Data Subject Access Requests (DSARs) for GDPR and CCPA

Industry & Legal Education
15 Min Read
By: Richard English
Posted: September 13, 2024

https://www.csdisco.com/blog/dsars-gdpr-ccpa-guide

In this article, you’ll get an overview of the structure and underlying concepts in the major data privacy laws pertaining to Data Subject Access Requests (DSARs) – the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

What is a Data Subject Access Request and what is its purpose?

Under both the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), consumers have rights to access data collected about them. A Data Subject Access Request – or DSAR – is a name commonly given to the requests submitted by individuals seeking the data that companies collect about them.

Simply put, the DSAR is a request for personal information. 

As a general matter, individuals have the right to know what information is being collected and used about them under the CCPA, GDPR, and similar laws. There are some limitations discussed below, but the requirements associated with a DSAR should be interpreted broadly. 

DSARs vs. DSRs

Data Subject Access Requests vs. Data Subject Requests

As noted above, DSAR stands for “data subject access request.” DSR, on the other hand, is an acronym for “data subject request.” 

In short, DSRs simply request information. DSARs require an organization to turn over information collected, along with certain details about the collection and sharing of the information. DSARs might be considered a subset of DSRs. 

In addition to access, DSRs may request other action. This could include a request to delete, correct, or opt out of the sale of personal information. This guide primarily discusses the right of access, though companies should be aware of these other rights.

Note: The terms “DSR” and “DSAR” are sometimes used interchangeably, as well as other terms like subject access request (SAR). Further, consumers are not required to use any of these terms in an access request. Companies processing requests should understand what is being requested, as the response requirements may differ.

DSARs and GDPR

The European Union’s General Data Protection Regulation (2018)

The European Union has long had robust privacy laws. The adoption of the GDPR (General Data Protection Regulation) in 2018 brought these laws into stark perspective. 

The GDPR made clear that businesses that collect personal information from EU residents are subject to the law, even if the businesses are located outside of the EU. 

Article 15 of the GDPR governs the right of access. It states, in part:

  1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

(a) the purposes of the processing;

(b) the categories of personal data concerned;

(c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;

(d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;

(e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;

(f) the right to lodge a complaint with a supervisory authority;

(g) where the personal data are not collected from the data subject, any available information as to their source;

(h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

In 2023, the European Data Protection Board (EDPB) – an independent body established under the GDPR to ensure the law is applied consistently – adopted guidelines on the right of access by data subjects. According to the EDPB, the right of access under the GDPR includes three separate components:

  1. Confirmation of whether or not data is processed;
  2. Access to personal data; and
  3. Access to information about the processing, such as the purpose of processing, categories of data, duration of processing, and more.

DSARs and CCPA/CPRA

The first comprehensive data privacy laws in the U.S.

Unlike the EU, the United States does not have a comprehensive national data privacy law. Federal laws cover certain aspects, including collection of data by federal agencies, health-related data, financial data, and children’s data. However, regulation is largely left to individual states to determine, leading to laws like the California Consumer Privacy Act (CCPA).

The CCPA was signed into law in 2018, took effect in 2020, and was the first comprehensive data privacy law in the U.S. The CCPA was followed in 2020 by the California Privacy Rights Act (CPRA), a ballot proposition approved by voters in the state, much of which took effect in 2023. Many considering U.S. privacy laws look to California as an example.

The CCPA established a “right to know” about personal information collected, along with other rights. The CPRA adds rights to correct personal information and limit use and disclosure.

The CCPA and CPRA apply to the personal information of California residents, even in some cases when the business collecting the information is outside of California. 

A covered business must do business within the state and meet at least one of the following thresholds:

1) gross annual revenues over $25 million;

2) buying, receiving, selling, or sharing the personal information of at least 100,000 people or households per year; or

3) deriving at least half of its annual revenues from selling or sharing consumers’ personal information.

Doing business within the state does not require a physical presence in California, and may apply to businesses with online sales, employees, or some other connections to the state. The CCPA also applies to service providers and third parties dealing with such businesses, and the CPRA added contractors. 

The CCPA, as amended by the CPRA, provides in part:

(a) A consumer shall have the right to request that a business that collects personal information about the consumer disclose to the consumer the following:

(b) The categories of personal information it has collected about that consumer.

(c) The categories of sources from which the personal information is collected.

(d) The business or commercial purpose for collecting, selling, or sharing personal information.

(e) The categories of third parties to whom the business discloses personal information.

(f) The specific pieces of personal information it has collected about that consumer.

Cal. Civil Code § 1798.110(a)

Unless the data subject specifies otherwise, disclosure only needs to reach back 12 months prior to receipt of the DSAR. In addition, businesses are not required to provide information more than twice in a 12-month period.

Easier DSAR response with DISCO

Complying with DSARs can bring up complicated questions and potentially time-consuming procedures. While this guide provides an overview of common issues, the circumstances and your response to the DSAR will vary depending on the law, the information being requested, and more.

While responding to DSARs can be complicated and time-consuming, compiling and preparing the information requested doesn’t have to be overwhelming. Learn how DISCO can provide customized and efficient solutions for reviewing and complying with DSARs. 

With our deep experience providing solutions to companies and law firms – including our award-winning ediscovery platform with dethreading, deduplication and mass redaction capabilities – our platforms can give you and your counsel a leg up in seamlessly handling DSARs.

Richard English, DISCO Director of Review Operations, EMEA

About the author: Richard English is Director of Review Operations, EMEA at DISCO. He has over 12 years of experience in ediscovery professional services and is a specialist in all aspects of UK DSAR review work.
