Right of Access Requests

What is the deadline for responding to a request?

A company must provide the information immediately, or within 10 days at the latest. In exceptional cases, the deadline may be extended by another 10 days.

Can I charge a fee?

Providing information is free. Charging a fee is allowed only if the subject requests information repeatedly and a reasonable time hasn't passed since the last disclosure.

How do I mask third-party data?

Documents must be redacted: names, photos, or other identifiers of third parties are blacked out or blurred.

What happens if I don't respond?

This is a violation of the law. The subject can appeal to the Inspector, which will lead to the company being fined.

Data Subject Access Request (DSAR) Management for Companies

Under the Law on Personal Data Protection, any citizen has the right to request information about the data processed about them. For companies, this implies an obligation to respond to "Data Subject Access Requests" (DSAR) within a strictly defined 10-day period. An incorrect, delayed, or incomplete response leads to fines and reputational damage. Managing DSARs is a complex process, especially when data is scattered across different systems (emails, CRM, archives) or contains third-party information that must not be disclosed.

Our service helps organizations manage incoming DSARs efficiently and legally. The service includes:

  • Request Validation: Identifying the requestor and verifying that they are indeed authorized (to prevent data leaks).
  • Data Discovery and Collection: Consolidating information held across the organization and filtering it (redaction), that is, masking third-party personal data.
  • Response Preparation: Drafting a legally sound letter explaining processing purposes, legal grounds, and retention periods.
  • Refusal Justification: Finding legal grounds to refuse information disclosure (e.g., if the request is groundless or harms an investigation).
  • DSAR Procedure Implementation: Developing internal instructions for employees on how to handle requests upon receipt.

Practical example: A bank receives a request from a client asking for all audio recordings. The bank must check if the recordings contain personal information of bank employees or third parties, which must be masked. If the bank releases raw recordings, it might violate others' rights. Another scenario: A former employee requests all emails where their name is mentioned. This request can be overly broad and resource-intensive. A lawyer helps the company narrow down the request to reasonable limits.

Legal regulation is based on Articles 13 and 14 of the Law of Georgia on Personal Data Protection. The law states that information is provided free of charge, unless the request is repetitive. The company must be able to prove that it provided complete information.

Collaborating with a lawyer reduces administrative burden and risks. Our specialists act as a "filter," ensuring that only legally mandatory information is released and the company's trade secrets remain protected.

Legal.ge offers DSAR outsourcing services. Do not let a flood of requests disrupt your business. Manage the process professionally with our help.
