How to manage data subject access requests (DSARs) efficiently

This article aims to help organisations understand and manage DSARs in a way that builds trust and makes the company's data protection regime comprehensive. If you are moving into the data protection and privacy field, this will help you.

Introduction

You are sitting at your desk working on a complex Data Protection Impact Assessment when suddenly you get a notification – a Data Subject Access Request (DSAR). 

Do not panic! While it might sound like something from a spy thriller (“The DSAR Identity” or “Mission: DSAR-possible”), it is just someone exercising a fundamental right: the right to know what data you hold about them. Think of it as a digital version of “This Is Your Life,” except instead of surprising celebrities with long-lost relatives, you are surprising customers with copies of their data.

Understanding DSARs

What are data subject access requests?

You make a Data Subject Access Request (DSAR) when you want to see what personal information an organisation holds about you. 

For example, if you are curious about the data a company has collected from your online activities, you can submit a DSAR to access that information. 

Imagine opening a filing cabinet that holds an organisation’s records about you. You have the right to explore what is inside. This includes everything from your basic contact details to any assessments, opinions, or decisions made about you.

For example, your phone number and email address are part of your contact details, while a performance review or a medical assessment reflects opinions or decisions regarding your situation.

Why are DSARs important?

DSARs serve as a fundamental bridge between individuals and organisations handling their data. They promote transparency and build trust. For businesses, proper DSAR handling is not just good practice – it is a legal requirement that shows respect for customer privacy and helps avoid hefty fines.

Regulatory frameworks governing DSARs

GDPR and DSARs

The General Data Protection Regulation (GDPR) establishes specific guidelines for managing Data Subject Access Requests (DSARs) across Europe. Organisations need to respond within 30 calendar days and typically cannot impose a fee. Companies must provide a copy of personal data in a clear and understandable format, ensuring that individuals can easily access and comprehend their information. The right itself derives from Article 15 of the GDPR, which sets out the right of access.

Other global data protection laws

Many countries have implemented their own data protection laws in addition to GDPR. For example, Brazil has the General Data Protection Law (LGPD) while California has the California Consumer Privacy Act (CCPA). These regulations aim to safeguard personal data and ensure individuals’ privacy rights are respected. 

The California Consumer Privacy Act (CCPA) grants individuals in the United States the right to access their data. Similarly, LGPD empowers citizens to request information about their data usage. In Japan, the APPI ensures that individuals can access their personal information held by businesses. 

Each of these regimes sets its own requirements and timelines, and every organisation must adhere to the ones that apply to its situation.

The rights of data subjects

Think about how much of your life exists online—your emails, shopping history, bank transactions, social media interactions, and even fitness tracking data. Every time you sign up for a service, buy something, or simply browse a website, you leave behind digital footprints. But does that mean companies can do whatever they want with your information? Absolutely not.

Just as you would not hand over your house keys to a stranger, your personal data should not be accessible without your knowledge or control. That is why data protection laws grant individuals certain rights over their information. Let us walk through them.

Right to access personal data

At its core, this right is about transparency. If a company is holding your personal data, you have the right to ask, “What exactly do you know about me?” and they are legally required to provide an answer.

For instance, say you have been banking with the same institution for years. You might want to see what personal details they have on record, including your transaction history, contact information, and any communication you have had with customer support. Similarly, if you frequently shop online, you can request access to the data the retailer has stored—purchase history, delivery addresses, and even customer service chat logs.

This right ensures that no organisation is holding secret information about you or using your data in ways you are unaware of. It is the equivalent of being able to review your medical records whenever you need them—you should have full visibility over what is being kept in your name.

Similarly, a customer can enquire about the details a retail company has collected during their purchases. This encompasses:

  • Email communications
  • Records of customer service interactions
  • Financial transactions
  • Marketing preferences
  • Employee records, if applicable

Right to rectification and erasure

What if the information a company has about you is wrong? Maybe they have an old phone number, a misspelled name, or outdated address details. In such cases, you have the right to request corrections.

Beyond fixing mistakes, you can also ask companies to erase your data entirely. For example, if you stop using a particular service and no longer want your details in their system, you can request deletion. However, there are some exceptions—organisations might need to keep certain data for legal or contractual reasons. A bank, for instance, can’t erase your transaction history if financial regulations require them to retain it for auditing purposes.

Think of it like canceling a membership at a gym. If you decide you are done with the service, they should remove your records unless something legally binds them to keep it.

Right to data portability

Imagine you have been using a streaming service for years, building playlists and saving favorites. Then, one day, you decide to switch to a new platform. Should you have to start from scratch? No. The right to data portability ensures that you can take your personal data from one service to another in a structured, commonly used format.

This applies not only to entertainment services but also to more critical areas like banking, cloud storage, and even healthcare. If you are moving to a different bank, for example, you should be able to transfer your financial data seamlessly rather than manually re-entering years’ worth of details.

The idea is to prevent companies from trapping users by making it difficult to move their data elsewhere. You should have the freedom to switch services without losing access to your own information.

Right to restrict processing

Let us say a company has your contact information because you bought something from them once. Does that mean they can flood your inbox with promotional emails forever? Not if you do not want them to.

This right allows individuals to restrict how their data is processed. You might allow a company to keep your information for billing purposes, but you can explicitly say, “I don’t want my data used for marketing.” Similarly, you might permit a medical provider to store your health records but not share them with third-party researchers without your consent.

It is about having control. Just because a company has your data doesn’t mean they can use it however they like.

Building a robust DSAR management process

Since individuals have these rights, organisations must have a clear and structured process for managing requests. Otherwise, things can quickly become chaotic—especially for companies handling large amounts of customer data.

Step 1: Establish a clear policy

Every organisation should have a documented policy for handling Data Subject Access Requests (DSARs). This policy should answer key questions:

  • Who is responsible for managing requests? Should it be the legal team, customer support, or a dedicated privacy officer?
  • How quickly must they respond? Most regulations set strict deadlines for replying to data requests.
  • What steps should be followed? There should be a standardised process for verifying identities, retrieving data, and securely delivering it.
  • Where is the data stored? If a company cannot easily locate the information, responding to requests will be unnecessarily complicated.
  • How should requests be documented? Keeping proper records ensures compliance and helps resolve disputes if needed.

This is similar to how companies handle customer complaints—you wouldn’t want employees guessing how to respond each time. A structured approach ensures efficiency and compliance.

Step 2: Involve the right teams

Handling data requests is not just a one-person job. It requires coordination across multiple departments:

The legal team ensures that the company’s response aligns with privacy laws. They help:

  • review complex cases (e.g., when deleting data might conflict with legal obligations),
  • update internal policies to stay compliant with evolving regulations, and
  • decide how to handle difficult or excessive requests.

IT & data management teams

Since data is stored digitally, IT teams play a crucial role in retrieving and securing it. Their responsibilities include:

  • Locating and compiling requested data efficiently.
  • Ensuring that personal information is securely transferred.
  • Automating processes to make DSAR responses faster and smoother.

Without IT involvement, retrieving scattered data across multiple databases can become a logistical nightmare.

DSAR policy clauses with explanations

I. SCOPE AND PURPOSE CLAUSE

Think of this clause as the backbone of your policy—just like a constitution defines a government’s powers, this clause sets the boundaries for how DSARs (Data Subject Access Requests) apply within your organisation.

Key points to keep in mind:

  • Be broad yet clear – Ensure the language covers all data processing activities within the organisation. Do not limit it to digital databases—include handwritten records, archived files, and automated systems.
  • Cover all entities involved – Your organisation remains responsible for personal data, even when employees, contractors, or third-party processors handle it. This is like a construction project—if a subcontractor makes a mistake, the main contractor is still accountable.
  • Acknowledge global compliance needs – Instead of tying the policy strictly to GDPR, refer to “applicable data protection laws.” This flexibility is essential, especially for businesses operating in multiple jurisdictions.
  • Legal foundation matters – Your policy should align with GDPR Articles 2 and 3 (which define material and territorial scope) and Article 24 (which sets out controller responsibilities). Ensuring compliance with these provisions strengthens your policy against regulatory scrutiny.

By structuring your Scope and Purpose clause with these elements, you create a strong foundation for handling DSARs efficiently while staying compliant across different legal frameworks.

The drafted part should look something like this:

“1.1. This Data Subject Access Request Policy applies to all Personal Data processed by [Company Name] (“the Company”), its employees, contractors, and third-party processors. It establishes mandatory procedures for handling Data Subject Access Requests in compliance with applicable data protection laws, including but not limited to the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other relevant privacy regulations.

1.2. This Policy covers all Personal Data held by the Company in any form, whether electronic or physical, structured or unstructured, including but not limited to customer databases, employee records, surveillance footage, email communications, and log files.”

II. DSAR SUBMISSION AND RECEIPT CLAUSE

Think of this clause as your customer service system for DSARs—it ensures requests are accessible while keeping the process structured and secure.

Multiple ways to submit requests – Not everyone prefers (or can use) online portals, so providing options like email and postal mail ensures inclusivity. This aligns with GDPR Article 12, which requires organisations to facilitate the exercise of data subject rights.

Fast & reliable logging – A 24-hour logging requirement is not just a regulatory checkbox; it is a safeguard to ensure requests do not slip through the cracks. Every request is promptly recorded, creating a trackable, auditable system.

Why logging details matter

  • Date & Time Stamp → Keeps compliance deadlines on track.
  • Identity Record → Ensures proper verification.
  • Nature of Request → Determines the right processing path.
  • Acknowledgment & Assignment → Adds accountability.

The drafted part should look something like this:

“2.1. Data Subjects may submit DSARs through the following authorised channels:
a) Online portal at [website URL]
b) Email to privacy@[company].com
c) Written request to [postal address]
d) In person at [office location]

2.2. All DSARs must be logged in the Company’s DSAR tracking system within 24 hours of receipt, recording:
a) Date and time of receipt
b) Identity of the requestor
c) Nature of the request
d) Acknowledgment status
e) Assigned handler”

III. VERIFICATION REQUIREMENTS CLAUSE

Verification is the first line of defense against unauthorised access to personal data. Just like a bank verifies identity before granting account access, this clause ensures that only genuine requests are processed while keeping the process fair and efficient.

For online account holders – Since they already have a secure relationship with the organisation, verification builds on existing safeguards. Secure login and two-factor authentication (2FA) help confirm identity, while matching details with registered information helps detect any fraudulent attempts.

For non-account holders – Stronger verification is needed due to the lack of an established relationship:

  • Government-issued ID → Confirms identity.
  • Proof of address (dated within 3 months) → Ensures up-to-date information.
  • Signed declaration → Adds a legal layer of accountability.

For third-party requests – Since these involve additional risks, stricter controls apply:

  • Written authorisation from the data subject → Establishes consent.
  • Proof of legal authority → Confirms the third party’s right to act.
  • Dual verification (checking both the requester & data subject) → Prevents impersonation and fraud.

The drafted part should look something like this:

“3.1. The Company shall verify the identity of the Data Subject before processing any DSAR through the following methods:
a) For online accounts:
 – Login to a secured account
 – Two-factor authentication where enabled
 – Verification against registered information
b) For non-account holders:
 – Government-issued photo ID
 – Proof of address dated within 3 months
 – Signed declaration of identity

3.2. For requests made by third parties acting on behalf of a Data Subject:
 – Written authorisation from the Data Subject
 – Evidence of legal authority (power of attorney, court order)
 – Verification of both third party and Data Subject identities”

IV. PROCESSING TIMELINES AND RESPONSE DEADLINES

This clause establishes how quickly DSARs must be processed, ensuring compliance while allowing for flexibility in complex cases. To draft it effectively, here is what you need to include:

  • A clear baseline timeline – The standard response time is one month, as required by GDPR Article 12(3). This means the organisation must act promptly and not delay processing until the deadline approaches.
  • Immediate action requirement – Using phrases like “without undue delay” ensures that requests are acknowledged and assessed as soon as they arrive. This prevents backlogs and ensures timely handling.
  • Extension provisions – If a request is particularly complex, the policy should allow for an extension of up to two additional months. However, the clause must also require justification and communication of the delay to maintain transparency.
  • Defining when the clock starts – The countdown begins when the request is received and fully verified. This prevents compliance risks from incomplete requests or delayed identity confirmation.

The drafted part should look something like this:

“4.1. The Company shall respond to all DSARs without undue delay and in any event within one month of receipt of the request. This period may be extended by two further months where necessary taking into account the complexity and number of requests.

4.2. In case of an extension the Company shall inform the Data Subject of any such extension within one month of receipt of the request together with the reasons for the delay.

4.3. The timeline shall commence from the date of receipt of the request or in cases where additional identification is required from the date the Data Subject provides the requested verification information.”
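Clause 4.3 makes the deadline depend on when the clock starts, and clauses 4.1 and 4.2 bound any extension; the following Python tracker, an added example that is not part of the article, applies those rules to a constructed request and keeps the 8.1(g) timeline of actions. It assumes, since the page does not say, that “one month” means the same calendar day in the following month (clamped to that month’s last day) and that an extension notice is due no later than the base deadline.

```python
"""DSAR deadline tracking for clauses 4.1-4.3 (added example, not the article's own code).

Assumptions not stated on the page: 'one month' means the same calendar day in the
following month, clamped to the last day of that month (31 Jan -> 28/29 Feb); an
extension notice must reach the Data Subject no later than the base deadline.
"""
from __future__ import annotations

from calendar import monthrange
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


def add_months(d: date, months: int) -> date:
    """Return the same calendar day `months` later, clamped to the target month's length."""
    carry, month0 = divmod(d.month - 1 + months, 12)
    year, month = d.year + carry, month0 + 1
    return date(year, month, min(d.day, monthrange(year, month)[1]))


@dataclass
class DSAR:
    request_id: str                        # 8.1(a): unique identifier
    received: date                         # 2.2(a): date of receipt
    handler: str                           # 2.2(e): assigned handler
    verification_required: bool = False    # 3.1: ID requested from a non-account holder
    verified_on: Optional[date] = None     # 4.3: the clock starts here when ID was requested
    extension_months: int = 0              # 4.1: at most two further months
    events: list = field(default_factory=list)  # 8.1(g): timeline of all actions taken

    def record(self, when: date, action: str) -> None:
        self.events.append((when, action))

    def clock_start(self) -> Optional[date]:
        """4.3: receipt date, or the date the requested verification was supplied."""
        if not self.verification_required:
            return self.received
        return self.verified_on            # None until the Data Subject provides ID

    def base_deadline(self) -> Optional[date]:
        """4.1: one month from the start of the clock; None while the clock is stopped."""
        start = self.clock_start()
        return add_months(start, 1) if start else None

    def deadline(self) -> Optional[date]:
        """Base deadline plus any extension granted under 4.1."""
        start = self.clock_start()
        return add_months(start, 1 + self.extension_months) if start else None

    def extend(self, months: int, reason: str, notified_on: date) -> date:
        """4.1/4.2: up to two further months, with reasons, notified within the first month."""
        if not 1 <= months <= 2:
            raise ValueError("extension is limited to two further months")
        if not reason.strip():
            raise ValueError("an extension must state the reasons for the delay")
        base = self.base_deadline()
        if base is None:
            raise ValueError("cannot extend: identity verification still outstanding")
        if notified_on > base:
            raise ValueError("extension notice must be given within one month of receipt")
        self.extension_months = months
        self.record(notified_on, f"extension of {months} month(s) notified: {reason}")
        return self.deadline()

    def days_remaining(self, today: date) -> Optional[int]:
        due = self.deadline()
        return (due - today).days if due else None

    def overdue(self, today: date) -> bool:
        due = self.deadline()
        return bool(due and today > due)


def demo() -> dict:
    """Constructed sample: received 31 January 2025, ID requested and supplied 5 February."""
    r = DSAR("DSAR-2025-0001", date(2025, 1, 31), "privacy-team", verification_required=True)
    r.record(date(2025, 1, 31), "received via online portal; ID requested")
    stopped = r.deadline()                 # None: the clock has not started yet
    r.verified_on = date(2025, 2, 5)
    r.record(r.verified_on, "government-issued ID verified")
    base = r.base_deadline()               # 5 March 2025, counted from verification
    extended = r.extend(2, "search of archived paper records required", date(2025, 2, 20))
    return {"stopped": stopped, "base": base, "extended": extended,
            "remaining": r.days_remaining(date(2025, 4, 1)), "events": len(r.events)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```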

V. RESPONSE CONTENT AND FORMAT REQUIREMENTS

Think of this clause as your quality control checkpoint—it ensures DSAR responses are not just complete but also clear and useful to the data subject. Just like a legal disclosure document, everything must be well-structured, easy to understand, and leave no room for ambiguity.

First, every response should confirm whether data is being processed. Even if no data exists, the organisation must explicitly say so. This is not just a formality—it reassures the data subject and fulfills transparency obligations. It works the same way as a legal response to allegations—you cannot just ignore a claim; you must acknowledge it.

Now, if data is being processed, the response must include a copy of that data—but this does not mean simply dumping raw information. Context matters. The response should explain:

  •  Why the data was collected
  •  What categories it falls under
  •  Who it has been shared with

This ensures the data subject is not left guessing, much like how legal discovery requires not just documents but also their context and significance.

Next, the response should outline data retention and subject rights. People need to know how long their data will be stored and what rights they have, such as the right to request deletion or correction. This isn’t just about compliance—it minimises confusion and unnecessary follow-ups, making the process smoother for everyone.

Finally, let us talk about format and accessibility. The response must be:

  • Clear and in plain language—no technical jargon or legalese that makes it hard to understand.
  • Provided electronically by default—if the request was digital, the response should be too, though alternatives should be available if needed.

The drafted part should look something like this:

“5.1. The Company’s response to a DSAR shall include: a) Confirmation of whether Personal Data concerning the Data Subject is being processed b) A copy of the Personal Data undergoing processing c) The purposes of processing d) The categories of Personal Data concerned e) The recipients or categories of recipients to whom the data has been or will be disclosed f) The envisaged retention period or criteria for determining that period g) Information about the Data Subject’s rights to rectification, erasure and complaint h) Information about the source of the data if not collected from the Data Subject i) The existence of automated decision-making including profiling and meaningful information about the logic involved.

5.2. The response shall be provided in a concise, transparent, intelligible and easily accessible form using clear and plain language.

5.3. Unless otherwise requested by the Data Subject the information shall be provided in electronic format where the request was made electronically.”

VI. EXEMPTIONS AND LIMITATIONS

This clause acts as a safeguard, ensuring DSARs are processed fairly while protecting against misuse, security risks, and privacy conflicts. It does not take away the right to access—it just ensures requests are legitimate and manageable.

One key exemption applies to “manifestly unfounded” requests. The concept of “manifestly unfounded or excessive” requests comes directly from GDPR Article 12(5) but requires careful interpretation in practice. This does not mean a request is denied just because no data exists—that still requires a response. Instead, it applies to bad-faith requests, such as those made to harass an organisation or for malicious reasons. It is similar to how courts dismiss frivolous lawsuits.

Another limitation covers excessive or repetitive requests. If someone keeps asking for the same data over and over, the organisation can refuse or charge a reasonable fee—but only if it can justify why the request is excessive.

Identity verification is also critical. If a requester’s identity cannot be confirmed, the request cannot be processed—otherwise, there’s a risk of exposing personal data to the wrong person. This works just like security checks before accessing sensitive accounts.

Lastly, there’s the issue of third-party data. Sometimes, requested information includes details about other individuals. In such cases, access might be limited, redacted, or require additional consent to protect everyone’s privacy.

The drafted part should look something like this:

“6.1. The Company may refuse to act on a DSAR or provide only limited information where: a) The request is manifestly unfounded or excessive b) The Company cannot verify the identity of the requestor c) The request is repetitive in nature within a reasonable timeframe d) The data contains information about other individuals who have not consented to disclosure e) Legal professional privilege applies to the requested information f) The information is part of ongoing negotiations with the Data Subject g) The disclosure would prejudice ongoing legal proceedings

6.2. Where the Company refuses to act on a request it shall inform the Data Subject within one month of receipt of the request providing: a) The reasons for not taking action b) The possibility of lodging a complaint with a supervisory authority c) The option of seeking a judicial remedy”

VII. SECURITY MEASURES FOR DSAR PROCESSING

This clause is essential to ensure data access rights do not create security risks. Every DSAR contains sensitive information, so security must be built into every step of the process. Here’s how to draft it effectively:

  • End-to-End Encryption

Mandate encryption not just for the final response but throughout the entire DSAR process—from receipt to internal handling and delivery. This ensures that data remains secure at all times, just like the chain of custody in legal proceedings. Specify encryption standards, such as AES-256 for stored data and TLS for transmission.

  • Strict Access Controls

Define who can access DSAR-related data. Only authorised personnel should handle requests, and access should be granted on a “need-to-know” basis. This means:

  • Clear role-based access controls
  • Mandatory training on DSAR handling
  • Logging every access attempt

This section should explicitly state that unauthorised access is prohibited and outline penalties for breaches.

  • Comprehensive Audit Logging

Every DSAR action—from receipt to resolution—should be logged. The clause should specify:

  • What information must be logged (e.g., timestamps, user actions)
  • Retention periods for logs to ensure compliance
  • Tamper-proof storage to prevent manipulation

The drafted part should look something like this:

“7.1. The Company shall implement appropriate technical and organisational measures to ensure the security of Personal Data during the DSAR process including: a) End-to-end encryption for all electronic transmissions of Personal Data b) Access controls limiting DSAR processing to authorised personnel c) Secure channels for communication with Data Subjects d) Audit logging of all DSAR processing activities e) Secure destruction of any temporary copies created during processing.

7.2. All personnel involved in DSAR processing must: a) Complete specific training on secure data handling b) Sign confidentiality agreements c) Follow documented security procedures d) Report any security incidents immediately

7.3. Where Personal Data is transmitted to the Data Subject it shall be: a) Password protected with secure password transmission b) Sent via secure delivery methods c) Accessible only by the intended recipient”

VIII. RECORD-KEEPING REQUIREMENTS

The Record-Keeping Requirements clause acts like an organisation’s memory, just as court records preserve legal history. It is more than just a compliance checklist—it creates a clear audit trail that safeguards both the organisation and individuals.

Here is why it matters:

  1. Tracking requests efficiently – Assigning a unique identifier to each request ensures easy tracking and reference, just like case numbers in court.
  2. Maintaining complete records – Keeping all related communications (not just formal requests) ensures decisions have proper context, similar to a legal case file where even minor details can be crucial later.
  3. Documenting exemptions clearly – If a request is denied or limited, the justification must be recorded, just like a judge explains a ruling. This includes the specific exemption used and supporting facts.
  4. Retention period balance – A two-year minimum ensures records are available for dispute resolution while avoiding unnecessary long-term storage. However, records can be kept longer if required, such as for ongoing litigation.

The drafted part should look something like this:

“8.1. The Company shall maintain a comprehensive record of all DSARs received and processed including: a) A unique identifier for each request b) Complete correspondence with the Data Subject c) Internal processing records and decisions made d) Copies of information provided in response e) Documentation of any exemptions applied f) Evidence of identity verification g) Timeline of all actions taken

8.2. These records shall be retained for a minimum of two years from the completion of the request unless a longer period is required by applicable law or ongoing legal proceedings.

8.3. The records shall be maintained in a searchable format that permits both individual request tracking and trend analysis.”

IX. THIRD-PARTY DATA HANDLING

The Third-Party Data Handling clause tackles a key challenge in DSAR processing—balancing the privacy rights of multiple individuals when their data is intertwined. It works like a judicial balancing test, ensuring fair decisions by weighing competing rights and interests.

The first step is always to separate the data, minimising interference with others’ privacy. If that is not possible, the next move is to seek consent. Only if consent is not granted does the organisation consider disclosure without it. This structured approach mirrors the legal principle of trying voluntary cooperation before taking more serious action.

If disclosure without consent is necessary, it must be carefully assessed. Factors like confidentiality obligations, potential harm, and the requester’s rights come into play, much like how courts evaluate privacy disputes. Documenting every step—separation attempts, consent efforts, and reasons for disclosure—demonstrates good faith and ensures compliance.

The drafted part should look something like this:

“9.1. Where the Company receives a DSAR that involves Personal Data about third parties it shall: a) Assess whether the information can be provided without revealing third-party Personal Data b) Where separation is impossible seek explicit consent from the third party for disclosure c) Consider whether it is reasonable to proceed without third-party consent d) Document all decisions and rationale regarding third-party data

9.2. In assessing the reasonableness of disclosure without consent the Company shall consider: a) Any duty of confidentiality owed to the third party b) Any steps taken to seek consent c) Whether the third party is capable of giving consent d) Any express refusal of consent by the third party

9.3. Where third-party data must be redacted the Company shall: a) Use appropriate redaction techniques that prevent reconstruction b) Maintain the context and meaningfulness of the remaining information c) Inform the Data Subject about the fact and extent of redaction”

X. SPECIAL CATEGORIES OF DATA

The Special Categories clause deals with the most sensitive types of personal data, requiring extra protection under data laws. This aligns with Article 9 of the GDPR, which treats certain data—like health records or biometric information—as high-risk and in need of strict safeguards. Handling such data in DSARs requires extreme caution, much like how medical records are given special legal protections.

Stronger security measures are a must since a breach could have serious consequences. Encryption must go beyond standard levels, and access controls should be extra tight—think of it like a hospital where certain areas require special clearance.

Access is also restricted to specially trained personnel. This reduces mishandling risks and ensures that only those with the right expertise manage sensitive data, just like how only qualified doctors can perform certain medical procedures.

Before any release, a Data Protection Officer (DPO) review acts as a final safeguard. This “four-eyes” principle ensures expert oversight, verifying both the content of the response and the security of its transmission. By following these precautions, organisations can handle special category data with the care it demands.

The drafted part should look something like this:

“10.1. When processing DSARs involving special categories of Personal Data the Company shall: a) Apply heightened security measures for the entire processing operation b) Restrict access to specially trained personnel c) Require additional verification of the Data Subject’s identity d) Implement enhanced encryption standards for data transmission

10.2. Special categories of Personal Data include: a) Racial or ethnic origin b) Political opinions c) Religious or philosophical beliefs d) Trade union membership e) Genetic and biometric data f) Health data g) Data concerning a natural person’s sex life or sexual orientation

10.3. Responses containing special categories of data must be reviewed and approved by the Data Protection Officer before release.”

XI. CROSS-BORDER DATA TRANSFERS

The Cross-Border Data Transfers clause should clearly define how an organisation ensures that personal data remains protected when transferred internationally. To draft this effectively, start by identifying all locations where data is processed or stored. This helps establish oversight and ensures transparency, much like determining jurisdiction in legal matters.

Next, the clause should require compliance with the strictest applicable data protection standards. Since different countries have varying rules, applying the highest standard ensures consistency and avoids conflicts. This is particularly important for multinational operations, where a unified approach simplifies compliance.

The clause must also outline how data transfer legitimacy is verified. This includes specifying the legal basis for the transfer—such as Standard Contractual Clauses (SCCs), adequacy decisions, or Binding Corporate Rules (BCRs)—and assessing whether the receiving country provides sufficient protection. The organisation should commit to regularly reviewing these assessments, as international data laws evolve.

Finally, documentation is key. The clause should require a clear record of transfer mechanisms, risk assessments, and ongoing monitoring. This ensures accountability and provides a strong compliance framework in case of audits or regulatory inquiries.

The drafted part should look something like this:

“11.1. For DSARs involving Personal Data stored or processed in multiple jurisdictions the Company shall:
  a) Identify all relevant data locations and applicable laws
  b) Coordinate response efforts across jurisdictions
  c) Apply the highest standard of protection where requirements differ
  d) Ensure compliant transfer mechanisms are in place

11.2. When transferring Personal Data internationally in response to a DSAR the Company must:
  a) Verify the legitimacy of cross-border transfers
  b) Implement appropriate safeguards for the transfer
  c) Document the legal basis for the transfer
  d) Inform the Data Subject of the international transfer

11.3. Where restrictions exist on international data transfers the Company shall:
  a) Seek alternative methods of providing access
  b) Consider providing access locally where possible
  c) Document any instances where transfer restrictions limit response capabilities”

XII. STAFF TRAINING AND RESPONSIBILITIES

The Staff Training clause ensures that DSAR handling is not just a policy on paper but a well-practiced skill among employees. To draft this effectively, outline a structured training framework that builds competence and keeps staff updated on evolving data protection laws.

Start by requiring initial training before any staff member handles DSARs. This should cover not only procedures but also the principles of data protection and data subject rights. Setting this as a prerequisite ensures that only qualified personnel process DSARs, much like legal practitioners needing admission to practice.

Next, include a regular refresher training requirement. Since laws and best practices evolve, annual training sessions help staff stay current and maintain their expertise. Think of this as continuing professional development—essential for ensuring compliance over time.

Clearly define roles and responsibilities to prevent confusion. Specify who handles which part of the DSAR process and ensure accountability. A well-structured system assigns clear ownership of tasks, making the entire process more efficient and legally sound.

The drafted part should look something like this:

“12.1. The Company shall ensure that all staff involved in DSAR processing receive appropriate training including:
  a) Initial comprehensive training before handling DSARs
  b) Regular refresher training at least annually
  c) Additional training when procedures or laws change
  d) Specific training for handling special categories of data

12.2. Staff responsibilities shall be clearly defined and documented:
  a) Front-line staff receiving requests
  b) DSAR processing team members
  c) Technical support staff
  d) Management and supervisory staff
  e) Data Protection Officer

12.3. All staff members shall be required to:
  a) Acknowledge their understanding of DSAR procedures
  b) Comply with confidentiality obligations
  c) Report any potential data breaches immediately
  d) Maintain detailed records of their DSAR activities”

XIII. COMPLAINT HANDLING AND APPEALS

The Complaint Handling clause ensures a fair and structured process for resolving disputes over DSAR responses, much like an internal appeals system. It reinforces the organisation’s commitment to data subject rights while providing a way to correct mistakes.

To draft this clause, start by requiring prompt acknowledgment of complaints—ideally within 48 hours. This reassures the complainant that their issue is taken seriously while allowing time for proper recording and review.

Next, mandate an independent assessment by someone who wasn’t involved in the original decision. This fresh review ensures objectivity, similar to how appeals courts reassess legal rulings.

The final decision must include detailed reasoning to explain the outcome clearly. This not only helps the complainant understand the decision but also ensures thorough internal review and compliance with data protection principles.

The drafted part should look something like this:

“13.1. The Company shall establish a formal complaint and appeals process for DSAR responses including:
  a) Clear procedures for submitting complaints
  b) Designated personnel for handling appeals
  c) Specific timeframes for response
  d) Documentation requirements for all decisions

13.2. Upon receiving a complaint the Company shall:
  a) Acknowledge receipt within 48 hours
  b) Review the original DSAR process and decision
  c) Conduct an independent assessment of the complaint
  d) Provide a reasoned response to the complainant

13.3. The appeals process shall include:
  a) Review by senior personnel not involved in the original decision
  b) Consultation with the Data Protection Officer
  c) Consideration of any new information or arguments
  d) Final written decision with detailed reasoning”

XIV. POLICY REVIEW AND UPDATES

The Policy Review clause ensures that DSAR procedures stay effective and compliant as laws and organisational needs evolve. Just like maintaining critical infrastructure, regular updates keep the system running smoothly.

To draft this clause, set a mandatory annual review while also requiring immediate reassessment when legal changes, organisational shifts, or incidents occur. This ensures policies remain relevant and effective rather than becoming outdated.

Define clear assessment criteria, including operational effectiveness, legal compliance, and resource adequacy. This structured approach ensures policies work in practice, align with regulations, and have the necessary staff and tools for success.

Finally, include update implementation measures: senior approval for oversight, mandatory communication to staff for smooth adoption, and version control to track changes. This keeps the policy transparent, accountable, and continuously improving.

The drafted part should look something like this:

“14.1. The Company shall conduct regular reviews of this DSAR Policy:
  a) At least annually as part of regular compliance review
  b) Following significant changes in applicable law
  c) After major organisational changes affecting data processing
  d) In response to identified deficiencies or incidents

14.2. The review process shall include assessment of:
  a) Effectiveness of current procedures
  b) Compliance with legal requirements
  c) Resource adequacy and allocation
  d) Technology and security measures
  e) Staff training needs

14.3. Policy updates shall be:
  a) Approved by senior management
  b) Communicated to all relevant staff
  c) Documented with version control
  d) Implemented with appropriate training
  e) Monitored for effectiveness”

XV. COMPLIANCE MONITORING AND REPORTING

The Compliance Monitoring clause ensures DSAR handling remains effective by turning policy requirements into measurable outcomes. Think of it as a diagnostic tool—regular checks help identify strengths, weaknesses, and early warning signs of potential issues.

To draft this clause, define Key Performance Indicators (KPIs) that track response times, procedural compliance, and the appropriateness of extensions. These metrics should be meaningful, not just easy to collect, ensuring real insights into efficiency and legal adherence.

Include a periodic audit requirement to dive deeper into selected cases, much like financial audits uncover details beyond routine tracking. This helps spot hidden inefficiencies and ensure best practices are followed.

Finally, set reporting and improvement measures. Regular reports should be reviewed at senior levels, turning data into actionable insights. A strong feedback loop ensures monitoring drives actual process improvements, keeping DSAR handling dynamic, compliant, and continuously evolving.

The drafted part should look something like this:

“15.1. The Company shall implement a comprehensive monitoring system to track DSAR compliance including:
  a) Key performance indicators for DSAR processing
  b) Regular compliance audits
  c) Process effectiveness reviews
  d) Staff performance monitoring

15.2. Compliance monitoring shall track:
  a) Response times and deadline compliance
  b) Quality of responses
  c) Complaint rates and resolution
  d) Security incident occurrence
  e) Staff training completion
  f) Resource utilisation

15.3. Regular compliance reports shall be prepared for senior management including:
  a) Summary of DSAR activities
  b) Compliance metrics and trends
  c) Identified risks and issues
  d) Recommended improvements
  e) Resource requirements”

A final version will look like this: here

Receiving and validating DSARs

So, a Data Subject Access Request (DSAR) has come in. Now what? The key is to make the process smooth—for both your team and the person making the request. Let us break it down.

Online forms

Imagine you book a flight, and within seconds a confirmation email lands in your inbox. That’s the level of efficiency your DSAR process should aim for. Online forms are your best bet because they:

  • Are simple and easy to access
  • Have clear instructions so no one’s left guessing
  • Work well on mobile (because let us be real, most people are on their phones)
  • Send automatic confirmation messages—so requestors know their submission didn’t just disappear into the void

Email and postal requests

Some folks prefer the traditional ways—email, letters, or even in-person visits. To keep things organised:

  • Set up a dedicated email address for DSARs
  • Clearly list your postal address for mail-in requests
  • Allow in-office visits or customer service assistance for those who want that face-to-face interaction

Verifying the identity of the requestor

Before handing over sensitive data, you need to make sure the person requesting it is actually who they say they are. Here’s how:

  • Ask for official ID—passport, driver’s license, something solid
  • Cross-check against their existing account details
  • Request proof of address—utility bills work well
  • Compare signatures—subtle details like loops and slants can reveal inconsistencies
  • Match their info with customer records—does everything align?

Handling invalid or vexatious requests

Not every request is made in good faith. Some people might:

  • Ask for excessive data without a clear purpose
  • Submit repeated or disruptive requests to cause chaos
  • Try to manipulate or deceive with bad-faith claims

If you suspect a request is unreasonable, it is okay to push back. Just make sure you document everything—you might need that paper trail later.

FAQs

Q.1. What is the typical timeline for responding to a DSAR under GDPR?

Organisations must respond within 30 calendar days. This can be extended by two months for complex requests, but you must inform the individual within the first month.

Q.2. Can a company charge a fee for processing a DSAR?

Generally, no. However, companies can charge a reasonable fee for excessive or repetitive requests, or for requests for additional copies.

Q.3. What should be done if a DSAR involves third-party data?

Redact or remove third-party information unless you have their consent, or it is reasonable to disclose without consent.

Q.4. How can small businesses manage DSARs efficiently?

Small businesses should:

  • Create simple, clear procedures
  • Use available technology
  • Train key staff members
  • Keep good records
  • Seek expert help when needed

Q.5. Are there exceptions to complying with a DSAR?

Yes, exceptions include:

  • Legal professional privilege
  • Management forecasts
  • Confidential references
  • Ongoing negotiations
  • Prevention of crime

Q.6. What are the consequences of failing to respond to a DSAR?

Consequences can include:

  • Regulatory fines
  • Reputation damage
  • Legal action
  • Loss of customer trust
  • Increased regulatory scrutiny
