
Subject Access Request Requirements

Paige Harris Feb 25, 2022 8:00:00 AM

If your e-commerce business collects or processes information from customers in the European Union, you'll need to have a Data Subject Access Request (DSAR) process flow to deal with any data access requests that come your way.

The same applies if there are other data privacy rules in your region. You must have a policy that explains:

Don’t worry if you're unsure what to do if a DSAR lands in your inbox. We'll run through what you need to do if this happens.

 

Business SAR Responsibilities

Understanding your responsibilities is important because if you violate data management regulations, even unintentionally, you could have a serious problem on your hands.

Regulators can impose fines or even launch an investigation, so data privacy laws should never be ignored.

Responding to a DSAR

If you trade in Europe and are subject to the General Data Protection Regulation (GDPR), you have just 30 days to respond to a DSAR. The time frame is tight, but you can extend the deadline if the request is complicated or you've had several requests from the same person.

You'll have to inform the person, in writing, why you need the extension and keep the notice on record in case a regulator checks in.

Charging DSAR Fees

In most cases, you can't charge a fee for processing a DSAR.

However, there are a few circumstances where you're allowed to charge a reasonable cost, for example if someone requests multiple copies of their data or makes a request that is excessive.

If you think there are grounds for a fee, you'll need to justify your decision. So, it's best to avoid charging unless absolutely necessary!

 

What Information Do I Need to Include in a DSAR Response?

In a DSAR response, there are a few things you will need to include, such as:

  • Why you collected the data and how it was processed.
  • The names of the people or entities you've shared the data with (such as third parties).
  • How long you've had the data, and how long you plan to keep it.
  • Whether you've used the data to make automated decisions, such as when sending offers or promotions.
  • Whether you've used the data to create a customer profile.

While it seems a lot to take in, having a defined process to follow or using a template or checklist can make life a whole lot easier. It will also help ensure you don't miss anything important!

Most DSARs are rather vague. They might simply say: "I'd like a copy of all my personal data." You can reply and ask for clarity, although the individual doesn't have to respond if they don't want to.

 

How Can I Get Help Responding to DSARs?

Data privacy compliance can be a challenge for small and medium-sized businesses, and changing rules and new regulations make it even more complex.

At Enzuzo, we specialize in helping retailers deal with data privacy requirements and future-proof their policies.

Take a look at our privacy tools that range from free custom policy downloads to one-click cookie consents, and everything in between.
