In this article, you’ll get an overview of the structure and underlying concepts in the major data privacy laws pertaining to Data Subject Access Requests (DSARs) – the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

What is a Data Subject Access Request and what is its purpose?
A DSAR, or Data Subject Access Request, is a request submitted to organizations by individuals seeking to access and control the data that companies collect about them.
Simply put, a DSAR is a request for personal information.
Under both the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), consumers have rights to access data collected about them.
As a general matter, individuals have the right to know what information is being collected and used about them under the CCPA, GDPR, and similar laws. There are some limitations discussed below, but the requirements associated with a DSAR should be interpreted broadly.
What is the difference between DSARs and DSRs?
Data Subject Access Requests vs. Data Subject Requests
As noted above, DSAR stands for “data subject access request.” DSR, on the other hand, is an acronym for “data subject request.”
In short, DSRs simply request information. DSARs require an organization to turn over information collected, along with certain details about the collection and sharing of the information. DSARs might be considered a subset of DSRs.
In addition to access, DSRs may request other action. This could include a request to delete, correct, or opt out of the sale of personal information. This guide primarily discusses the right of access, though companies should be aware of these other rights.
Note: The terms “DSR” and “DSAR” are sometimes used interchangeably, along with other terms such as subject access request (SAR). Further, consumers are not required to use any of these terms in an access request. Companies processing requests should understand what is actually being requested, as the response requirements may differ.
GDPR DSAR requirements
The European Union’s General Data Protection Regulation (2018)
The European Union has long had robust privacy laws. The adoption of the GDPR (General Data Protection Regulation) in 2018 brought these laws into stark perspective.
The GDPR made clear that businesses that collect personal information from EU residents are subject to the law, even if the businesses are located outside of the EU.
Article 15 of the GDPR governs the right of access. It states, in part:
- The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
(a) the purposes of the processing;
(b) the categories of personal data concerned;
(c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;
(d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
(e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
(f) the right to lodge a complaint with a supervisory authority;
(g) where the personal data are not collected from the data subject, any available information as to their source;
(h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
In 2023, the European Data Protection Board (EDPB) – an independent body established under the GDPR to ensure consistency on the law – adopted guidelines on the right of access by data subjects. According to the EDPB, the right of access under the GDPR includes three separate components:
- Confirmation of whether or not data is processed;
- Access to personal data; and
- Access to information about the processing, such as the purpose of processing, categories of data, duration of processing, and more.
CCPA DSAR requirements
The first comprehensive data privacy laws in the U.S.
Unlike the EU, the United States does not have a comprehensive national data privacy law. Federal laws cover certain aspects, including collection of data by federal agencies, health-related data, financial data, and children’s data. However, regulation is largely left to individual states to determine, leading to laws like the California Consumer Privacy Act (CCPA).
The CCPA was signed into law in 2018, took effect in 2020, and was the first comprehensive data privacy law in the U.S. The CCPA was followed in 2020 by the California Privacy Rights Act (CPRA), a ballot proposition approved by voters in the state, much of which took effect in 2023. Many considering U.S. privacy laws look to California as an example.
The CCPA established a “right to know” about personal information collected, along with other rights. The CPRA adds rights to correct personal information and limit use and disclosure.
The CCPA and CPRA apply to the personal information of California residents, even in some cases when the business collecting the information is outside of California.
A covered business must do business within the state and meet at least one of the following thresholds:
1) have gross annual revenues over $25 million,
2) buy, receive, sell, or share personal information of at least 100,000 people or households per year, or
3) derive at least half of annual revenues from selling or sharing consumers’ personal information.
Doing business within the state does not require a physical presence in California, and may apply to businesses with online sales, employees, or some other connections to the state. The CCPA also applies to service providers and third parties dealing with such businesses, and the CPRA added contractors.
The CCPA, as amended by the CPRA, provides in part:
(a) A consumer shall have the right to request that a business that collects personal information about the consumer disclose to the consumer the following:
(b) The categories of personal information it has collected about that consumer.
(c) The categories of sources from which the personal information is collected.
(d) The business or commercial purpose for collecting, selling, or sharing personal information.
(e) The categories of third parties to whom the business discloses personal information.
(f) The specific pieces of personal information it has collected about that consumer.
Unless the data subject specifies otherwise, disclosure only needs to reach back 12 months prior to receipt of the DSAR. In addition, businesses are not required to provide information more than twice in a 12-month period.
DSAR Comparison: GDPR vs CCPA
While GDPR and CCPA share the common goal of giving consumers control over their personal data, these laws differ in jurisdiction, scope, compliance requirements, and enforcement mechanisms. Below is a brief overview of key aspects of DSAR compliance under each regulation.
Who must comply?
- GDPR: Any organization processing personal data of individuals in the EU, regardless of the organization's location.
- CCPA: Any organization that does business within the state of California (which does not require a physical presence in California), and meets certain revenue or data-processing thresholds.
What is the scope of personal data covered?
- GDPR: Any piece of information that relates to an identifiable person, including but not limited to name, identification number, location data, and factors specific to the physical, genetic, and cultural identity of that person.
- CCPA: Any data that could reasonably be linked to a California resident or household, such as name, social security number, internet browsing history, and email address.
Verification of identity
- GDPR: Organizations must use reasonable measures to verify the identity of the requester before disclosing personal data. However, businesses should avoid requesting formal identification documents unless necessary.
- CCPA: Businesses must verify identity to a reasonable degree of certainty, for example by matching two data points provided by the consumer (such as an email address) against data points maintained by the business.
Right to third-party authorization
- GDPR: Data subjects can authorize third parties, such as legal representatives, other individuals, or public authorities, to make DSARs on their behalf or to process personal data.
- CCPA: Consumers may designate an authorized agent to submit a request on their behalf, subject to verification.
Time to comply
- GDPR: Organizations must respond within one month, extendable to three months in complex cases.
- CCPA: Businesses must respond within 45 days, with potential extensions up to 90 days if reasonably necessary.
What must be disclosed?
- GDPR: Organizations must provide a copy of the personal data, the purpose of processing, data recipients, data retention periods, and rights related to rectification or erasure. In addition, businesses must disclose information such as:
  - The lawful basis for the processing
  - The categories of personal data obtained
  - The details of transfers of the personal data to any third countries or international organizations
  - The details of the existence of automated decision-making, if applicable
- CCPA: Businesses must disclose the categories of personal data collected, sources, purposes for collection, third-party recipients, and the specific pieces of collected information. In addition, organizations must disclose the categories of information sold and the categories of third parties to whom the information was sold.
Right to data portability
- GDPR: Data subjects have the right to receive their data in a structured, commonly used, and machine-readable format.
- CCPA: Consumers have the right to request and receive their personal information in a readily usable format, and the business must provide it in a format that enables the consumer to transmit the information to another party.
Right to deletion
- GDPR: Individuals can request deletion of their data unless an exemption applies, such as legal obligations.
- CCPA: Consumers can request deletion, but businesses may deny the request if the data is necessary for legal, security, or contractual purposes.
Exemptions & limitations
- GDPR: DSARs are limited to personal data and can be denied if they are excessive, unfounded, or conflict with other legal obligations. Exemptions include processing necessary for exercising the right to freedom of expression and information, public interest in public health, and archiving of certain public interest, scientific, or historical research.
- CCPA: Businesses can deny DSARs for reasons such as security concerns, fraud prevention, and compliance with legal obligations. Additional exemptions for refusing a deletion request include completing a transaction, debugging, exercising free speech rights, certain internal business uses, and specific scientific, historical, or statistical research purposes.
Non-compliance penalties
- GDPR: There are two tiers of GDPR fines, with less severe infringements resulting in a fine of up to 10 million euros or 2% of the firm’s worldwide annual revenue, whichever amount is greater. More serious infringements could result in a fine of up to 20 million euros or 4% of the firm’s worldwide annual revenue, whichever amount is higher.
- CCPA: Businesses may face fines of up to $7,500 per intentional violation and $2,500 per unintentional violation.
Easier DSAR response with DISCO
Complying with DSARs can bring up complicated questions and potentially time-consuming procedures. While this guide provides an overview of common issues, the circumstances and your response to the DSAR will vary depending on the law, the information being requested, and more.
While responding to DSARs can be complicated and time-consuming, compiling and preparing the information requested doesn’t have to be overwhelming. Learn how DISCO can provide customized and efficient solutions for reviewing and complying with DSARs.
With our deep experience providing solutions to companies and law firms – including our award-winning ediscovery platform with dethreading, deduplication and mass redaction capabilities – our platforms can give you and your counsel a leg up in seamlessly handling DSARs.