A Data Subject Access Request (DSAR) form allows your users to request access to the personal information stored on them or request that certain actions be taken with their personal information. Under some data privacy protection laws — like the General Data Protection Regulation (GDPR) — you need to ensure your users can submit requests to access, edit, transfer, or delete their personal data.
Termly offers an embeddable DSAR form that can be found in your dashboard.
Preparing to receive DSARs
Here are some steps you should take as you prepare to begin receiving DSARs:
Give users a way to submit DSARs — you may wish to embed a form or provide specific contact details for DSAR submissions.
Create and document a standard DSAR response process.
Keep a detailed list of all the places where your organization may store personal data. These may include:
Client/team member files
Data stored on servers belonging to service providers
And more — review your specific situation carefully to find all the places you store personal data
Responding to a DSAR
Here are some steps we would advise organizations to implement when responding to DSARs:
Determine which data privacy law applies to the data subject. Different laws have different requirements for the timeframe to deal with the request, the responsibility of a company processing the data, and more. You can determine which law applies by verifying the data subject’s location. If you use Termly’s DSAR form, the requestor will be able to select which law is applicable to them when submitting their request.
Verify the requestor’s identity. Individuals with malicious intent could be using your DSAR form to collect information on your users. Notify the requestor that the DSAR was received, but always verify the requestor’s identity before sending personal data. For example, you may verify a requestor’s identity by requiring them to send their request using the same contact information as when they signed up for your service, or by asking the requestor to confirm the information you have for their account.
Clarify the request. Is the requestor asking for access to data, deletion, or something else? Get additional information from the requestor if necessary.
Determine the request’s validity. Establish whether the request is valid and can be completed within a legal timeframe. If not, you can take further steps to request an extension up to 60 days.
Inspect the data. You will need to conduct a search of your files and data to locate all personal information belonging to the requestor. This can include hard copies, digital files, accounts, data stored on service provider servers, and more.
Ensure to protect other data subjects’ personal information — do not delete or share information to the requestor that is not theirs.
If you are unable to delete the requested data for fraud protection, pending court proceedings, legal obligations, or other reasons, notify the requestor what you cannot delete and why. Seek legal advice if you encounter this scenario.
Choose the right format to provide the information. We recommend creating DSAR email templates for responses and deletion requests. Some of the information we recommend that you include is detailed in the section below.
Keep an audit log of DSAR requests. Include the sources of collected information, the review process, key decisions made concerning the legitimacy of the request and whether exemptions applied, the response provided and disclosures, as well as all communications with the individual and other third parties. This will be essential if the individual seeks an internal response review or files a complaint.
Information to include in your DSAR response
We recommend including the following information in your DSAR responses:
Data information requests
Purposes of processing
Categories of personal data concerned
The recipients or categories of recipients to whom personal data has been or will be disclosed, including any other countries or international organizations
Any appropriate safeguards for the transfer of data
The time period for which personal data will be stored, or, if not possible, the criteria used to determine that time period
The source of the data if it was not collected from the data subject directly
The existence of any automated decision making, including profiling and any meaningful information about the logic involved
Data deletion requests
Confirm that the personal data was successfully removed from your systems and third-party systems
If the requestor needs to manually delete their personal data, provide detailed instructions on how to do so
If there is an exception and you cannot fulfill the deletion request, state the reasons for the denial
If some personal data is stored in backup systems awaiting deletion, make sure to explain the deletion schedule.
Before sending your DSAR response, ensure the requestor knows their rights, including:
The right to request rectification or erasure of personal data or restriction of processing of their personal data
The right to complain to the relevant supervisory authority.
Termly will notify you by email when a DSAR submission is made for your website. The email will contain the details of the submission, and some instructions on how to respond.
We recommend you keep records of all received requests, their status, and any additional information or comments.
When keeping a log of your DSAR requests, include the following information:
Request type (erasure, access, rectification, objection, restriction, data portability)
Data subject category (website visitor, user, customer, employee)
Person responsible for responding