steps to take when they receive one.

Verifying the Identity of the Individual - How Can It Be Done?

According to Recital 64 of the GDPR, the organization should use all reasonable measures to verify the identity of an individual who requests access, in particular in the context of online services and online identifiers.

The organization should not request more information than necessary during the verification process.

The two most popular ways of verifying the data subject’s identity are via email and via photo identification, while organizations also rely on login with email and password, challenge questions, and identity proofing platforms.

Nevertheless, there are several privacy violation cases in which companies have been fined for not properly verifying the person making the request, leading to violations such as:

  • Disclosing another person's information to the wrong recipient. Case: the requester is mistakenly confused with someone with similar details and/or is not properly verified as the rightful person to receive the information.
  • Failing to identify the requester and therefore responding that the organization holds no information about them. Case: email is used as the only identifier and the requester submits their request from a different email address.
  • Using weak, publicly available identifiers such as "What is your address?" or "What is your dog's name?", which others may easily find out.

Who should respond to a DSAR?

Some organizations are obligated to appoint a Data Protection Officer (DPO), and some are not.

Whatever the case, there should be one person within the organization in charge of compliance who will have a high-level overview of DSAR processes and document all requests to ensure they are resolved in a timely manner.

This does not mean the DPO should respond to each and every request personally. However, the DPO should have control over the processes and assure compliance along the way.

Automating the process can help you manage DSARs more efficiently and prevent requests from being accidentally overlooked or ignored. Automation can be especially important if your privacy department has a small staff or is even a one-person department.

Deadline for Responding to the DSAR

The organization should respond to a DSAR without undue delay and within one month of receiving the request.

That deadline may be extended by two months if the request is complex or if the organization has received several requests from the same individual, for example when the individual submits a DSAR and a right-to-be-forgotten request at the same time.

If that is the case, the organization should notify the individual of the extension, and the reasons for the delay, within one month of receiving the request.

The deadline is calculated from the day of the receipt of the request, fee, or other requested information until the corresponding calendar date in the next month.

Can You Charge a Fee for a DSAR?

Organizations are generally not allowed to charge a fee for a DSAR. However, there are a few situations where a reasonable fee covering administrative costs can be charged, namely if the request is unfounded or excessive.

A small fee can be applied to multiple or excessive requests to prevent an individual from repeatedly submitting unnecessary DSARs. However, organizations should never make a profit from the fee.

When charging a fee, you should develop a list of criteria for determining a reasonable fee since this will help you if you have to clarify it to the supervisory authority.

The criteria should be clear, and the organization should explain the costs to an individual.

However, relying on these exceptions has proven risky: the Dutch DPA issued an 830K euro GDPR fine for charging a fee to access information.

Can You Refuse to Respond to a DSAR?

There are situations where the organization can refuse to comply with a DSAR, namely if an exemption applies or if:

  • The request is manifestly unfounded: the individual has no real intention of exercising the right, or the request has malicious intent and no purpose other than causing disruption.
  • The request is manifestly excessive: the DSAR is unreasonable and disproportionate to the cost or other burdens involved in handling it.

If you refuse to comply with a request, be sure that you can defend your decision to the supervisory authority.

You will also have to tell the individual why you are refusing the request, inform them of their right to complain to the supervisory authority, and inform them of their option to enforce their rights through the courts.

How to Automate the Data Subject Requests?

When we talk about the Data Subject Access Request, we only refer to one of the eight rights granted by the GDPR, and organizations are obligated to comply with all of them.

Considering that most organizations still manage DSARs manually, with some sort of front-end submission form and requests processed via email or phone, it is doubtful whether they are ready to handle DSARs effectively.

At larger scale, resolving data subject rights manually will almost certainly lead to human error in handling and potentially expose the organization to significant risk.

The top business drivers for fulfilling DSARs are GDPR compliance, the organization’s reputation, CCPA compliance, and customer transparency. Therefore, numerous organizations worldwide are investing in a privacy tool to help them manage DSARs and stay compliant.