With the final approval of the EU-U.S. Data Privacy Framework, data can once again flow across the Atlantic. Learn more about the new rules at TrueVault.
A Data Subject Access Request (DSAR) refers to a petition by a data subject (an identifiable individual about whom personal data is held) to a data controller (e.g., an organization/institution which sets personal data processing standards) regarding their personal data. A data subject may request access to their personal data record, edits or corrections to their personal data record, or request that their some or all of their personal data record with the company be deleted. The organization receiving this request, whether it is a data controller or a data processor, is expected to oblige this request within 30 days unless an exemption is made.
Real World Examples
Through a DSAR, an individual has the right to receive confirmation that your company is or is not collecting his/her data, insight into how the data is being used, and the ability to request erasure, correction, or deletion of data collected. If your company is collecting his/her personal data, that company has an obligation to grant a data subject access to their personal data. Below are two examples that highlight when a data subject might invoke their right to access, amendment, or deletion of their personal data under GDPR.
Example 1
Amy is moving from her city flat into a bigger home in the countryside, so she needs to update her billing address for her monthly book club shipment. Amy can request that the company that manages her book club membership change her personal data record (Article 16 of GDPR) from her old address to her new address in every instance on her personal data record. The book club company has 30 days to complete this request under GDPR, which is incidentally the time frame of Anna’s monthly book club membership.
Example 2
Jonas has been a loyal customer of ACME Running’s custom running shoes for years. Until recently, when his running partner finally convinced him to try a new brand of running shoes, and now he’s hooked. He wants to erase his personal data record from ACME Running shoes, and calls to request that his personal data record (which includes identifiable information, his running shoe purchase history, shipping information and more) be deleted (Article 17 of GDPR). ACME Running has exactly one month to honor Jonas’ request that all his personal data be removed from their system.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.
Get monthly updates on the latest updates on policy & the shifting privacy landscape.
Dive into a world of knowledge, trends, and industry updates on the TrueVault blog.