Businesses and organizations gather vast amounts of our personal data for various purposes. Whether it’s for enhancing customer experiences, improving services, or conducting marketing campaigns, the collection and processing of personal data are integral to modern business operations. However, as data privacy becomes a critical concern for individuals, regulations such as the General Data Protection Regulation (GDPR) have been implemented to protect individuals’ personal data and provide them with control over how it is used. One of the most fundamental rights granted by the GDPR is the right to access your personal data through a Data Subject Access Request (DSAR).
In this post we will discuss what personal data is, the various categories of data businesses may store, and the legal grounds for collecting and processing such data. We will explore why and how to make a DSAR, what individuals can expect from the process, and the broader rights they have concerning their personal data. Additionally, we will explain how individuals can enforce their rights, including how to lodge a formal complaint if their data is mishandled. Businesses also have an obligation to comply with data privacy laws, and understanding these rights helps both individuals and organizations remain compliant.
What is Personal Data?
At its core, personal data is any information relating to an identified or identifiable living individual, whether the identification is direct (a name) or indirect (an identifier, or a combination of attributes that can be linked back to a person). The definition is deliberately broad, covering everything from names and email addresses to IP addresses, cookie and device identifiers, and behavioral data gathered from social media activity. Pseudonymised data (for example records keyed by a customer ID) is still personal data as long as the key to re-identify the individual exists; only data that has been truly anonymised falls outside the GDPR. This expansive definition is what gives individuals comprehensive protection over their privacy.
Categories of Personal Data
Businesses may hold different categories of personal data, depending on the services they offer and the interactions they have with their customers. Here’s an overview of the most common categories:
- Basic personal information: This is the most commonly collected data, including names, addresses, phone numbers, and email addresses. Every time you register for a service or fill out a form, this data is likely stored by the business.
- Financial data: If you make purchases or financial transactions with a business, they may hold details such as bank account numbers, credit card information, payment history, and purchase records. Financial data is particularly sensitive and often subject to strict protections due to the risk of fraud and identity theft.
- Contact and communication history: Any interactions you have with customer service, support teams, or general communication with the business are often recorded and stored. These records can include emails, chat transcripts, or phone call logs.
- Technical data: Modern businesses often collect technical information related to how users interact with their website or apps. This may include IP addresses, browser type, device information, location data, and cookies that track online behavior.
- Special categories of data: GDPR defines certain types of personal data as “special categories,” which require extra protections. These are data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data used to uniquely identify a person, health data, and data concerning sex life or sexual orientation. Processing this data is prohibited unless one of the specific conditions in Article 9 applies, such as the individual’s explicit consent, so businesses must meet a higher legal standard before collecting or processing it.
- Behavioral data: This refers to information about how users engage with a business’s products or services. It may include marketing preferences, purchase behaviors, and browsing habits. Behavioral data is often used to personalize services or target individuals with specific marketing campaigns.
Legal Grounds for Storing and Processing Personal Data
Under the GDPR, businesses and organizations cannot process personal data unless they have a valid legal basis for doing so. The law is clear that personal data should be handled responsibly and transparently, ensuring that individuals’ rights are respected. The most common legal grounds for processing personal data include:
- Consent: One of the most straightforward grounds for data processing is consent. This occurs when an individual actively agrees to the processing of their data for a specific purpose. For consent to be valid under GDPR, it must be freely given, specific, informed, and unambiguous, and it must be as easy to withdraw as it was to give. For example, when a user ticks a box agreeing to receive marketing emails, they are giving consent; a pre-ticked box, silence, or inactivity does not count as consent.
- Contractual necessity: If personal data is required to fulfill a contract, such as delivering a product or service, this forms a legitimate ground for processing. For example, an online retailer needs a customer’s address to deliver a purchased item.
- Legal obligation: In some cases, businesses must process personal data to comply with legal obligations. This can include obligations related to tax laws, employment regulations, or reporting requirements. For example, employers may need to store employee tax information.
- Legitimate interest: This is a flexible legal basis that allows businesses to process personal data for their own or a third party’s legitimate purposes, provided those interests are not overridden by the individual’s interests or fundamental rights and freedoms. An example might be processing personal data for fraud prevention or network and information security. Businesses must carry out and document a legitimate interests assessment to show that the processing is necessary for the stated purpose and does not disproportionately affect individuals’ rights. This basis is not available to public authorities for processing carried out in the performance of their tasks.
- Vital interests: In rare cases, businesses may process personal data to protect someone’s vital interests, such as in life-threatening situations. For instance, health data might be processed in an emergency to protect the individual’s life.
- Public task: Certain types of personal data processing may be necessary for tasks carried out in the public interest or the exercise of official authority. This applies mainly to government bodies or organizations acting in the public sector.
Making a Data Subject Access Request (DSAR)
One of the most powerful tools available to individuals under GDPR is the right of access (Article 15), exercised by making a Data Subject Access Request (DSAR). This request enables individuals to find out whether a business or organization holds personal data about them, what that data is, how it is being used, and whether it has been shared with any third parties. It is an essential right for ensuring transparency and accountability in data processing.
Why Make a DSAR?
Making a DSAR serves several important purposes for individuals:
- Gain transparency: You can learn exactly what personal data is being stored about you and whether it is being processed in accordance with data protection laws.
- Verify data accuracy: Accessing your data allows you to check that the information is accurate and up to date. If errors are found, you can request corrections.
- Ensure lawful processing: A DSAR helps you confirm that your personal data is being processed in a lawful manner and not being used for purposes you did not consent to.
- Check third-party sharing: You can find out whether your personal data has been shared with third parties, and if so, ensure that it was done in compliance with GDPR.
- Assess risk: You may want to know what types of data are held to evaluate potential risks, such as exposure to fraud or identity theft.
How to Make a DSAR
Submitting a DSAR is a straightforward process, but it’s important to follow the correct steps to ensure the business responds appropriately. Here’s how to make an effective DSAR:
- Identify the data controller: The data controller is the business or organization that determines the purposes and means of processing your personal data. This could be your employer, a service provider, or any business that has collected your data. A request is valid however it reaches the organization, but many organizations list a privacy contact or data protection officer in their privacy notice, and sending the request there will get it handled faster.
- Submit your request: You can submit a DSAR via email, online form, or even by letter. There is no specific format required by law, but your request should clearly state that you are making a “Data Subject Access Request.” It’s helpful to include your full name, any relevant account numbers, and specific details about the data you wish to access.
- Proof of identity: To protect against unauthorized disclosure, a business may ask for additional information to confirm your identity before providing access to your data, particularly where it has reasonable doubts about who is asking. This may involve submitting copies of official documents like a passport or driver’s license. The check should be proportionate: a business that already authenticates you through an account login should not normally need copies of identity documents. The check matters because a DSAR answered to an impersonator is itself a personal data breach, so respond to any reasonable identity request promptly rather than treating it as an obstacle.
- Specify your data request: Although you can request access to all personal data a business holds on you, being specific can help speed up the process. For instance, if you only want access to your financial transactions or contact history, mention this in your request. This can also help reduce the chance of receiving irrelevant information.
- Timeline: Once your DSAR has been received, the business has one month to respond. Where a request is complex or you have made several requests, this deadline can be extended by up to two further months, but the business must tell you within the first month that it is extending and explain why.
What to Expect from a DSAR Response
When a business responds to your DSAR, it must provide the following information:
- Confirmation of whether it is processing your personal data.
- A copy of the personal data it is processing.
- Details of the purposes for which the data is being processed, and the categories of data concerned.
- Information on any recipients or categories of recipients with whom the data has been or will be shared, including any transfers outside the EU or UK and the safeguards that apply to them.
- The source of the data, if it wasn’t collected directly from you.
- The period for which the data will be stored, or the criteria used to determine that period.
- Information on your rights, including the right to rectification, erasure, restriction, and objection, and your right to lodge a complaint with a supervisory authority.
- Whether any automated decision-making or profiling is used in processing your data, with meaningful information about the logic involved and its significance and likely consequences for you.
In most cases, businesses are required to provide the data free of charge. If a request is manifestly unfounded or excessive, for example because it repeats a recent request, the business may charge a reasonable fee or refuse to act on it, but it must be able to justify that decision. A reasonable fee based on administrative costs may also be charged for further copies of data already provided.
Your Rights Under GDPR
Beyond the right of access, GDPR grants individuals several important rights over their personal data. These rights are designed to give individuals control over their data and ensure that businesses are transparent and accountable. Here are the key rights you have under GDPR:
- Right to rectification: If you discover that the personal data a business holds on you is inaccurate or incomplete, you have the right to request its correction.
- Right to erasure (Right to be forgotten): Under certain circumstances, you can request that a business delete your personal data. This right applies if the data is no longer necessary for the purposes it was collected for, if you withdraw your consent and there is no other legal basis, if you object and there are no overriding legitimate grounds, or if the data is being processed unlawfully. It is not absolute: a business can refuse where it still needs the data to comply with a legal obligation or to establish, exercise, or defend legal claims.
- Right to restrict processing: In some cases, you can request that a business restrict the processing of your data, meaning the data can still be stored but not used. This might apply if you contest the accuracy of the data or object to its processing.
- Right to data portability: GDPR allows you to receive the personal data you have provided to a business in a structured, commonly used, and machine-readable format, and to have it transmitted directly to another organization where technically feasible. This right applies only to data processed by automated means on the basis of consent or a contract, and it is particularly useful if you want to switch service providers without losing your data history.
- Right to object: You have the right to object to processing based on legitimate interests or public task, and to processing for direct marketing. Where you object to direct marketing, the business must stop; there are no exceptions. For other processing, the business must stop unless it can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is needed for legal claims.
- Rights related to automated decision-making and profiling: If a decision about you is made solely by automated means (e.g., an algorithm with no meaningful human involvement) and it produces legal effects or similarly significantly affects you, you have the right not to be subject to it except in limited cases, and where it is permitted you can request human intervention, express your point of view, and challenge the decision.
Filing a Complaint
If you believe a business has mishandled your personal data, failed to respond to your DSAR, or violated your rights under GDPR, you have the right to file a complaint with the relevant data protection authority. In the UK, this is the Information Commissioner’s Office (ICO); in the EU, it is the Data Protection Authority (DPA) of the member state where you live, where you work, or where the alleged infringement took place.
When filing a complaint, include all relevant details such as a copy of your DSAR, any correspondence with the business, the dates involved, and an explanation of how your data rights have been violated. If the issue remains unresolved, you may also consider seeking legal advice or pursuing the matter through the courts, including a claim for compensation for material or non-material damage caused by the infringement.
Taking Control of Your Data Privacy
The collection and processing of personal data are fundamental to the modern business landscape, but individuals must remain vigilant about how their data is used. Through the Data Subject Access Request process, you can gain transparency, control, and assurance that your personal data is being processed lawfully. Understanding your rights under GDPR is crucial for protecting your privacy and ensuring that businesses treat your data with the respect it deserves.
If you’re a business owner, ensuring compliance with GDPR is not just a legal obligation but also a way to build trust with your customers. At LexDex Solutions, we specialize in helping businesses become GDPR compliant, ensuring that personal data is handled securely and ethically.
Contact LexDex Solutions today to learn more about how we can help you protect your business and customer data. Compliance doesn’t have to be complicated—let’s make it simple and effective.