Data Subject Access Request (DSAR) Management for Companies
Under the Law on Personal Data Protection, any citizen has the right to request information about data processed about them. For companies, this implies an obligation to respond to "Data Subject Access Requests" (DSAR) within a strictly defined 10-day period. An incorrect, delayed, or incomplete response leads to fines and reputational damage. Managing DSARs is a complex process, especially when data is scattered across different systems (emails, CRM, archives) or contains third-party information that must not be disclosed.
Our service helps organizations manage incoming DSARs efficiently and legally. The service includes:
- Request Validation: Identification—verifying if the requestor is indeed authorized (to prevent data leaks).
- Data Discovery and Collection: Consolidating information within the organization and filtering (Redaction)—masking third-party personal data.
- Response Preparation: Drafting a legally sound letter explaining processing purposes, legal grounds, and retention periods.
- Refusal Justification: Finding legal grounds to refuse information disclosure (e.g., if the request is groundless or harms an investigation).
- DSAR Procedure Implementation: Developing internal instructions for employees on how to handle requests upon receipt.
Practical example: A bank receives a request from a client asking for all audio recordings. The bank must check if the recordings contain personal information of bank employees or third parties, which must be masked. If the bank releases raw recordings, it might violate others' rights. Another scenario: A former employee requests all emails where their name is mentioned. This request can be overly broad and resource-intensive. A lawyer helps the company narrow down the request to reasonable limits.
Legal regulation is based on Articles 13 and 14 of the Law of Georgia on Personal Data Protection. The law states that information is provided free of charge, unless the request is repetitive. The company must be able to prove that it provided complete information.
Collaborating with a lawyer reduces administrative burden and risks. Our specialists act as a "filter," ensuring that only legally mandatory information is released and the company's trade secrets remain protected.
Legal.ge offers DSAR outsourcing services. Do not let a flood of requests disrupt your business. Manage the process professionally with our help.
Updated: ...
