
Term: Data Subject Requests (DSRs)

Data Subject Requests (DSRs) are requests that data subjects make to data controllers to exercise their rights, such as deletion of their data, access to it, a copy of it, or an objection to its processing.

Data Subject Requests under the GDPR

Data subjects’ (individuals’) rights are covered in chapter 3 of the GDPR, including the right to access, the right to rectify, the right to erase, the right to restrict processing, the right to data portability, the right to object, and the right not to be subject to decisions based solely on automation.

An individual can therefore contact the Data Controller to exercise their rights, such as an access request (also known as DSAR), a correction request, a deletion request, or a request for a copy of their data. The act of contacting the controller to exercise the above-mentioned rights is called a Data Subject Request (DSR).

Besides the GDPR, California’s CCPA, Connecticut’s CTDPA, Brazil’s LGPD, and other global privacy laws grant individuals the right to make these requests.

Responding To Data Subject Requests (DSRs)

  • Verify the individual’s identity before responding to the DSR. Otherwise, you risk sending personal data to an unauthorized party.
  • Under the GDPR, you must respond within 1 month to a data subject request.
  • If you can’t fulfill the request in that time, you must inform the data subject (within the original timeframe) that there will be an extension. You must also tell the data subject why the extension is necessary. An extension grants you an additional 2 months to fulfill the DSR.
  • Each regulation enforces its own timeline, generally ranging from 15 days under LGPD to 45 days under CCPA, with predefined extensions permitted.
  • Use clear, plain language when delivering personal data to a user in response to their access request.

Understanding the Differences Between DSRs, DSARs, and SARs

SAR and DSAR are both requests for access to the personal data a company (data controller) holds about an individual. DSR, by contrast, is an umbrella term that refers to all types of requests made by individuals to access, modify, or delete personal information.
