Data Subject Rights and its Exercise Under GDPR
Updated: Mar 16
Data subject rights has been a major point of discussion with the onset of GDPR. However, the concept is not new and can be traced back to Directive 1995.Before GDPR, companies could collect the personal data of consumers and users without much transparency or accountability to those individuals. On May 25, 2018, that all changed. GDPR granted new rights to data subjects (defined as the identifiable individuals about whom personal data is held) over how their personal data is processed by these companies, which are either based in the European Union (EU) or process the data of individuals who reside in the EU. Today, personal data is owned by the data subjects (with some exceptions, of course), as opposed to the companies which largely profit off this information.
One of the new rights granted to data subjects is the right to file a Data Subject Access Request (DSAR). A DSAR is a petition to a company by a data subject looking to confirm whether or not a company is holding personal data about the data subject petitioning, and if so, the data subject has the right to access that data, amend that data, or request for that his/her data be erased. The following are the types of DSR request:
Right to be informed- This right is about providing individuals with clear and concise information about what you do with their personal data.
Right of access (known as subject access request)- Individuals have the right to access and receive a copy of their personal data, and other supplementary information. This is commonly referred to as a ‘subject access request’ (SAR).
Right of rectification- right for individuals to have inaccurate personal data rectified, or completed if it is incomplete.
Right to erasure (also known as the right to be forgotten)- individuals have the right to ask to erase their personal data
Right to restrict processing- If someone asks you to restrict processing, you will be allowed to store the data, but won’t be able to use it.
Right to data portability- This right allows individuals to receive a copy of their personal data for personal use and/or to have their personal data transmitted from one controller to another controller.
Right to object to processing- the right to object to the processing of their personal data in certain circumstances. Individuals have the absolute right to object to the processing if it is for direct marketing purposes.
Right related to automated decision making including profiling- You should consider asking data subjects to consent if you need to process their data automatically for evaluation purposes.
Information to provide in a DSR response
The organization is obligated to provide confirmation that they are processing personal data, a copy of personal data, and other information including:
Purpose of personal data processing
Third-parties with whom the organization is sharing personal data if any
Categories of personal data the organization is processing
Source of data, (if the data is not collected from the individual)
Data retention period or for how long will organization keep data
Information about automated decision-making (including profiling)
Information about their GDPR rights (right to rectification, right to erasure, restriction of processing etc.).
Who can Submit a DSR?
DSAR can be submitted by anyone whose personal data the organization is processing. The individuals are not obligated to provide any reason for submitting a DSAR and can request a copy of their data at any time.
Contrary to some beliefs, DSAR is not applied only to employees, but also to customers, partners, and contractors. According to some research on the state of data rights, the requests mostly originate from customers rather than employees.
This is especially true in the U.S. However, employees of companies headquartered in the EU request personal data at a significantly higher rate than employees of companies headquartered in other parts of the world.
DSAR can also be submitted on behalf of someone else if that person is authorized by the data subject. Examples would be a:
Parent requesting on behalf of a child
Legal representative requesting on behalf of the client
Relative or a friend
Person appointed as a guardian
The organization has a right and an obligation to ask for a written authorization or other documents supporting the authorization. How to submit a request?
DSAR can be submitted in writing or verbally. For example, over the phone, or by filling out the form on the web.
Through any channel, including social media, and to any person inside the organization (for example to the marketing department).
Also, the request does not have to be addressed as a DSAR request, mention GDPR or any specific right.
The person can simply ask to get insight into their data or to get information about the processing of their personal data and the organization is obligated to recognize the request and respond timely.
This is why it is extremely important that key personnel and departments are familiar with data subject rights and know how to recognize DSAR and which steps to take when they receive such a request.
What does this mean for businesses?
The advent of DSARs creates a greater administrative burden for the companies that process personal data, but there are a few best practices that may help alleviate this burden for data controllers and processors.
The very first thing an organization must do that is trying to comply with GDPR is nominate a Data Protection Officer (DPO). The DPO is responsible for overseeing an organization’s GDPR obligation and specifically fulfilling DSAR requests.
Once a DPO has been nominated, an organization ought to create a living data inventory of all the data that is collected and stored on behalf of the organization. It is explicitly stated in Article 30 of GDPR that an organization must keep records of all the personal data stored, and all data processing activities. This inventory is critical to fulfilling DSAR requests because it will provide an overview of all the personal data stored in organization databases, which will inform how the DSAR is executed.
After the data inventory has been created and maintained, a compliance officer at the organization must establish protocol for recognizing DSARs, verifying the identity of the requester, articulate a protocol for fulfilling a DSAR and delivering a fulfilled DSAR within the one-month deadline.
By aiming to become GDPR compliant and creating the infrastructure to fulfill DSARs means that an organization is committing to at least the following:
Maintain an accurate data inventory