What are Data Subject Requests?

  • Updated


The General Data Protection Regulation (GDPR) grants data subjects (the person whose personal data is being collected) the right to access their personal data by making a Data Subject Access Request (DSAR). 

"A data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing...
...Every data subject should, therefore, have the right to know and obtain communication in particular with regard to the purposes for which the personal data are processed, where possible the period for which the personal data are processed, the recipients of the personal data, the logic involved in any automatic personal data processing and, at least when based on profiling, the consequences of such processing."

Recital 63 - GDPR

The GDPR has introduced the following changes to DSARs:

  1. Companies cannot charge a fee for DSARs (reasonable exceptions apply).
  2. DSARs must be fulfilled within one (1) month of receipt. 
    1. **CCPA - DSARs must be fulfilled within 45 days of receipt with permitted exceptions of up to 90 days.**
  3. DSARs can be made in any form. 

Osano provides enterprise users with a means of better consolidating and managing DSAR requests. 

Continue on to the following Articles: