Data Subject Access Request (DSAR) support

Under the General Data Protection Regulation (GDPR), which came into effect on 25 May 2018, any individual whose personal data is obtained, stored or processed by an organization can make a request to that organization to obtain a copy of their information. This is known as a Data Subject Access Request (DSAR), and the right to access is one of the most powerful rights afforded to individuals under the GDPR. Therefore, organizations need to have robust procedures in place to be able to respond to DSARs.

What is a Data Portability Request (DPR)?

The GDPR also provides individuals with the right to data portability, which means the individual can request that a copy of their personal data be provided in electronic form to them, or to a nominated controller of their choice. This can be seen as a variant of a DSAR, as it only applies to certain personal data that fits the following criteria:

  • Processing of the personal data is based on consent
  • Processing of the personal data is based on a contract to which the data subject is a party
  • The processing is carried out by automated means

The right to portability only applies to data that the data subject has provided to the controller, which can be considered to be:

  • Data actively and knowingly provided by the data subject (for example, mailing address, user name, age, etc.)
  • Observed data provided by the data subject by virtue of the use of the service or the device (for example, a person’s search history, traffic data and location data)