John Doe DSAR Scenario

Sample Access Request

Request to access to personal data according to Art. 15 GDPR

 

Dear HR Manager:

I am John Doe, and I am a former employee of Enron. I have worked for Enron from 1997 until 2001.

I am hereby requesting access according to Article 15 GDPR. Please confirm whether or not you are processing personal data (as defined by Article 4(1) and (2) GDPR) concerning me.

In case you are, I am hereby requesting access to the following information pursuant to Article 15 GDPR:

  1. all personal data concerning me that you have stored, including any potential pseudonymized data on me as per Article 4(5) GDPR;
  2. the purposes of the processing;
  3. the categories of personal data concerned;
  4. the recipients or categories of recipient to whom the personal data have been or will be disclosed;
  5. where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
  6. where the personal data are not collected from the data subject, any available information as to their source;
  7. the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for me.

In case you are processing anonymized data concerning me, please not only inform me about that but also explain the procedure used in an easily understandable way.

If you are transferring my personal data to a third country or an international organization, I request to be informed about the appropriate safeguards according to Article 46 GDPR concerning the transfer.

[Please make the personal data concerning me, which I have provided to you, available to me in a structured, commonly used and machine-readable format as laid down in Article 20(1) GDPR.]

My request explicitly includes any other services and companies for which you are the controller as defined by Article 4(7) GDPR.

As laid down in Article 12(3) GDPR, you have to provide the requested information to me without undue delay and in any event within one month of receipt of the request. According to Article 15(3) GDPR, you have to answer this request without cost to me.

I am including the following information necessary to identify me in the following annex:

If you do not answer my request within the stated period, I am reserving the right to take legal action against you and to lodge a complaint with the responsible supervisory authority.

 

Thank you in advance.

Yours sincerely,

John Doe

 

Receiving a Data Subject Access Request

John Doe has submitted a data subject access request (DSAR) to his former employer, Enron. In his request, John has asked for all his personal data that Enron has stored as per article 4(5) GDPR and the purposes of the processing.

Upon receiving an access request, a company must first confirm whether or not they are processing personal data regarding the individual. Then they must provide a copy of the personal data that they are processing. As a last step, they need to provide information regarding the processing (such as the purposes of processing, the recipients and the categories of personal data processed).

After Enron receives this request, they proceed to verify the identity of John Doe and determine whether his request is specific and clear. According to the ICO (Information Commissioner's Office), a controller may ask the data subject to specify the information or processing activities that their request relates to, if it is not clear. The time limit to respond to the access request is then paused until clarification is received by the controller.

Consequently, Enron’s legal department sends a link to John Doe to verify his identity and asks him to be more specific and to give a detailed overview of how he could be found in the system by for instance providing variations of his name, nickname(s), last name(s) etc.

John Doe has verified his identity and has sent the following list to clarify his request:

My name can be written as follows:
- John Doe
- J. Doe
- John X.
- John X. Doe
- John Xavier Doe
- Mr. Doe
- Javier Doe
- John Smith (as I was married for 2 years and took my ex-wife’s last name)

I was also known under the following nicknames and aliases:
- John Xavier
- Mr. J

I worked at the following departments:
- Finance (from 1997 to 1998)
- Sales (from 1998 to 2001)

I worked on the following projects:
- Barcelona Project
- Astron
- Madrid

I worked with the following clients:
- Graphon
- Prime Eight
- Omega X

My addresses:
- 2100 Southbridge Parkway, Birmingham 35209 AL
- 350 Second Street, Bryan Texas 77808

E-mail addresses:
- John.doe@gmail.com
- John.doe@work.com
- Johnxavierdoe1@gmail.com
- John1101ba@gmail.com
- Zydemo1@xs4all.nl
- John.doe@zylabdev.onmicrosoft.com

Other important data:
- SSN 002-28-28-52
- Birthday: 12-12-1971

 

Verify Identity

The first step in responding to an access request is to verify the identity of the data subject. This is extremely important as any DSAR requested by an unauthorized person will result in a breach.

Unfortunately, there is no single correct way to verify the identity of a requester. This is up to your company and your procedures. It also matters who is making the request. If you do not already possess a copy of the passport or ID of the requester, then it would be disproportionate to ask for such a document to verify their identity. Asking for a copy of an ID or passport can also cause risks of identity theft and data breaches. You will then need to have extra security measures in place to protect such personal data.

While responding to an access request, your company must still adhere to the GDPR’s overarching principles such as data minimization and confidentiality. You should therefore not retain new personal data, such as a copy of ID or passport, for the sole purpose of verifying the requester’s identity. The verification process must be proportionate, effective and efficient.

Therefore, it would be better to choose a different method to verify the identity, such as verifying a link through email or providing their username and other relevant personal data.

Example: In order to verify John Doe’s identity, Enron sends a link to John through email which he can use to verify his identity.

Determine Data Sources

The time limit for responding to an access request begins once the data subject’s identity is verified and the request is clarified. Once it is established in which period John Doe worked for Enron and in which departments, it can be determined which data sources i.e., mailboxes and communications need to be uploaded to ZyLAB ONE and searched.

Example: Enron creates a list of all the managers involved in the departments where John Doe has worked and the projects he has worked on. In addition, they establish who the managers and employees were of the HR department in the period when John Doe worked for Enron. Once these names are listed, all their mailboxes and potentially hard disks from 1997-2002 can be collected and uploaded to ZyLAB ONE.

Managers of Finance & Sales Department from 1997 – 2001:
- Robert Harris
- Richard Shapiro
- Richard Sanders
- Sara Shackleton
- Flora Sanders

HR managers and staff of 1997 – 2002
- Jeff King
- Craig Dean
- John Griffith

Which data sources are needed:
- Mailboxes of the above managers and staff from 1997 – 2002
- HR hard disks from 1997 – 2002
- SharePoint data of John Doe’s projects
- John Doe’s old work laptop