There are several formal steps that are required to respond to a DSAR. However, before any of those steps commence, an organization must first recognize and acknowledge that a DSAR has been submitted. GDPR does not explicitly state what form a request must take, however the regulation clearly indicates that an individual can use any means (email, phone, chat, social media) and does not need to use the phrase “Data Subject Access Request” or “Article 15” as long as the intent is clearly understood.
Once you have received a request, it must be fulfilled for the data subject using “concise, transparent, intelligible and easily accessible form, using clear and plain language” (Article 12.1). The DSAR must be fulfilled in writing, in print or electronically. Alternatively, the request can be fulfilled orally, if that is what the data subject requests. Most often, companies fulfill the request in writing, and in the format that the request initially arrived (in print or electronic).
One interesting twist on delivering information is that context must be provided. This means if you have an internal coding system, or a unique internal language that is surfaced in a DSAR, the organization has an obligation to explain the system and meaning to the data subject.
Real World Example
Marcus files a DSAR through your company’s DSAR electronic submission portal. Marcus requests confirmation that your company has collected his personal information, and pending confirmation, has requested that his personal data be transferred to a new company (Article 18). Because Marcus filed the DSAR electronically through your company’s online portal, any DSAR processing and communication with Marcus also should be conducted digitally through the online portal, unless Marcus requests a different mode of communication.
Stay on top of your compliance obligations with our GDPR Checklist.
