DSAR Response Letter: How to Respond to a Subject Rights Request

Osano

If you’re not accustomed to handling data subject access requests (DSARs), then it’s understandable if you feel a bit nervous about responding. After all, there are all sorts of legal requirements involved and the potential for fines and penalties if you get it wrong. 

But there’s no need to panic. So long as you make a good faith effort to fulfill the request on time and transparently communicate with the requester, there aren’t any magic words or phrases you have to say to make your response legal and official.  

However, there are some important things to understand and keep in mind when communicating with requesters at different stages of the DSAR process. 

Like any company, Osano receives DSARs. So, we’ve decided to walk you through the templated emails we send in response to DSARs. 

To start, we’ll cover a few basic but important details about DSARs first. There’s a lot to unpack on this subject, so if you want to learn more about data subject rights, check out our blog, What Is a DSAR? A Complete Guide to Data Subject Access Requests. 

And one final note: This blog can point you in the right direction and ensure you have a baseline of knowledge, but you’re going to be best served by consulting with legal counsel or relying on data privacy solutions to guide your response. 

What Are DSARs? 

DSARs are requests that consumers can make of your business based on certain rights laid out in the requesters’ governing data privacy law. The easiest way to understand DSARs is to break down the term. 

A data subject is the individual whose data you’ve collected. If you’ve got John Smith’s purchase history, then the purchase history is the data, and John Smith is the data subject. 

Access refers to one type of DSAR that a data subject can make. It’s the most common DSAR type, but there are other requests a data subject can make. Conventionally, all of these request types are referred to as DSARs even though they may go beyond merely accessing the data. (Technically, the correct blanket term is subject rights request, or SRR). 

Last is the term request, but DSARs are more like legal obligations. In most cases, you have to respond to a DSAR and carry out the associated request accurately, to the best of your ability, and within a certain timeline. 

What Kind of DSARs Might You Receive? 

Different data privacy laws feature different rights, but for the most part, you can expect to see the following DSARs come in: 

  • Requests to access and summarize the data subject’s information (this is where the access in DSAR comes from) 
  • Requests to delete data 
  • Requests to correct inaccurate data 
  • Requests to restrict processing—essentially, these requests ask you to stop doing anything with the data subject’s information, but you can still hold onto it. These requests can be very open-ended, and their final execution depends on the requester’s instructions. 
  • Requests to opt out of the sale or sharing of data with others 
  • Requests to limit the use of sensitive personal information 
  • Requests for portability—that is, to receive the data subject’s information in a standardized format 
  • Requests to contest the results of automated decision-making (e.g., automatically being approved for or denied a loan) 

There are other data subject rights out there, but the above are the relevant ones when it comes to actually responding to a data subject and doing some task for them. For example, data subjects also have the right to be informed about the collection and use of personal data. You'd want to do this in a cookie banner, a privacy policy, and/or some other form of notice. Some data privacy laws also require you to disclose third parties you transfer their data to. Again, you’d likely do this in your privacy policy. 

What Are Your Responsibilities Associated with DSARs? 

Timelines 

For the most part, you have between 30 and 45 days to respond to a DSAR depending on the governing law. For particularly complex DSARs, most laws let you extend that window (by another 45 days under the CCPA, or by a further two months under the GDPR), but only if you notify the requester of the extension and the reason for it within the original response period. If you do extend, thoroughly document your rationale, since an extension can be a red flag for the data subject and for potential auditors. 

Identity Verification 

For most request types, you should verify the data subject’s identity before you action the request—but not in all cases! Under the CCPA, requests to opt out of sale/sharing and requests to limit the use of sensitive personal information should explicitly NOT be gated on identity verification; you may ask only for the information you actually need to carry out the request (for example, the email address or identifier to suppress). The reasoning is that demanding proof of identity for these request types is more of a threat to the data subject's privacy than just actioning the request, even if there’s a case of mistaken identity. Several CCPA enforcement actions have involved businesses that required identity verification for these request types. 

Rejections 

Lastly, you can reject certain DSARs.  

Duplicate requests can be safely rejected. You're already working on the data subject’s request after all.  

It’s also possible to reject requests that are “manifestly unfounded or excessive,” also known as vexatious requests. But you must be very, very careful when doing so and should thoroughly document your rationale for rejection. Usually somebody submitting vexatious requests has a bone to pick with your organization and could be fishing for something they can use against you in court. 

DSAR Templates: Emails for Different Request Types 

Osano receives DSARs like any other organization. Below are the email templates we use to respond to data subjects depending on the nature of the request or the associated step in the DSAR workflow.  

Note that we use the Osano platform to manage our DSARs, so our responses direct data subjects to log in to the platform’s secure messaging portal to review the results of their processing. Most other data privacy platforms will have similar functionality. If you’re managing privacy in-house, you’d just attach their data or proof of your compliance to the email or send it via a secure, private file-sharing service. 

Email Verification Reminder 

As noted above, identity verification is NOT compliant for requests to opt out of sale/sharing and requests to limit the use of sensitive personal information under the CCPA. It is recommended for other request types, however. 

Again, we use Osano to manage DSARs, so this email template refers to the provision of a secure link for email verification. If you don’t use a privacy solution, there are email verification service providers you can use for this step. 

We ask data subjects to verify their email right away, but if 7 days pass, we’ll send out this reminder: 

In order to help you with your data rights request, you must click on the following secure link to verify your email address. If you don't verify your email, we may mark this request as closed and you will have to submit a new request.  

After 45 days, if the request requires verification and the requester has not verified their email, we close out the request. 
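As an added example (not Osano's code and not the Osano platform's implementation), here is a small Python intake helper that encodes the two rules above: which request types must not be gated on verification, and the 7-day reminder / 45-day closure schedule for requests that do require it. It also shows one way to build the token behind a "secure link": an HMAC-SHA256-signed payload bound to a single request and email address with an expiry, so it needs no server-side lookup table and cannot be reused against another request. The request-type names, the 7/45-day thresholds, the token format and the secret key are illustrative assumptions.

```python
# Added example, not Osano's code: DSAR verification gating, an HMAC-signed
# email-verification token, and the reminder/closure schedule described above.
# Request-type names, thresholds, token format and secret are assumptions.
import base64
import hashlib
import hmac
from enum import Enum


class RequestType(Enum):
    ACCESS = "access"
    DELETE = "delete"
    CORRECT = "correct"
    RESTRICT = "restrict"
    OPT_OUT_SALE_SHARE = "opt_out_sale_share"
    LIMIT_SENSITIVE = "limit_sensitive"
    PORTABILITY = "portability"
    CONTEST_ADM = "contest_automated_decision"


# CCPA rule discussed above: opt-out and limit-sensitive requests must NOT be
# gated on identity verification; every other type is verified first.
NO_VERIFICATION = {RequestType.OPT_OUT_SALE_SHARE, RequestType.LIMIT_SENSITIVE}


def requires_verification(request_type: RequestType) -> bool:
    return request_type not in NO_VERIFICATION


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_verification_token(secret: bytes, request_id: str, email: str,
                             now: int, ttl_days: int = 45) -> str:
    """Token for the 'secure link': payload bound to one request and one
    address, with a Unix-time expiry, authenticated by HMAC-SHA256.
    request_id and email are assumed not to contain the '|' separator."""
    expires_at = now + ttl_days * 86400
    payload = f"{request_id}|{email}|{expires_at}".encode()
    tag = hmac.new(secret, payload, hashlib.sha256).digest()
    return f"{_b64e(payload)}.{_b64e(tag)}"


def check_verification_token(secret: bytes, token: str, request_id: str,
                             email: str, now: int) -> bool:
    """Check the tag first (constant-time), then the binding and the expiry."""
    try:
        payload_b64, tag_b64 = token.split(".", 1)
        payload = _b64d(payload_b64)
        tag = _b64d(tag_b64)
    except (ValueError, TypeError):  # binascii.Error is a ValueError subclass
        return False
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False
    try:
        rid, addr, exp = payload.decode().split("|")
        expires_at = int(exp)
    except ValueError:
        return False
    return rid == request_id and addr == email and now < expires_at


def next_action(submitted_at: int, verified: bool, request_type: RequestType,
                now: int, remind_after_days: int = 7,
                close_after_days: int = 45) -> str:
    """Workflow step for an open request: 'process', 'wait', 'remind' or 'close'.
    Requests that must not be verified go straight to processing."""
    if not requires_verification(request_type) or verified:
        return "process"
    age_days = (now - submitted_at) / 86400
    if age_days >= close_after_days:
        return "close"
    if age_days >= remind_after_days:
        return "remind"
    return "wait"
```

Treat the token as a secret: send it only in an HTTPS link, keep it out of logs, and record the "verified" flag on the request server-side when the link is clicked so that the token is effectively single-use even though it is stateless.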

Email Verification Confirmation 

Here’s what we send once a data subject verifies their email. Confirming receipt of a request is a requirement under most privacy laws, but beyond that, the laws don't always spell out what status information you should provide. Letting data subjects know their request is being worked on is a best practice that cuts down on confusion (and on duplicate requests). 

We've confirmed your email and your request has been sent to our data privacy team.  

What to expect next:  

  • Our data privacy team will begin processing your request as soon as possible.  
  • In order to check the status of your request, and receive communications and documents related to your request, you will need to log in to our secure messaging portal. In some cases, our data privacy team may require additional information from you, which will also be communicated through the secure messaging portal.  
  • Once your request has been marked complete in our system, all communications and documents transferred through our secure messaging portal will be removed after 2 years. If you have additional questions you may be required to submit a new request. 

Note the reference to a secure messaging portal—that’s a feature of the Osano platform. We also keep documentation on file just long enough for compliance purposes, and you should do the same. Once that 2-year window closes, we promptly delete the associated records. 

Request Completion  

Any time we complete a request from a data subject, we start off our response with “We have completed processing your [Fill in the Blank] request.” Then, we add one of the following statements based on the request type. Send the completion notice only after the work has actually been carried out in every relevant system; if some records are retained under a legal exception (for example, transaction records you are required to keep), say so rather than claiming complete removal. 

  • Correction Request: “Our systems have been updated with the corrected information you provided.” 
  • Deletion Request: “The specified data has been permanently removed from our systems." 
  • Summary Request: “A summary of the relevant information from our systems has been compiled for you.” 
  • Do-Not-Share/-Sell Request: “Your data has been removed from any lists or databases used for selling information.” 
  • Limit the Use of Sensitive Personal Information request: “The use of your data has been restricted according to your instructions.” 
  • Opt Out of Using Sensitive Data Request: “Your sensitive data has been excluded from any future processing or usage as per your instructions.” 
  • Opt-Out Request: “Your data has been excluded from any future processing or sharing activities as per your instructions.” 

Finally, we close out by reminding data subjects they can find additional information in the Osano platform messaging portal: “Let us know if you have any additional questions. Please login to the secure messaging portal below to view any additional details.” 

That additional information might be the portable data files requested in a portability DSAR, the summarized data in a summary request, and so on. If you don’t use a privacy solution with a comparable portal, you might have to send additional details in the email body or by a secure file-sharing service.  

No Results Found for Requests to Opt Out of Targeted Advertising 

Any DSAR could yield no results for the given data subject (often, this occurs when an authorized agent or third-party service provider submits bulk DSARs on behalf of many consumers at once). Generally, these don’t require any special response; you just confirm that you checked your systems and found that the data subject’s personal information wasn’t there. 

We templated a response for requests to opt out of targeted advertising when no results were found because:  

  1. It’s common for this to be the case. 
  2. Regulators are placing higher scrutiny on these request types. 
  3. The CCPA requires opt-out requests to be honored within 15 business days, unlike the usual 30 or 45 days.  

When data subjects who aren’t in our databases send Osano an opt-out request, we offer to put them on our Do Not Contact list pending their confirmation. It’s not technically required, but it’s safer and more respectful of the data subject’s wishes. To ensure a timely response, we use the following template: 

Hello,  

Thank you for your recent privacy request submitted through our Subject Rights Request (SRR) form.  

After conducting a thorough search of our records, we have determined that we do not currently possess any personal information associated with you. Nevertheless, to honor your request and uphold your privacy preferences, we can add your email to our Do Not Contact list. Please confirm if you would like us to take this action. This would ensure that, should we collect your information in the future, we will not process it for marketing or other outreach purposes.  

If you have any further questions or concerns regarding your data privacy, please do not hesitate to contact us using this secure messaging portal. 

Generic Rejection 

In certain circumstances, we need to reject requests. As stated earlier, we only do so when it’s clear that the request can and should be rejected.  

If the data subject failed to verify their email or identity for requests where identity verification is appropriate, we’ll first send a reminder email and then reject the request after 45 days. If a request is a duplicate, that’s another circumstance when we can reject the request. If there is no user found, we’d reject the request in that case as well (although we have a special workflow for opt-outs of targeted advertising; see above). 

Here’s what we send data subjects when it’s clear that a request should be rejected: 

In order to protect your privacy, your request has been rejected.  

Reasons why your request could have been rejected include (but are not limited to):  

  • Email not verified  
  • Duplicate request  
  • No user found  
  • Proof of identity discrepancy  

If you believe this notice to be an error, please submit a new request and ensure you include the following requirements:  

  • All data provided is accurate  
  • Email verification is complete  
  • Proof of identity (if applicable) contains all required information  

Rejected Due to Lack of Governing Law 

We honor DSARs from any jurisdiction, even if there are no governing privacy laws giving consumers the right to submit a DSAR. However, if there were a jurisdiction without a privacy law that we wished to exclude, here’s what we would say: 

We are unable to process your request at this time because you've submitted the request from a jurisdiction not covered by a privacy law. If you believe this message is in error, please try and submit your request again. 

A Special Note About Rejections 

It bears repeating: Although you have the right to reject manifestly unfounded or excessive (i.e., vexatious) DSARs, we recommend doing so only with the guidance of legal counsel. We’re not going to provide a template response for this type of rejection—it really should be handled with care and tailored attention.  

Simplify Your DSAR Workflow with Data Privacy Software 

You can use the example email copy provided here to communicate with data subjects. But that ignores the need to thoroughly document your responses, maintain the security and privacy of communications, and actually carry out all of the work involved in executing a DSAR, like finding and modifying the relevant data in accordance with the request. 

Data privacy software can make this process significantly easier. Responding to DSARs manually is manageable when you’re only getting one every few months, but as that number ticks up, your risk does too. 

Osano can help. Our Subject Rights Management module makes it easy to:  

  • Intake and centralize requests 
  • Coordinate with different data store owners 
  • Manage DSARs across different jurisdictions with different subject rights 
  • Analyze and report on DSARs 
  • Leave a thorough paper trail proving your compliance 

Plus, we guarantee your compliance—if you receive a fine as a result of our platform, we’ll cover it up to $500k as part of our “No Fines, No Penalties” Guarantee. 

Whether you’re just dipping your toes into the world of subject rights or you’re a veritable DSAR guru, book some time with our experts. We’re happy to chat about how Osano can support your compliance. 

Frequently Asked Questions About DSAR Response Letters 

How long do I have to respond to a DSAR? 

It depends on the governing law and the specific request type. Under the CCPA, opt-out requests have to be carried out within 15 business days, while other request types must be fulfilled within 45 days (extendable by another 45 days for complex requests, with notice to the requester). Requests made under the GDPR must be fulfilled within one month (roughly 30 days), extendable by a further two months for complex requests. 

Can I reject a DSAR request? 

Yes, but only under limited circumstances. Duplicate requests can be safely rejected. Additionally, “manifestly unfounded or excessive” requests can be rejected, but you should only do so with the guidance of legal counsel. In all cases, you should thoroughly document the rationale for your rejection. 

Do I need to verify a requester’s identity? 

Sometimes. For requests to opt out of sale/sharing and requests to limit the use of sensitive information, it is NOT compliant to require identity verification. Other requests should require verification proportional to the request type and scope. 

Do I have to honor every DSAR request? 

You are only required to honor DSARs from data subjects protected by a governing data privacy law to which you are subject. If, for example, you don’t meet the threshold to be subject to the CCPA, you don’t technically have to comply with requests from that jurisdiction. Or, if a data subject resides in a jurisdiction without a privacy law, you don’t have to comply with their requests either. However, it’s a best practice to honor all DSAR requests. 

Written by:

Osano