What should we provide when we respond to a DSAR?

An individual is entitled only to their own personal data, and not to information relating to other people (unless the information is also about them or they are acting on behalf of someone). Therefore, it is essential that you establish whether the information requested falls within the definition of personal data.

In addition to a copy of their personal data, you must also provide individuals with the following information:

  1. the purposes of your processing;
  2. the categories of personal data concerned;
  3. the recipients or categories of recipient you disclose the personal data to;
  4. your retention period for storing the personal data or, where this is not possible, your criteria for determining how long you will store it;
  5. the existence of their right to request rectification, erasure or restriction or to object to such processing;
  6. the right to lodge a complaint with the ICO or another supervisory authority;
  7. information about the source of the data, where it was not obtained directly from the individual;
  8. the existence of automated decision-making (including profiling); and
  9. the safeguards you provide if you transfer personal data to a third country or international organisation.
