How to Handle Data Subject Access Requests

May 8, 2024

INTRODUCTION

The emergence of strong data protection legislation responds to a growing concern about data privacy worldwide. In the wake of the new data protection act titled Digital Personal Data Protection Act, 2023 (hereinafter referred to as “DPDPA”), the principle of subject access is enforced. It is stated that individuals (data principals) have the right of access to their personal information in a format that they select, which is held by organizations, known as data fiduciaries.

Consequently, it is pivotal for data fiduciaries to handle Data Subject Access Requests (hereinafter referred to as “DSAR”) efficiently. A DSAR empowers individuals to access the personal data that organizations hold about them.

DSARs are crucial for ensuring transparency and accountability in data processing activities. When individuals submit a DSAR, organizations are obligated to provide them with details about their personal data, including its collection, processing, and sharing. Compliance with DSARs is essential for maintaining trust between individuals and organizations while upholding privacy rights in an increasingly data-driven world.

WHAT IS DSAR?

Through a DSAR, data principals can request the requisite information from the data fiduciary, including information on how their data is being processed, stored, and shared.

The DSAR allows individuals to request information on:

  • The categories of personal data that are processed.
  • The purpose for which the data is to be used.
  • The recipients or categories of beneficiaries to whom the information shall be shared.
  • The source of the information, if it had not been collected directly from the data principal.
  • The period in which the data are to be kept, or the criteria for determining this time limit.

Article 15 of the General Data Protection Regulation (hereinafter referred to as “GDPR”) grants individuals specific rights regarding their personal data. It outlines the right of access, allowing individuals to obtain confirmation from data controllers as to whether or not personal data concerning them are being processed, and if so, to access that data and receive additional information about the processing.

This additional information includes details such as the purposes of the processing, the categories of personal data involved, the recipients or categories of recipients to whom the personal data have been or will be disclosed, and the envisaged period for which the personal data will be stored. Additionally, Article 15 also grants individuals the right to obtain a copy of the personal data undergoing processing.

GLOBAL LANDSCAPE OF DSAR

1. General Data Protection Regulation: The GDPR established a comprehensive framework for the protection of personal data. Article 15 of the GDPR grants data subjects the right to access their personal data and obtain a copy in a commonly used electronic format.

2. California Consumer Privacy Act (hereinafter referred to as “CCPA”) and California Privacy Rights Act (hereinafter referred to as “CPRA”): California residents have the right to access specific pieces of personal information collected by a business in the last 12 months under these California laws. In response to excessive and repeated requests, the CCPA allows businesses to charge a reasonable fee.

3. Digital Personal Data Protection Act: The recently enacted DPDPA in India gives individuals the right to control their personal data. However, the DPDPA itself does not provide any special guidance on how to handle DSARs.

KEY REQUIREMENTS UNDER THE DIGITAL PERSONAL DATA PROTECTION ACT, 2023

The DPDPA lists the data principals’ rights as follows:

i. Right to confirmation and access to their personal data: Data principals are entitled to access personally identifiable data held by a data fiduciary, including the source of that data, the purpose for which it is processed and the categories of recipients with whom it is shared. For example, if a data fiduciary processes only email addresses, it must inform the user which email address it holds, why it processes it, how it obtained it, and with whom it shares it. Data principals have the right to confirmation from the data fiduciary as to whether their personal data is being processed. If this is the case, they shall have the right to access a copy of the data in a clear and comprehensible format.

ii. Information to be provided: The data fiduciary shall provide the data principal with the following information upon receipt of the DSAR.

iii. The right to correct their personal data: Data principals have the right to have their personal data corrected if it is inaccurate or incomplete. For example, a person who changes his or her last name has the right to have his or her personal data corrected to reflect that change.

iv. The right to the erasure of their personal data: Data principals have the right to have their personal data erased if it is no longer necessary for the purposes for which it was collected or processed, or if they withdraw their consent. Note that the right to erasure can be exercised once one or both of these requirements is satisfied.

v. The right to restrict the processing of their personal data: Under certain conditions, data principals have the right to restrict the processing of their personal data.

vi. The right to data portability: Data principals have the right to transfer their personal data to another data fiduciary and to receive a copy of it in a commonly used, machine-readable format. An example is the transfer of medical records between physicians.

vii. The right to object to the processing of their personal data: The data principal may object to the use of their personal information for specific purposes. This could include objecting to the use of data for automated decision making or direct marketing.

viii. The right to withdraw consent: Data principals are free to change their mind at any time regarding the processing of their personal information, and the withdrawal process is intended to be straightforward. Preference centres offered by consent management providers such as Secure Privacy may be used by users to exercise their rights.

HOW TO HANDLE THE DSAR

Handling DSARs involves several key steps to ensure compliance with jurisdictional data protection regulations and meet the data principal’s request for access to their personal data.

1. Verify Identity: Upon acknowledging the DSAR, verify the identity of the individual making the DSAR to prevent unauthorized access to personal data. Request additional information or documentation to confirm identity where needed. This helps prevent unwarranted exposure of another person’s personal data or sensitive information.

2. Gather Relevant Data: Identify and gather all relevant personal data held by the organization about the individual making the DSAR. This may involve data mapping and accessing data from various sources and systems within the organization.

3. Review Data: Review the gathered data to ensure its accuracy and relevance to the DSAR. Remove any irrelevant or sensitive information.

4. Provide Response: Prepare a comprehensive response to the DSAR, including a copy of the individual’s personal data and any additional information mandated by the law of the land. Be transparent about how the data is processed, stored, and shared. Furthermore, ensure that the response is being provided in a timely manner.

5. Record Keeping: Keep records of all DSARs received and the actions taken to process them. This documentation is essential for demonstrating compliance with the law of the land and may be subject to regulatory scrutiny.

AMLEGALS REMARKS

Responding to DSARs is as important as the underlying basis of data protection itself, and India’s DPDPA, through its essential stipulations, establishes a holistic framework for organizations to respond to such requests within a reasonable time and in a fair and transparent manner.

Specifically, the DPDPA reinforces the central role of consent in data processing by obliging that consent be given “freely, explicitly, clearly comprehended, without any kind of restrictions or coercion and specific”. Consequently, entities must ensure that the data principals are provided with all necessary information on how their data will be used and in particular, they should have a choice of whether or not to approve this processing whenever they so wish.

In conclusion, DSARs serve as a critical mechanism for data principals to exercise their rights to access and control their personal data. These requests are mandated by data protection regulations like the GDPR, empowering individuals to gain insight into how organizations handle their information.

DSARs foster transparency, accountability, and trust between individuals and organizations by providing individuals with the opportunity to review, verify, and, if necessary, rectify or erase their personal data. By establishing clear procedures, promptly responding to requests, and maintaining open communication, organizations can effectively handle DSARs while upholding data protection principles and safeguarding individuals’ privacy rights. Ultimately, DSARs play a pivotal role in promoting a culture of data privacy and empowering individuals in an increasingly data-driven world.

– Team AMLEGALS assisted by Ms. Nandini Muktani (Intern)


For any queries or feedback, feel free to reach out to mridusha.guha@amlegals.com or liza.vanjani@amlegals.com
