Data Subject Access Request (DSAR)

We need to tell our customers:

• What personal data we’re collecting from them
• How we are using it (or will be using it)
• How long we’re keeping it for; and
• Various other information.

Most data controllers choose to communicate this information via a privacy notice.

Data subjects may request a copy of the personal data we are processing (on that data subject), as well as information we must also share under Articles 13 and 14 (the right to be informed).

This includes:

• The purpose(s) of processing;
• The categories of personal data;
• The recipients of the personal data;
• Whether automated decision-making is taking place, its significance, and envisaged consequences for the data subject; and
• Whether we’re transferring the data internationally, and if so, what safeguards are in place.

We must also inform data subjects of their other GDPR rights, including the right to lodge a complaint with the ICO (Information Commissioner’s Office).

When someone exercises this right, we must respond within one month.

One of the key GDPR principles (Article 5(1)(d)) is ‘accuracy’. If exercised — meaning that a data subject alerts us to incorrect personal data on them — we (the data controller) must correct it.

The right to rectification also means that if a data subject points out that, within the purposes of data processing, the data on them is incomplete, we must complete it.

When someone exercises this right, we have one month to make the corrections and respond to the data subject.

When an individual submits a data subject access request (or SAR), AB PLUS must provide them with a copy of any relevant information about them.

The right to erasure is also known as the ‘right to be forgotten’. It obliges us to erase someone’s data if they ask, where any of the following applies:

• The processing was unlawful to begin with.
• The data subject has withdrawn their consent.
• We need to destroy the data to comply with a legal obligation.
• We no longer need the personal data for the purpose(s) for which we collected it.
• We were collecting the data to offer information society services directly to a child.
• The data subject can legitimately object to the processing.

This right isn’t absolute. If we receive a request, we must respond within one month.

If a data subject exercises this right, we may store their data but not process it. Someone may exercise this right because:

• They’re contesting the accuracy of the personal data;
• The processing is unlawful, but the subject doesn’t want their data destroyed;
• They’re challenging whether our legitimate grounds for processing override their interests; or
• We don’t need the personal data anymore, but the subject needs it for a legal claim.

If exercised, we must respond within one month.

This right allows people to obtain their data from us in a “structured, commonly used and machine-readable format”, so they can easily reuse their data for other purposes.

Data subjects can only exercise this right if:

• They provided their data under the lawful basis of consent; and
• Where the processing is carried out by “automated means”.

“The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on points (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.”

Article 21(2) also specifies that data subjects can object to their data being used for direct marketing purposes “at any time” — meaning that this is an absolute right.

Whether or not we comply, we must inform the data subject of our decision within one month.

People have the right not to be subject to any automated decision-making with potentially legal or similarly significant consequences for them, unless:

• We need to conduct the processing to enter into a contract with the data subject;
• We’re required or authorised by law to conduct the processing; or
• The data subject has explicitly consented to the processing.

Where we proceed with the processing, we must:

• Inform the data subject about the processing;
• Enable them to easily request human intervention or challenge a decision; and
• Regularly review our systems to make sure they’re working as intended.

One of the first steps is to verify the identity of the requester so that we can determine whether we have all the information we need to fulfil the request.

Find out more about the request itself. Is it merely a request for access, or are they invoking other rights, such as rectification of the personal data being held?

Establish whether the request is valid and if it can be completed within the one-month period. If not, we can take further steps to request an extension.

Once we start collecting the data, check whether the data needs to be amended and if we need to protect the personal information of any other data subjects.

Once all the data has been collected, determine the most appropriate format in which to provide the information.

Before sending the information, ensure the data subjects know their rights, including the right to lodge a complaint.

Data subjects can theoretically submit a DSAR whenever they communicate with a member of staff. We ensure that all relevant employees can recognise a request and know how to respond.

We appoint someone or a team of people to take responsibility for responding to DSARs who is familiar with the GDPR’s compliance requirements. We make sure multiple employees know how to complete a request so they can fill in during holidays or other absences.