How to Submit a Data Subject Access Request (DSAR) + Example DSAR

Under the European Union’s General Data Protection Regulation (GDPR) and California’s California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), individuals have the right to request data collected about them via a data subject access request, or DSAR. 

But who is eligible to submit a DSAR? What information is covered, and what should a DSAR include? This article clearly explains the answers to these questions, plus, includes an example DSAR you can copy, edit, and use yourself.

‍

Contents:

• Who can submit a DSAR?
• What information is covered by a DSAR?
• What should be included in a DSAR?
• Sample DSAR

‍

Who can submit a DSAR?

As the name implies, a DSAR is a request by a data subject – that is, an individual about whom data is collected. Data subjects covered by the relevant laws (CCPA or GDPR) may make requests.

Under the CCPA, these data subjects are California residents. Under the GDPR, this issue is more complicated, particularly regarding extra-territorial reach. Generally, though, the right of access under the law applies to:

• Data subjects whose information is collected by a business that is in the EU, or
• When data is collected about someone who is in the EU, regardless where the collecting entity is located 

💀Both laws apply to natural persons only. The GDPR expressly excludes deceased persons, though it notes that EU member states may provide for rules regarding the processing of the data of deceased persons. The California provisions apply to “consumers,” a term defined under the law as “a natural person who is a California resident” for purposes of state tax law. 

Within those limitations, DSARs are available to a range of individuals, such as consumers and company employees, both current and former. (The CCPA originally excluded employees, but they are now included as of January 1, 2023.)

In some cases, a third party – such as a legal representative, parent or guardian – may submit a DSAR. Responding companies should be cautious about making data available to someone not authorized to receive it. 

Also, note that companies collecting the data of minors have other privacy protection obligations outside the scope of this ebook.

Related: How do privacy attorneys think about AI? Read 👀

‍

What information is covered by a DSAR?

The requirements for businesses to respond to DSARs arise from individuals’ rights of access/rights to know about their personal data being held or processed by the business. 

As such, businesses must provide information to requesting individuals such as:

• Whether they are collecting, selling, sharing, and/or processing personal information
• The purposes the personal data is being held for
• Categories of information
• The specific information collected and/or processed

‍

Personal information: GDPR vs. CCPA

Personal data can be fairly broad. For example, the GDPR defines “personal data” as:

any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

‍Note: This covers information from which a person may be identified “directly or indirectly.” Pseudonymized information may be covered if the information can be combined with other information to be attributed to a person.

Under the CCPA, “personal information” means: 

information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This may include such information as name, address, IP address, account name, and more, if it could be “reasonably linked, directly or indirectly, with a particular consumer or household.” The CCPA also sets forth other specific categories, such as characteristics of protected classifications, commercial information like purchase history, browsing history, geolocation, employment information, and other categories.

Personal information covered by other laws

This guide discusses personal data or personal information generally. Certain categories – like health information or particularly sensitive information like religious or philosophical beliefs, sexual orientation, etc. – may be covered by other laws, or its processing outright prohibited. 

For example, the CCPA does not cover medical information covered by federal laws including the Health Insurance Portability Act (HIPAA), as well as California state law governing medical information.

‍Related: Learn how data privacy architects safeguard your data against AI 🕵️

‍

What should be included in a DSAR?

There is no specific required format for a DSAR. It simply needs to request access, by an individual covered by the relevant law, to personal data or information.

The following elements may be included:

• Date of the request;
• Name (including other names by which you have been known, if relevant);
• Email address;
• Mailing address;
• Phone number;
• Account numbers that would help the organization to identify you;
• The information you would like to receive. This could also include, if applicable, information that you do not wish to receive;
• Other information that would help the organization to identify you, such as relevant dates;
• How you would like to receive the information; and
• Although not required, the reason you would like to access your information (this may assist the organization in identifying your information).

The EDPB’s guidelines state that, unless the request specifically states otherwise, a data subject’s “request to exercise the right of access shall be understood in general terms, encompassing all personal data concerning the data subject.” In other words, the DSAR should be read broadly unless it is clearly limited.

CCPA requirements for DSAR submission

The CCPA requires businesses to make available to consumers at least two methods to submit an access request, including a toll-free telephone number. 

If the business has a website, one method must be the website. 

For a business operating exclusively online with “a direct relationship with a consumer from whom it collects personal information,” only an email address is required. 

‍

Sample DSAR

Below is a sample DSAR containing the elements discussed above. Each individual and situation may differ and this template is provided as general guidance.

‍

[Data subject name, address, and email address]

[Business name, address, and email address, including name of Data Protection Officer, if available]

[Date]

Subject: Data Subject Access Request

Dear Sir or Madam:

I am writing pursuant to [applicable law, such as California Consumer Protection Act or Article 15 of the General Data Protection Regulation] to request access to personal data your organization has collected about me.

Please provide:

• Confirmation whether or not your organization has collected personal data about me;
• A copy of any personal data your organization has collected about me;
• The purpose(s) of the collection, processing, sharing, and/or selling of personal data about me;
• the categories of personal data collected about me;
• the recipients or categories of recipient to whom the personal data have been or will be disclosed [in particular recipients in third countries or international organizations, under GDPR];
• where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; and
• the sources [or categories of sources under the CCPA] from which personal data is collected about me.

[Optional: Insert information about the purpose of your request or other information that would help to identify you. For example, account numbers, date in which you became a customer or employee of an organization.]

Please provide the information in a readily usable electronic format [and/or other reasonable specifications regarding the format in which you would like to receive the information].

Please let me know as soon as possible if you require further information from me in order to process this request.

Thank you for your attention to this matter. 

Kind regards,

[Name]

Seamless DSAR response with DISCO

While responding to DSARs can be complicated and time-consuming, compiling and preparing the information requested doesn’t have to be overwhelming. With dethreading, deduplication, and mass redaction capabilities, DISCO Ediscovery makes DSAR response fast, compliant, and straightforward.

Per happy DISCO client Khadra Isse, Data Protection Specialist at global insurance brokerage Lockton,

“Switching to DISCO's DSAR workflow was a game-changer for our team. Previously, a DSAR took us a staggering 817hours across six people, stretching our resources thin.

With DISCO's streamlined platform, we completed the same task in just 141 hours, with only three people involved. This impressive reduction in time even includes the 35 hours we spent getting oriented with the platform. DISCO not only saved us hundreds of hours but also significantly improved our team's efficiency and focus. We couldn't be more pleased with the results!"

‍

See for yourself how DISCO can help your organization with DSARs and more: Request a demo.

About the author: Richard English is Director of Review Operations, EMEA at DISCO. He has over 12 years of experience in eDiscovery professional services and is a specialist in all aspects of UK DSAR review work.