A GDPR Request, formally known as a Data Subject Access Request (DSAR), is a communication from a data subject stating that they wish to exercise their rights under the GDPR to access their data.
The right of access (Article 15) is a data subject right. It gives citizens the right to access their personal data and information about how this personal data is being processed. A data controller must provide, upon request, an overview of the categories of data that are being processed (Article 15(1)(b)) as well as a copy of the actual data (Article 15(3)). The data controller must also inform the data subject of details of the processing, such as the purposes of the processing (Article 15(1)(a)), with whom the data is shared (Article 15(1)(c)), and how it acquired the data (Article 15(1)(g)).
- We should consider which of our staff who regularly interact with individuals may need specific training to identify a request.
- We should define procedures for recording details of the requests we receive, particularly those made by telephone or in person/chat/social media.
- We should keep a log of requests.
- We MUST respond within 1 month. We should respond as quickly as possible.
- We MUST comply with GDPR and respond to these requests properly.
- We should be prepared to receive GDPR requests through any medium, not just electronically.
The GDPR does not specify how to make a valid request. Therefore, an individual can make a subject access request to you verbally or in writing. It can also be made to any part of your organisation (including by social media) and does not have to be to a specific person or contact point.
A request does not have to include the phrase 'subject access request' or mention Article 15 of the GDPR, as long as it is clear that the individual is asking for their own personal data.