All Collections
Data Subject Requests
How do I respond to a DSAR?
How do I respond to a DSAR?
Updated over a week ago

A Data Subject Access Request (DSAR) form allows your users to request access to the personal information stored on them or request that certain actions be taken with their personal information. Under some data privacy protection laws — like the General Data Protection Regulation (GDPR) — you need to ensure your users can submit requests to access, edit, transfer, or delete their personal data.

Termly offers an embeddable DSAR form that can be found in your dashboard.

Preparing to receive DSARs

Here are some steps you should take as you prepare to begin receiving DSARs:

  1. Give users a way to submit DSARs — you may wish to embed a form or provide specific contact details for DSAR submissions.

  2. Create and document a standard DSAR response process.

  3. Keep a detailed list of all the places where your organization may store personal data. These may include:

    1. Client/team member files

    2. Email accounts

    3. Data stored on servers belonging to service providers

    4. Audio recordings

    5. And more — review your specific situation carefully to find all the places you store personal data

Responding to a DSAR

Here are some steps we would advise organizations to implement when responding to DSARs:

  1. Determine which data privacy law applies to the data subject. Different laws have different requirements for the timeframe to deal with the request, the responsibility of a company processing the data, and more. You can determine which law applies by verifying the data subject’s location. If you use Termly’s DSAR form, the requestor will be able to select which law is applicable to them when submitting their request.

  2. Verify the requestor’s identity. Individuals with malicious intent could be using your DSAR form to collect information on your users. Notify the requestor that the DSAR was received, but always verify the requestor’s identity before sending personal data. For example, you may verify a requestor’s identity by requiring them to send their request using the same contact information as when they signed up for your service, or by asking the requestor to confirm the information you have for their account.

  3. Clarify the request. Is the requestor asking for access to data, deletion, or something else? Get additional information from the requestor if necessary.

  4. Determine the request’s validity. Establish whether the request is valid and can be completed within a legal timeframe. If not, you can take further steps to request an extension up to 60 days.

  5. Inspect the data. You will need to conduct a search of your files and data to locate all personal information belonging to the requestor. This can include hard copies, digital files, accounts, data stored on service provider servers, and more.

    1. Ensure to protect other data subjects’ personal information — do not delete or share information to the requestor that is not theirs.

    2. If you are unable to delete the requested data for fraud protection, pending court proceedings, legal obligations, or other reasons, notify the requestor what you cannot delete and why. Seek legal advice if you encounter this scenario.

  6. Choose the right format to provide the information. We recommend creating DSAR email templates for responses and deletion requests. Some of the information we recommend that you include is detailed in the section below.

  7. Keep an audit log of DSAR requests. Include the sources of collected information, the review process, key decisions made concerning the legitimacy of the request and whether exemptions applied, the response provided and disclosures, as well as all communications with the individual and other third parties. This will be essential if the individual seeks an internal response review or files a complaint.

Information to include in your DSAR response

We recommend including the following information in your DSAR responses:

  • Data information requests

    • Purposes of processing

    • Categories of personal data concerned

    • The recipients or categories of recipients to whom personal data has been or will be disclosed, including any other countries or international organizations

    • Any appropriate safeguards for the transfer of data

    • The time period for which personal data will be stored, or, if not possible, the criteria used to determine that time period

    • The source of the data if it was not collected from the data subject directly

    • The existence of any automated decision making, including profiling and any meaningful information about the logic involved

  • Data deletion requests

    • Confirm that the personal data was successfully removed from your systems and third-party systems

    • If the requestor needs to manually delete their personal data, provide detailed instructions on how to do so

    • If there is an exception and you cannot fulfill the deletion request, state the reasons for the denial

    • If some personal data is stored in backup systems awaiting deletion, make sure to explain the deletion schedule.

  • Additional information

    • Before sending your DSAR response, ensure the requestor knows their rights, including:

      • The right to request rectification or erasure of personal data or restriction of processing of their personal data

      • The right to complain to the relevant supervisory authority.

Tracking DSARs

Termly will notify you by email when a DSAR submission is made for your website. The email will contain the details of the submission, and some instructions on how to respond.

We recommend you keep records of all received requests, their status, and any additional information or comments.

When keeping a log of your DSAR requests, include the following information:

  • Request ID

  • Request type (erasure, access, rectification, objection, restriction, data portability)

  • Data subject category (website visitor, user, customer, employee)

  • Request date

  • Request deadline

  • Person responsible for responding

  • Request status

  • Comments

Did this answer your question?