A Data Subject Access Request (DSAR) is a request made by individuals to an organization asking for access to the personal data that the organization holds about them.
This right is a fundamental aspect of data protection laws, such as the General Data Protection Regulation (GDPR) in the European Union, allowing individuals to have more control over their personal information.
When you submit a DSAR, you are essentially asking to see a copy of all the personal data an entity has about you.
This can include your name, address, email, and any other personal details, as well as how this data is being used, who it is being shared with, and the purpose of its processing.
You might also ask for clarification on the logic behind automated decision-making processes affecting you, such as credit scoring.
Organizations are required to respond to your DSAR without undue delay, typically within one month of receipt.
They must provide a copy of the data free of charge, although they may charge a reasonable fee for additional copies or if the request is unfounded or excessive.
Submitting a DSAR can be done for various reasons.
Perhaps you wish to verify the accuracy of the personal data held about you, or you’re concerned about how your data is being processed and want to ensure it’s being done lawfully.
You might even use a DSAR as a precursor to exercising other rights, such as the right to erasure (the right to be forgotten) or the right to data portability.
In practice, fulfilling a DSAR can be a complex process for organizations, requiring them to meticulously gather and review the requested information while ensuring they do not infringe on the privacy of other individuals.
For instance, if your data is intertwined with that of others, the organization must redact information related to third parties before providing you with your data.