Data Subject Access Requests – 5 Things Your Company Needs to Consider


6 minute read | April.21.2023

The Cybersecurity & Privacy CompassThis Essential Guide to the EU und UK GDPR is part of Orrick’s Cybersecurity & Privacy Compass Series. The Cybersecurity & Privacy Compass is your global guide to constant cybersecurity and privacy change.

Both the EU and UK GDPR grant data subjects rights in relation to their personal data. Article 15 gives data subjects the right to access their personal data and increasingly, data subjects are exercising this right by sending data subject access requests (“DSARs”) to companies.

Our team sets out below 5 things to consider when responding to a DSAR to help ensure your company complies with its statutory obligations under EU and UK data protection laws.

  1. Personal data isn’t just someone’s name
  2. Protection of Third-Party Data
  3. Be mindful of the deadline to respond
  4. Valid exemptions
  5. Precursor to litigation

1. Personal data isn’t just someone’s name

Under both the EU and UK GDPR, the definition of personal data is very broad and covers “any information relating to an identified or identifiable natural person”. Relevant information could be found in emails, instant messages, documents, databases, video or audio recordings and anything else that could be electronically stored. Therefore, multiple searches might need to be carried out to ensure that all personal data is collated. It is particularly important to remember that personal data will include comments and opinions which have been documented about a data subject e.g., in their internal performance reviews.

A company’s IT team must be able to run searches across the relevant company databases, phones and mailboxes to capture all of a data subject’s personal data. It is vital to keep an accurate record of the conducted searches for responsive data, and it is also advisable to respond to the data subject regarding the search parameters and potential amount of responsive data ahead of conducting your search and review.

2. Protection of Third-Party Data

If some or all of the requested personal data also reveals information that relates to and identifies another individual, particular care needs to be taken when responding to the data subject. A company must have a legal basis for disclosing third-party data to the requesting data subject, and for the most part, that basis will be consent (if consent can be sought). To disclose such information without consent from the third party, an assessment will need to be carried out by the company, considering for example, the type of information that would be disclosed and the duty of confidentiality owed to the third party.

Consideration should also be given as to how reasonable it would be for a company to redact the third-party personal data before sharing information with the requesting data subject. A company can also provide data in an extracted format. For example, if a document contains a lot of information that is not the data subject’s personal data, an extract containing the personal data can be produced, rather than the document itself.

3. Be mindful of the deadline to respond

Following receipt of a DSAR, a company must reply to a data subject without undue delay and in any event within 1 month. This period can be extended by a further 2 months where necessary (considering the complexity and number of requests received from a data subject).

Additional information to narrow the DSAR can be sought from the data subject. Initial investigations may determine that a company processes a large quantity of information about the data subject. Additional information, for example whether there are particular email custodians to be searched or a specific time period, can help to make the exercise more proportionate. Note however, that one generally has no right to request a limitation of the DSAR.

If additional information is sought, this may, depending on local guidance from the competent supervisory authorities (in the EU) or the Information Commissioner (in the UK), pause the above-mentioned statutory timeline for responding to a data subject until any additional information or clarification is received.

4. Valid exemptions

A company can only refuse to comply with a DSAR if a valid statutory exemption applies. The purpose for which a data subject makes a DSAR does not affect its validity. Valid exemptions for DSARs include where requests:

  • are “manifestly unfounded or excessive”, which must be considered on a case-by-case basis considering the following non-exhaustive factors: (i) whether an individual has no real intention of exercising their rights; (ii) whether the request is malicious in its intent; (iii) whether multiple DSARs are systematically being sent (e.g., once a week to cause disruption); or (iv) whether the request is clearly or obviously unreasonable;
  • adversely affect the rights and freedoms of others;
  • would lead to the disclosure of information relating to other data subjects (and where no protections could be put in place to counterbalance this); or  
  • would lead to the disclosure of information to which a claim to legal professional privilege could be maintained in legal proceedings.

Additional exemptions might also apply as set out in applicable national law, for example Schedules 2 and 3 of the Data Protection Act 2018 in the UK or § 29 German Federal Data Protection Act (BDSG). Only if one of these exemptions apply will a company be able to refuse to comply with a DSAR. As such, in most cases, companies will be required to comply with DSARs, and it is therefore crucial that companies understand their legal obligations and the restrictions on what they can and cannot produce in response to a DSAR.

5. Precursor to litigation

DSARs received from data subjects indicate an intention to bring litigation against a company. DSARs allow documents and information to be obtained to assist a data subject in bringing a claim. For example, DSARs received from current or former employees in the context of disciplinary procedures are often used to look for evidence of what other employees or management have reported about the individual. Companies, therefore, need to be aware of this risk and ensure that appropriate care is taken by employees when committing information about individuals to writing, particularly if relationships with the individual have become strained.

It is important that employees receive training on how to respond to such requests and that they are informed immediately that they must not alter or delete any data responsive to a DSAR.

DSARs can be immensely challenging for companies to deal with. There are potentially significant consequences for failing to respond at all or appropriately. DSARs are costly and time consuming for legal and human resources teams to address. However, they cannot be ignored and by addressing them swiftly and in a structured manner, you will place your company in the best possible position to avoid future risks.