7+1 tips on how to make the most out of your DSAR
Here are a few suggested tips, based on our own experience with Data Subject Access Requests (DSARs). This is based on DSARs under the EU General Data Protection Regulation (GDPR), but we hope our tips may be useful in other jurisdictions too.
- We have used DSARs as part of a few PI projects and learned many things along the way. This is a collection of tips based on our experience.
- While the issues detailed here are not exhaustive and PI is not in a position to advise you individually on your request, we hope that these tips might provide you with as much information upfront as possible on some of the most commonly experienced issues.
- Although this was primarily designed with the GDPR, the EU data protection law, in mind, we hope it may be helpful for other jurisdictions too. We are always interested in finding out about similar efforts.
- A template for DSAR is available at the bottom of this page
You may have found your way here because you are thinking about, or have just submitted, a Data Subject Access Request, maybe to your Facebook advertisers like we did. Or maybe you are curious to see if Policing, Inc. has your personal data.
The right to access your personal data (or access right) is just one of a number of data rights that may be found in data protection law, including the European Union's General Data Protection Regulation, better known as "GDPR", which took effect in May 2018. Under GDPR, you have the right to ask for a copy of your personal data as well as other accompanying information about this data, such as where it came from, what's being done with it and who it has been shared with. Subject to a few exceptions, the data controller must comply, for free, within 1 month.
To learn more about the right to access: we have a FAQ
If you wanna find out more about the other rights that do and should form part of a strong data protection framework, have a look at PI's Data Protection Guide.
While the issues detailed here are not exhaustive, we have tried to gather some tips on the most commonly experienced issues, including issues we encountered with our own DSARs to Facebook advertisers. We hope that this might make the process easier for users to exercise their rights, specifically the right of access, esnhrined in the GDPR.
Please note that any guidance contained here is neither exhaustive nor the only way to effectively exercise data protection rights. It is solely based on our own experiences while exercising our data protection rights as part of various PI projects (see for example our work with Data Brokers and AdTech companies.
PI is not in a position to advise you individually on your request. However, we hope that these tips will provide you with as much information upfront as possible. PI has not been nor will be legally representing you in connection with any request you make. You are responsible for providing any additional information or submissions to the companies you contact or to any regulatory body with which you may file a complaint.
1. It is less complicated than it sounds
If you think you'll need some kind of fancy lawyer to exercise your basic data protection rights, you are wrong. The whole purpose of access rights is to make it easy for anyone to verify that companies and governments process our data in a lawful way. This is why submitting a DSAR doesn't require any formalities; it can be as simple as an oral statement or even a comment on the social media accounts of the company you wish to DSAR, saying, for example, "I would hereby like to request a copy of all the personal data you have on me together with the relevant information I am entitled to".
However, we suggest that you submit your DSAR in writing, as this will give you a record of your request, and that, in case you have serious doubts about the lawfulness of the processing, you include all the questions GDPR enables you to ask (see 2 below).
Not all companies might have a specialised department dealing with data protection matters so it might be good to adequately signpost your correspondence. For example, you can include "GDPR Data Subject Access Request" in the subject line or body of your email. Finally, we recommend that you keep a copy of any correspondence for your own records, including any proof of delivery or screenshots in the case of online forms, as these might come in handy should you wish to follow up with the controller or the supervisory authority.
2. Ask for more than a copy of personal data
In the context of DSARs, a crucial aspect that is often ignored is that the GDPR allows you to ask for more than just your data. Yes, a copy of your perosnal data is important but do not forget that having the necessary information that accompanies it can be vital for the interpretation of the raw data you might receive. It might help you get a clearer picture about whether your personal data was treated lawfully and what the consequences of the use of your data might be.
According to Article 15 of the GDPR, besides requesting a copy of your personal data, you can also ask controllers questions about:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
- where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
- the right to lodge a complaint with a supervisory authority;
- where the personal data are not collected from the data subject, any available information as to their source;
- the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
As part of PI investigations, this information has helped us several times understand how data might be shared among various recipients, or what other third parties a company might be using to obtain additional data and enrich their user profiles, for example.
3. Choose your identifiers wisely
Let's say you want to submit a DSAR to your water supplier. The minimum information this company could possibly have on you is your name and surname, your address, your date of birth and maybe your email address or phone number. Submitting identifiers that you know that the company is already in posession of helps the controller identify you and pull the relevant data from their systems.
However, if you just submit a picture of you to your water supplier, chances are you are probably disclosing more data than necessary and it won't actually help them to find which data relates to you - which will likely result in an email hassle trying to properly identify you and the company eventually ending up with more data on you. It is therefore important to think about what data a controller, for example, a company, could possibly already have.
There might also be cases where you cannot be sure what exact data a company holds on you as you might have never interacted with them in the past. This was the case for us when we sent DSARs to Facebook advertisers as we specifically picked [companies we had never heard of[(/node/3864). In that case and after some research, we provided a series of identifiers that matched the personal data an advertiser would be expected to upload on Facebook, such as email address and Facebook ID. Some of these non-exhaustive identifiers are included in the DSAR template below. Also note that you can add a sentence in your DSAR to emphasise that you would like to have these identifiers erased from the controller's database once they've dealt with your request.
If in doubt a good place to start might be the controller's privacy notice, which should explain what type of data they hold and for what purpose. It's also fair to ask them to clarify what identifiers they need to search their database. For example, some AdTech companies, use their own specific AdIDs or rely on unique identifiers stored in cookies which they can link to your browsing history. The controller should facilitate you excercising your rights, and this should include explaining to you how to find any such identifier.
4. Asked to verify your identity? Don't send more than what is really necessary!
Often, a controller might ask you to verify your identity. This is in line with data protection laws and can help ensure that personal data, especially special-category data, are handed to the correct person. The last thing anyone wants when responding to a DSAR is a data breach. However, controllers do not have unlimited powers when it comes to what they can demand from you in order to verify your identity - it must be proportionate.
For example, a controller might ask you to provide a copy of your passport, in order to verify your ID, despite the fact that they are not in possession of that document in the first place. Note: providing a passport might be a proportionate step, if for example your full name and date of birth is an essential identifier and the controller wants to make sure that you are who you claim to be. But in many instances, it shouldn't be necessary.
While it is entirely up to you whether you want to provide these companies with a document they might not hold in the first place, it is important to make sure you feel comfortale submitting a copy of your ID or passport. In case you don't, we believe that you should still be able to obtain access to your personal data, so we suggest you reach out to the company suggesting alternative and reasonable ways to, if possible, verify your identity.
If you are OK with submitting a copy of official documents such as passports or ID cards (never submit the actual document), consider redacting any parts that are unnecessary for the purposes of verification and keep only the relevant ones.
5. You are not obliged to fill in these extra forms
The GDPR is clear. Data subjects should not be placed under an unreasonable or disproportionate burden to provide reasons for their DSARs or be confronted with unnecessary bureaucracy.
A company or local authority might provide for their own access request forms. This may help them locate your data more easily and effectively. However, you don't have to use this format and should still not be asked to fill in fields that require unnecessary or unreasonable data besides the ones needed to facilitate your access rights.
Make sure that the form you're filing in is indeed an access request and not an erasure request one. We observed that a number of companies sending erasure request forms in response to DSARs, asking for individuals to fill it and send it back. So, make sure you check the tile of the form you're filling out!
In any case, such forms are not mandatory and cannot replace the original DSAR submitted via other means. You are not obliged to fill in a new form, especially when you have already provided all necessary identifiers and information in your original request. In that case, the date for the controller to get back to you with a response will still be 1 month after the date you first sent your request.
Finally, submitting a DSAR is an exercise of your right of access under data protection laws and you do not need to provide reasons for doing so.
6. Calendarise, wait and ping if needed
Normally, controllers have one month to respond to your request, starting from the day your request is received. The GDPR allows for a further 2-month extension of the 1-month deadline, provided there are reasons to justify such an extension. In any case, controllers are obliged to confirm receipt of your DSAR within one month. We suggest you calendarise accordingly so that you can follow up later in case of no response.
If the controller has not gotten back to you within one month or exceptionally the extended 3-month deadline, then consider pinging them and remind them of your DSAR and their obligation to get back to you within the statutory deadline. If you don't get any reply it may be worth following up with another contact point or by phone.
7. Unsatisfied with the anwser? Don't hesitate to ask for clarifications!
Once you receive a response, there are usually three possible scenarios.
First, you have received all the data you asked for in a comprehensible and exhaustive manner as well as sufficient responses to any questions you asked. Congratulations, you have been extremely lucky!
Second, your DSAR was only partially complied with. This might be because the company merely provided you with the personal data they hold on you wihtout responding to any other questions you have asked. It might also be that you think they probably hold more data, or a combination of all these.
Third, the controller has responded to you saying that they do not hold any personal data on you, but you are confident that they do have your personal data. This was the case for several Facebook advertisers we looked into. Specifically, some companies got back to us saying that they held no personal data on us, despite the fact that Facebook was showing them as advertisers who had uploaded personal data of ours on the platform. In that case, we got back to the controller attaching a screenshot from our Facebook profile and asking them to explain why they were being shown as not only having personal data of ours but also to have shared it with Facebook.
8. Manage your expectations! It's not always smooth sailing!
While the right of access is very clear in the law, sadly it can be challenging in practice - often because controllers -be they companies or public authorities- do not take seriously enough their obligation to facilitate this right and that there is still a lack of enforcement by regulators.
You might therefore be confronted with some email back and forth, delays or even non-responses. We suggest that you don't give up and continue reminding companies of your DSAR or asking for clarifications in case you still have questions. And, although we are unable to advise you individually or file complaints on your behalf, it is important to know that you do also have the option to complain to your national data protection authority.
Companies have the obligation to respect the rights in GDPR if they are based in the EU or process personal data of people in the EU.
Also access rights are still not available around the world - for example, the right of access in GDPR is limited to controllers based in the EU or those that process the personal data of people in the EU (as they direct goods or services or monitor their behaviour).
These challenges are one of the reasons we keep advocating for strong data protection frameworks around the world accompanied by effective impelmentation and enforcement and seek to hold to account, for example by complaining about exploitative practices! Learn more about our work and how you can support here.
*While this guidance is intended to generally apply along with GDPR, we should not ignore that it was written during the novel Coronavirus pandemic. The impact on individuals, the public and private sector worldwide may mean that there are some understandable delays in dealing with requests as well as follow up by regulators. This should not mean the exercise of rights can be ignored completely.
Feel free to use the text below by adapting it as needed. You can copy and paste it into a document or directly into the boyd of your message to the data controller. Please replace fields in [brackets].
[DATA CONTROLLER NAME]
[DATA CONTROLLER CONTACT DETAILS]
Data Subject Access Request
I, [NAME SURNAME], hereby make a Data Subject Access Request in respect of my personal data. Under Article 15 of the General Data Protection Regulation (GDPR), please provide me with a copy of all my personal data you process together with all the additional information I am entitled to, including answers to the questions below.
Please ensure that you include all information that is directly and indirectly associated with the following identifiers: [ADD RELEVANT IDENTIFIERS E.G. NAME, PHONE NUMBER, EMAIL, AD IDS, SOCIAL MEDIA IDS OR HANDLES, IP ADDRESS ETC – THESE WILL DEPEND ON WHO YOU ARE MAKING THE REQUEST TO AND HOW MUCH YOU ARE COMFORTABLE DISCLOSING].
If you do locate my personal data based on the identifiers, please further confirm whether there are other identifiers which may establish that you hold additional personal data, in order to fully comply with this request. Please advise me of them as soon as possible.
Please note that I am providing these identifiers in order to enable you to identify whether you hold any personal data about me. Aside from keeping a record of this subject access request, if you cannot identify my personal data, please do not store these identifiers in your datasets.
Please respond to me [by email or add other contact details].
- Please confirm whether or not you process my personal data and if that is the case provide me with a copy of ALL personal data that you hold on me.
Please provide the following information:
The purposes of the processing.
The categories of personal data concerned.
The recipients of the personal data, for what purpose and on what basis. Information about the recipients should include their name, and at least information about their activities, industry, sector, sub-sector and location.
Whether any of these recipients are based outside the EU and if so, what safeguards are in place.
The envisaged period for which my personal data will be stored and why.
Information about the source of my data, including where it came from, for what purpose and on what basis.
Information about the existence of automated decision-making including profiling, including meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for me. In relation to profiling, this includes input data used to create the profile, as well as information on the profile and details of any segments I’ve been placed in. In relation to any automated decision-making, the information should include factors taken into account for the decision-making process and on their respective weight.
For all processing please clarify the legal basis.
a. If the legal basis for processing is consent, demonstrable evidence of the date and how consent was provided;
b. If the legal basis for processing is legitimate interest, whether you have carried out a legitimate interest impact assessment and provide me with a copy;
c. My data and the above information should be provided in a transparent, intelligible and easily accessible form, using clear and plain language.
If you need any more information from me, please let me know as soon as possible.
[OPTIONAL, DEPENDING ON CONTEXT: For the purpose of verifying my identity for this request, please find enclosed a copy of my identification. This is not to be processed for any other purpose.]
I look forward to hearing from you as soon as possible and at the latest within the statutory deadline of 1 month.
Please confirm safe receipt.
This would usually be the company or public body that controls the processing of your personal data. Note that not only private companies but also public authorities can be covered by GDPR.
This is the individual whose personal is being processed by the data controller.
Data Subject Access Request (DSAR)
The most effective manner to exercise your access rights. Basically, it is a request sent to a data controller where the individual asks for a copy of their personal data and/or information about the processing of their personal data, for example, any third parties their personal data has been disclosed to, data transfers to third countries etc.
Information that can help identify an individual or can even make an indvidual identifiable.
In simple terms, processing means pretty much any operation you can perform on personal data: collecting it, using it, making it available to or sharing it with others, storing it etc.
Supervisory Authority (SA) or Data Protection Authority (DPA)
The regulator that oversees compliance with GDPR and makes sure the latter is enforced. Every EU member state has at least one, and the SA is also responsible for dealing with individual complaints and alleged violations of data protection laws.