Checklist: Data subject access rights under the GDPR (EU)

Updated as of: 16 January 2025

Introduction

This checklist provides step-by-step guidance to in-house counsel and private practitioners responding to a data subject access request (DSAR) under the European Union’s General Data Protection Regulation (EU GDPR), and/or advising clients on these issues.

The checklist addresses the following stages:

  1. Identifying a DSAR
  2. Initial response and general process for responding to a DSAR
  3. Deciding what information to provide in response to a DSAR
  4. Deciding how to provide the DSAR response
  5. Keeping records on DSARs

It is presented as a list of requirements that you can tick off as they are addressed. At the end of the document there are explanatory notes, and specific notes corresponding with each step in the checklist.

Key definitions, such as ‘controller’, ‘processor’, ‘data subject’, ‘personal data’ and ‘processing’, are further explained in How-to guide: Understanding key data protection definitions.

This checklist can be used in conjunction with How-to guide: How to ensure compliance with the GDPR and Checklist: GDPR compliance self-assessment audit.

Step 1 – Identifying a DSAR

No. | Issue | Legally required? | Good practice
1.1 | Does the request involve an individual (or an authorised third party on their behalf) asking for information relating to them?
1.2 | Has the request been made by the data subject through your specified DSAR process?

Step 2 – Initial response and general process for responding to a DSAR

No. | Requirement | Legally required? | Good practice
2.1 | Have you verified the identity of the requester?
2.2 | Have you taken special precautions if the data subject is a child?
2.3 | Have you requested clarification about the information requested, if necessary?
2.4 | Have you met the time limits for responding?
2.5 | Have you informed the data subject that you will require an extension, if necessary?
2.6 | Have you determined if a fee can be charged? (optional; only in exceptional circumstances)
2.7 | Have you performed a reasonable search for the information?
2.8 | Have you responded by providing or refusing to provide information?
2.9 | Are your systems set up to be able to easily locate the information you need?
2.10 | If you are acting as a processor on behalf of another organisation, have you implemented technical and organisational measures to assist the controller with DSARs?
2.11 | Have you followed your internal DSAR policy / procedure?

Step 3 – Deciding what information to provide / exclude in response to a DSAR

No. | Question | Answer | Next step
3.1 | Have you confirmed whether personal data about the data subject is being processed? | Yes (unless exempt) | Disclose
    |   | No | Don’t disclose
3.2 | Is the information requested personal data relating to the data subject? | Yes (unless exempt or excluded) | Disclose
    |   | No | Don’t disclose
3.3 | Have you excluded or redacted all information relating to third parties (or obtained third party consent to disclose)? | Yes | Disclose
    |   | No | Don’t disclose
3.4 | Have you ensured that providing a copy of the requested information would not adversely affect the rights or freedoms of others? | Yes | Disclose
    |   | No | Don’t disclose
3.5 | Have you excluded all information to which an exemption or restriction applies? | Yes | Disclose
    |   | No | Don’t disclose
3.6 | Is the request (or part of it) manifestly unfounded? | No | Disclose
    |   | Yes | Don’t disclose
3.7 | Is the request (or part of it) excessive? | No | Disclose
    |   | Yes | Don’t disclose
3.8 | Can the legally required supplementary information be provided? | Yes (unless exempt) | Disclose
    |   | No | Don’t disclose

Step 4 – Deciding how to provide the DSAR response

No. | Requirement | Legally required? | Good practice
4.1 | Does the response contain a copy of the personal data being processed (after applying exemptions etc)?
4.2 | If the DSAR was received electronically, is your response in a commonly used electronic form?
4.3 | Is the information disclosed to the data subject by secure means?
4.4 | Have you informed the data subject of their right to complain to the relevant supervisory authority and to judicial redress?

Step 5 – Keeping records on DSARs

No. | Requirement | Legally required? | Good practice
5.1 | Have you kept records of DSARs?

Explanatory notes

General notes

Legal framework

The checklist covers the requirements under articles 12 and 15, EU GDPR, which set out the key requirements regarding DSARs. Additional local EU member state law requirements may apply.

You must also inform data subjects whose information you process about their data subject rights. For further guidance see Checklist: What to include in your organisation’s privacy notice.

Data subject rights requests

A ‘data subject’ means an identified or identifiable natural person (article 4(1), EU GDPR). The EU GDPR provides for a range of rights of data subjects. These include:

  • rights to information (articles 13 and 14, EU GDPR);
  • rights of access to personal data (article 15, EU GDPR);
  • rights to rectification of incorrect data (article 16, EU GDPR);
  • rights to erasure / be forgotten (article 17, EU GDPR);
  • rights to restrict processing (article 18, EU GDPR);
  • rights to data portability (article 20, EU GDPR);
  • rights to object (article 21, EU GDPR); and
  • rights in relation to solely automated decision-making, including profiling (article 22, EU GDPR).

This checklist focuses on data subject access requests (DSARs) by individuals to exercise rights to access their personal data. A DSAR is broadly a request by an individual to access information that a controller is processing about them. The right of access entitles the data subject to obtain a copy of their personal data and prescribed supplementary information.

The purpose is to help people understand how and why their data is being used so they can ensure organisations are acting lawfully. Requesters need not tell you the reasons for their DSAR (although this may assist in locating the information).

Responding to DSARs can be complex and time-consuming, and the EU GDPR allows limited time to respond, so being prepared is essential. In particular, you should have:

  • a clear DSARs policy;
  • information management systems that allow for efficient identification and retrieval of information; and
  • information in your privacy notices about individuals’ rights regarding DSARs (and other rights), including details of how to exercise their rights.

Controllers are primarily responsible for complying with the DSAR requirements. However, processors must implement technical and organisational measures to support controllers with their obligations (article 28(3)(e), EU GDPR).

Step 1 – Identifying a DSAR

1.1 Does the request involve an individual (or a third party on their behalf) asking for information relating to them?

There are no formal requirements for a valid DSAR under the EU GDPR. DSARs can be made verbally or in writing. DSARs can be received via social media, so you will need to monitor all communication channels for DSARs.

Even if a request does not expressly say that it is a DSAR, if it is clear from its nature that this is what the individual means, it should be treated as one. This may include an individual requesting ‘my information’ or specific information relating to them or information about them held in a particular location or system (eg, ‘my personnel file’), or similar.

A request for information that is not personal data relating to the requesting individual (non-personal data or data relating to third parties) does not fulfil the requirements for a valid DSAR.

A duly authorised representative (such as a solicitor, relative or guardian of a child) may request information on the data subject’s behalf.

1.2 Has the request been made by the data subject through your specified DSAR process?

It is not mandatory for DSARs to follow your preferred process, such as an online portal – you have to respond to all valid DSARs received via any reasonable means.

Step 2 – Initial response and process for responding to a DSAR

2.1 Have you verified the identity of the requester?

Take reasonable steps to verify the requester’s identity to ensure you only disclose information to the data subject or someone who is authorised to receive this on their behalf. Request information such as ID to verify an individual’s identity if you are unsure. The timescale for responding to a DSAR does not start until you have received this information, but you need to request the information promptly.

A third party may make a DSAR on behalf of another person. If they do so, you will need to check their identity and that they are duly authorised to make the request.

2.2 Have you taken special precautions if the data subject is a child?

If the request is from a child, you need to be sure they can understand their rights – if so, you can respond directly to the child. However, with the child’s authorisation, or if evidently in the child’s best interests, you can allow the parent or guardian to exercise the child’s rights on their behalf.

2.3 Have you requested clarification about the information requested, if necessary?

Only seek clarification where it is genuinely required to respond to a DSAR and you process a large amount of information about the person. To this end, you may ask them to specify the information or processing activities their request relates to before responding to the request to narrow this down.

Request clarification promptly and without undue delay after receiving the request, or as soon as it becomes clear that you need further information.

The onus is on the controller to request clarification. The time limit for responding to the request is paused until you receive clarification, so you do not need to provide the individual with a copy of the information, or any supplementary information that you cannot reasonably provide, until you have obtained it. In the interim, you must:

  • comply with the request as best you can by making ‘reasonable searches’ for the information and providing any information you can (eg, a copy of your privacy notice); and
  • explain that the clock stops from the date that you request clarification and will resume once the data subject responds.

See time limits for responding and closing requests in explanatory notes at 2.4 below.

2.4 Have you met the time limits for responding?

Information must be provided in response to a DSAR without delay, subject to a standard maximum time limit of one month from the date of receipt of the request. The following time frames are relevant when responding to DSARs:

  1. Acknowledging the request - Acknowledge receipt of the request promptly. Depending on the channel the requester uses (eg, a portal), you may choose to set up an automatic reply. If you need to reply manually, having a template initial response will save time.
  2. Requesting ID - If necessary to verify the requester’s identity (see explanatory notes at 2.1), ID should be requested promptly. If appropriate, request this when acknowledging the request.
  3. Requesting clarification - If the request requires clarification as to the information requested, do so promptly and without undue delay. If clarification is requested, the clock is paused until you receive the clarification, subject to certain conditions (see explanatory notes at 2.3).
  4. Requesting a fee - If you are able to charge a fee and decide to do so, you need only comply with the request once the fee has been paid. Request the fee promptly, and at the latest within one month of receiving the DSAR (see explanatory notes at 2.6).
  5. Requesting an extension - If you are entitled to an extension, inform the data subject without undue delay as soon as you know this will be required and within the initial one-month period (see explanatory notes at 2.5).
  6. Providing information - Information must be provided in response to a DSAR without delay and at the latest within:

    • one month from the date on which the request is received (or, if later, the date on which ID is provided or the fee is paid); or
    • three months from that date, if an extension is required.

    The standard one-month period starts on the day you receive the request (even if this is not a working day). The timeline looks like this:

    DSAR received / fee paid / ID provided = Day 1 (eg, 31 August)
    Time to respond = the same calendar date next month, unless:

    • the next month is shorter – then on the last day of the next month (eg, 30 September); or
    • the response date falls on a weekend or public holiday – then on the next working day (eg, if 30 September is a Saturday, you can respond on Monday, 2 October).

    If you have requested clarification, the one- or three-month time limit is extended by the number of days that you stopped the clock. Using the above example, if the request was received on 31 August and you request clarification on 1 September, and the data subject takes seven days to respond, you can add seven days to the time limit (ie, respond by 7 October).

  7. Closing the request - If ID is not provided, the fee is not paid or clarification is not given, it is generally reasonable to close the request within one month (depending on the situation). However, it is still open to the data subject to make a further request in future. Keep a record of the reasons for closing the request.
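The timeline rules above are easy to get wrong by hand (month lengths, the clock-stop, weekends and holidays interact). The following is an added example, not part of the original checklist, that encodes those rules as a small deadline calculator using only the Python standard library. It assumes: Day 1 is the date the request, ID or fee is received; the deadline is the same calendar date in the target month, clamped to the last day of a shorter month; days on which the clock was stopped for clarification are added on; and a deadline that lands on a weekend or public holiday moves to the next working day. The public-holiday set is constructed for illustration only and must be replaced with the relevant member state's calendar.

```python
"""Deadline calculator for the DSAR response time limits described above.

Added example (not part of the original checklist). The rules and the
holiday calendar are assumptions as stated in the lead-in.
"""
from __future__ import annotations

import calendar
import datetime as dt
from typing import Union

DateLike = Union[dt.date, str]

# Constructed holiday calendar for illustration; load the relevant member
# state's public holidays for the year in question in real use.
HOLIDAYS_EXAMPLE = frozenset({
    dt.date(2023, 10, 2),  # hypothetical holiday, used to show the roll-forward
})


def _as_date(value: DateLike) -> dt.date:
    """Accept a date or an ISO 8601 string (YYYY-MM-DD)."""
    return value if isinstance(value, dt.date) else dt.date.fromisoformat(value)


def add_months_clamped(start: DateLike, months: int) -> dt.date:
    """Same calendar date `months` later, or the last day of that month if shorter."""
    start = _as_date(start)
    year, month0 = divmod(start.month - 1 + months, 12)
    year += start.year
    month = month0 + 1
    last_day = calendar.monthrange(year, month)[1]
    return dt.date(year, month, min(start.day, last_day))


def is_working_day(day: dt.date, holidays=frozenset()) -> bool:
    """Monday to Friday and not a listed public holiday."""
    return day.weekday() < 5 and day not in holidays


def next_working_day(day: dt.date, holidays=frozenset()) -> dt.date:
    """Roll forward to the first working day on or after `day`."""
    while not is_working_day(day, holidays):
        day += dt.timedelta(days=1)
    return day


def paused_days_between(clarification_sent: DateLike, reply_received: DateLike) -> int:
    """Whole days the clock was stopped: from the request date to the reply date."""
    sent, received = _as_date(clarification_sent), _as_date(reply_received)
    if received < sent:
        raise ValueError("reply cannot precede the clarification request")
    return (received - sent).days


def dsar_deadline(day_one: DateLike, *, extended: bool = False,
                  paused_days: int = 0, holidays=frozenset()) -> dt.date:
    """Latest date on which to respond.

    day_one      -- date the request was received (or, if later, ID provided / fee paid)
    extended     -- True if the two-month extension under article 12(3) applies
    paused_days  -- whole days the clock was stopped awaiting clarification
    holidays     -- public holidays to treat as non-working days
    """
    if paused_days < 0:
        raise ValueError("paused_days cannot be negative")
    months = 3 if extended else 1
    due = add_months_clamped(day_one, months) + dt.timedelta(days=paused_days)
    return next_working_day(due, holidays)


def dsar_deadline_iso(day_one: str, **kwargs) -> str:
    """Same as dsar_deadline, but takes and returns ISO 8601 date strings."""
    return dsar_deadline(day_one, **kwargs).isoformat()


if __name__ == "__main__":
    # Page's worked example: received 31 August 2023; 30 September 2023 is a
    # Saturday, so the deadline moves to Monday 2 October 2023.
    print(dsar_deadline_iso("2023-08-31"))
    # Clock stopped for seven days (clarification sent 1 Sept, reply 8 Sept):
    paused = paused_days_between("2024-09-01", "2024-09-08")
    print(dsar_deadline_iso("2024-08-31", paused_days=paused))
```

The calculator deliberately treats "one month" as a calendar month (31 January to 28 February, not 30 or 31 days), which is how the page describes the rule; if a supervisory authority or local law counts differently, change `add_months_clamped` rather than the callers. Record the inputs you used (Day 1, paused days, extension reason) alongside the computed deadline so the calculation can be justified later under Step 5.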

2.5 Have you informed the data subject that you will require an extension, if necessary?

You may extend the time limit by two months if the request is complex or you receive multiple requests from the individual. You must inform the data subject of this within one month of receiving their request and explain the reasons for the extension.

2.6 Have you determined if a fee can be charged?

In most cases, the information must be provided for free. The exceptions to this are where:

  • the request is manifestly unfounded or excessive; or
  • the data subject requests additional copies of their data following an earlier request.

The fee can only cover the associated administrative costs. Your other option is to refuse to comply with a manifestly unfounded or excessive request.

2.7 Have you performed a reasonable search for the information?

You need to try to locate and retrieve the requested information. However, you do not have to do searches that would be unreasonable or disproportionate in the circumstances.

2.8 Have you responded providing or refusing to provide information?

If the request is valid and no ground for refusal applies, you will need to provide any information that you can, plus the prescribed supplementary information (see ‘Step 3’).

If you are refusing to comply with the request (for instance, where an exemption applies), you will still need to notify the data subject and inform them of:

  • the reasons why (although how much you say will depend on the circumstances); and
  • their right to complain to the relevant supervisory authority, and their ability to pursue court action.

(See ‘Step 3’.)

2.9 Are your systems set up to be able to easily locate the information you need?

A controller needs to be able to facilitate the exercise of rights of access (article 12(1), EU GDPR), and has a general obligation to implement appropriate technical and organisational measures to ensure and be able to demonstrate that processing is carried out in accordance with the EU GDPR (article 24(1), EU GDPR). This would include having systems to locate the information to be disclosed in response to a DSAR and then putting this into a form that can be disclosed to the data subject.

2.10 If you are acting as a processor on behalf of another organisation, have you implemented technical and organisational measures to assist the controller with DSARs?

Processors must implement technical and organisational measures to support controllers with their obligations in relation to DSARs (article 28(3)(e), EU GDPR).

2.11 Have you followed your internal DSAR policy / procedure?

Your organisation should have a clear and up-to-date internal policy for dealing with DSARs. This should explain to staff how to recognise them, designate people within the organisation to handle them and set out the process for dealing with them within the time limits.

A processor needs to have appropriate systems and policies to deal with DSARs in line with the controller’s instructions.

Step 3 – Deciding what information to provide or exclude in response to a DSAR

3.1 Have you confirmed if personal data about the data subject is being processed or not?

A data subject has the right to know if you are processing their personal data (article 15(1), EU GDPR). You need to confirm this in your response, unless an exemption applies (eg, for reasons of national security).

3.2 Is the information requested: personal data relating to the data subject?

A request for information that is not personal data relating to the requesting individual does not fulfil the requirements for a valid DSAR – non-personal data or data relating to third parties cannot be sought through a DSAR. A duly authorised representative (such as a solicitor, relative or guardian of a child) may, however, make a DSAR on the data subject’s behalf; the representative is a third party to the data subject, but the information sought is still the data subject’s own personal data.

3.3 Have you excluded or redacted all information relating to third parties?

Data relating to third parties cannot be sought through a DSAR. You will generally need to redact this and provide what information you can. If this is not possible, compliance with the request is not required, except with the third party’s consent or where it is reasonable to comply with the request without their consent. See also explanatory notes at 3.4.

3.4 Would providing a copy of the requested information adversely affect the rights or freedoms of others?

The right of access to personal data must not adversely affect the rights and freedoms of others (article 15(4), EU GDPR). If disclosure would have a negative impact on third parties, particularly if it could result in harm or disadvantage them in some way, that person’s data, or information that would lead to their identification, should not be disclosed.

3.5 Have you excluded all information to which an exemption or restriction applies?

Rather than specifying particular DSAR compliance exemptions, article 23, EU GDPR provides scope for EU member states to restrict the DSAR rights of data subjects. The exemptions vary from EU member state to EU member state, and which exemptions apply will depend on the type of organisation and the nature and context of the request. The exemptions most commonly provided under EU member state law that are available to commercial organisations include those related to legal professional privilege, research and statistics, archiving in the public interest, management information, negotiations with the requester and confidential references.

Importantly, exemptions must be considered case by case. They will often only exclude part of the data you are processing for reasons related to the purpose of the data’s use. Some exemptions require certain conditions to be met in order to be relied on.

3.6 Is the request manifestly unfounded?

You can refuse to comply with a DSAR if it is manifestly unfounded. This includes where:

  • the data subject clearly has no genuine intention to exercise their right of access and is using the request for another purpose (eg, for blackmail or leverage in negotiations with the organisation); or
  • the request is malicious and is being used to cause disruption (eg, an excessive number of requests are sent as part of a systematic harassment campaign).

This issue needs to be considered in context. See explanatory notes at 2.8 about what to do if you decide to refuse to comply with a DSAR.

3.7 Is the request excessive (ie, multiple requests for the same information)?

You can refuse to comply with a DSAR if it is excessive. A request is excessive if it is clearly or obviously unreasonable, judged by whether the request is proportionate when balanced against the burden or costs involved in dealing with it. A request could also be considered excessive if it repeats or overlaps with other recent requests. If you decide to refuse all or part of a request, record your reasons: you need to be able to justify the refusal.

You may also consider asking for clarification of the request (see explanatory notes at 2.3). See explanatory notes at 2.8 on what to do if you decide to refuse to comply with a DSAR.

3.8 Can the legally required supplementary information be provided?

In addition to confirming if the personal data is being processed, and providing access to the personal data being processed, (unless exempt) a controller must provide the supplementary information set out in EU GDPR article 15(1) relating to:

  • the processing purposes;
  • the categories of personal data;
  • the recipients or categories of recipient to whom the personal data has been or will be disclosed, in particular recipients outside the European Economic Area (EEA);
  • where possible, retention periods or at least retention criteria;
  • the other data subject rights (in addition to access to information);
  • the right to lodge a complaint with the relevant data protection regulator;
  • details of the sources of the personal data, where this is not collected from the data subject;
  • certain information about automated decision-making, including profiling, referred to in EU GDPR article 22(1) and (4), if being carried out; and
  • information about the appropriate safeguards used under article 46 for data transfers outside the EEA.

Step 4 – Deciding how to provide the DSAR response

4.1 Does the response contain a copy of the personal data being processed?

The individual is only entitled to receive a copy of their personal data that is being processed. If you no longer hold the data, it need not be disclosed. You must, however, make reasonable efforts to obtain relevant information from your processors.

The right of access does not give a data subject the right to specific documents; only their personal data within them. You may decide to disclose other information that is not personal data in your discretion, provided this would not be prejudicial to the organisation, but strictly speaking the data subject has no right to receive this through a DSAR.

It may be necessary to give the individual some additional information to assist their understanding, if the requested personal data is not in an easily understandable form and it is reasonable to do so (eg, providing a key of internal abbreviations used). Using clear and plain language is particularly important if you are disclosing information to a child.

4.2 If the DSAR was received electronically, is your response in a commonly used electronic form?

If you receive a DSAR electronically (eg, by email or via a portal or social media) your response needs to be provided by electronic means, in a commonly used electronic form, unless the data subject requests otherwise (articles 12(3) and 15(3), EU GDPR).

4.3 Is the information disclosed to the data subject by secure means?

The EU GDPR contains obligations for both controllers and processors regarding security of processing (article 32, EU GDPR). The exact security measures you should take will be determined by the level of risk, including the sensitivity of the data.

For particularly sensitive data, wherever possible, encrypt the data files and keep the decryption key separate from them. Use a secure file-sharing service where you have one; at the very least, password-protect the data and send the password through a different channel from the data itself (eg, by telephone or text message rather than in a second email to the same address). Be extra careful to send information to the correct recipient – check email and physical addresses are correct, and use a confirmed or signed-for delivery service. A misdirected DSAR response is itself a personal data breach.

Step 5 – Keeping records on DSARs

5.1 Have you kept records of DSARs?

A controller has a general obligation to implement appropriate technical and organisational measures to ensure and be able to demonstrate that processing is carried out in accordance with the EU GDPR (article 24(1), EU GDPR). This would include keeping appropriate records of DSARs and how the organisation dealt with these. Your records should include:

  • details of the requests (ie, by whom, for what information and when), including writing down or recording requests by telephone or in person;
  • ID checks;
  • requests for clarifications and reasons for extensions;
  • reasons for any time limits being missed;
  • the extent of your search (ie, systems or databases searched) and your search methodology;
  • your decisions to withhold certain information (eg, third-party data, excessive requests or exemption); and
  • how you responded – including a copy of everything that was provided to the data subject.

Have a retention schedule for retaining this information, based on how long you will need this to comply with your legal obligations (in particular, if the data subject made a complaint to a relevant supervisory authority or brought a claim in court relating to your handling of their DSAR).

Additional resources

European Data Protection Board’s Guidelines on Data Subject Rights – Rights of Access

Related Lexology Pro content

How-to guides:

Understanding key data protection definitions 
How to comply with data processing principles under the GDPR 
How to ensure compliance with the GDPR 
How to establish a valid lawful basis for processing personal data under the GDPR 
How to transfer personal data lawfully outside the European Economic Area 
How to reduce the risk of a GDPR data breach 
How to deal with a GDPR data breach 
How to deal with a supervisory authority dawn raid 

Checklists:

GDPR compliance self-assessment audit 
Assessing whether an organisation is a controller or processor under the GDPR 
Lawful processing of personal data under the GDPR 
Obtaining and managing consent under the GDPR 
Processor due diligence (data protection and cybersecurity) 
Making an international transfer of personal data under the GDPR 
What to include in your organisation’s privacy notice 
When and how to appoint a data protection officer 
Complying with cookie requirements under the ePrivacy Directive and the GDPR 
