Blog

DSAR Under GDPR and CCPA – Understanding the Key Differences

Richard Marley
June 25, 2021
6 minutes read
309

Data protection is one of the key concerns of organisations these days. For the same reason, data protection laws have increased in different parts of the world. A study reveals that only 10% of the global population had data protected until last year. The study further states that approximately 65% of the population’s data will be secured by the end of the year 2023. The Cisco Consumer Privacy Survey shows that 84% of people are concerned about data privacy in the digital world and want more control over how their data is being used. Given the rising concerns of end-users, law-making bodies have enforced certain data protection regulations that provide consumers with the right to disclose their data. Arguably the European General Data Protection Regulation (GDPR) gives Data Subject Access Request (DSAR) to the residents. Similarly, there are many other regulations for data privacy like the California Consumer Privacy Act (CCPA), PIPEDA in Canada and LGPD in Brazil. Let’s take a look at the key differences of DSAR under GDPR and CCPA.

What are the Seven Principles of GDPR?

The General Data Protection Regulation (GDPR) is responsible for the data protection and privacy of individuals belonging to the European Union (EU). It sets out the following seven key principles:

Fairness, lawfulness and transparency
Data minimisation
Storage information
Accuracy
Purpose limitation
Security
Accountability

What is DSAR?

DSARs are not new since companies and government authorities have been using them for many years now. However, data protection and privacy regulations imposed several changes that make it convenient for consumers to request data access. A DSAR is a request from a data subject to your firm. As per regulatory requirements, you are obligated to provide all the information as soon as possible.

Article 15 of GDPR states,

“A data subject should have the right of access to personal data which have been collected concerning him or her and to exercise that right easily and at reasonable intervals, to be aware of and verify the lawfulness of the processing.”

According to Title 1.81.5 of CCPA,

(a) A consumer shall have the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information. This right may be referred to as the right to opt-out.

(b) A business that sells consumers’ personal information to third parties shall provide notice to consumers, pursuant to subdivision (a) of Section 1798.135, that this information may be sold and that consumers have the “right to opt-out” of the sale of their personal information.

(c) A business that has received direction from a consumer not to sell the consumer’s personal information or, in the case of a minor consumer’s personal information has not received consent to sell the minor consumer’s personal information shall be prohibited.

DSAR Under GDPR and CCPA

Under GDPR and CCPA, the DSAR has the following differences and similarities:

DSAR – The Key Considerations

With DSAR, there are some common expectations. A few of them are:

A company will respond to the request or take action
The response will include all the information
Action will occur in a defined period

For companies, one of the fundamental requirements is to maintain a record that a response was provided on the request. Companies must track the date of the receipt and the date of response.

Businesses have a certain time limit to respond to DSARs. As per GDPR, firms must get back to the request within 30 days. On the other hand, the CCPA has imposed a 45-day restriction for the responses. Other timelines include:

10 business days for confirming the receipt of the request
15 business days for responding to opt-out requests
90 business days for informing vendors to not sell consumer information
Two years for maintaining the log of the requests

DSAR – The Key Exceptions

There are some exceptions to DSAR for organisations under certain circumstances. A common exception under GDPR is the disproportionate effort. Companies cannot use DSAR exceptions for not responding to the requests.

California Consumer Privacy Act (CCPA) allows organisations to delete requests. For instance, if a consumer requests a deletion before the warranty period ends, the company is allowed to do that.

In simpler words, there are many exceptions of DSAR and they vary according to the jurisdictions, laws of the state and many other factors.

DSAR Checklist for Organisations

Here’s how businesses can opt for responding to DSARs:

A system that can efficiently receive and process all the requests
Verification of identities of data subjects upon receiving requests
Data collection and review of the processed requests
Remediation plans
Plans for delivering the requested information

Can businesses refuse to respond to DSAR? Yes, under certain circumstances, companies can turn down a request. Here are some of these reasons:

Searchable and accessible format of personal information is not maintained
Compliance is the purpose for processing personal information
Information is not used for commercial reasons
The data is used for national security or law enforcement
The data subject has made multiple requests for disrupting the system

Key Takeaways

Data protection and privacy are the major concerns of law enforcing bodies and organisations. Different regions of the world have imposed various regulations like GDPR in the EU, CCPA in California, LGPD in Brazil, etc. The Data Subject Access Request (DSAR) provides consumers with the right to access their data. Under CCPA and GDPR, the DSAR provides visibility and control to the data subjects. Although there are certain exceptions of DSAR under certain situations, data subjects still have the liberty to request access, deletion or closure of their personal information.

Got questions about data protection and privacy? Our experts are always there to assist you.

Talk to Experts

Disclaimer: No warranty is herein provided that the information contained in this document is accurate, up-to-date, and/or complete. In no circumstance(s), does such information constitute legal or any other advice. Any person who intends to use, rely, pass-on, or re-publish the information contained herein in any way is solely responsible for the same. We suggest to verify the information and/or obtain expert advice independently if required.

Latest News

News
Danish Gambling Operator Reports Tipwin to the Police for AML Failings
What is DSAR?
DSAR Under GDPR and CCPA
DSAR Checklist for Organisations
Key Takeaways
Then danish gambling operator Spillemyndigheden has reported Tipwin to the police for violating the Danish Money Laundering act

According to the sources, Spillemyndigheden, the government office based in Odense, Denmark, has reported to the police that the business has failed to create risk assessments of retail bets with a lack of written policies on its retail offerings.

It is also worth mentioning that the operator also lacks complete business procedures and controls for the offerings based on land or in regards to money laundering until 25 May 2022.

In the official statement of the regulator to the police, it stated all the shortcomings of Tipwin in compliance with the anti-money laundering standards. It stated: “Spillemyndigheden notes that the rules on risk assessment, policies and business procedures are absolutely fundamental in the Money Laundering Act. By failing to prepare a risk assessment, Tipwin has not had a useful tool that has provided an overview and understanding of where and to what extent Tipwin is exposed to money laundering or terrorist financing, and what measures are in place are necessary to mitigate the risks involved.”

This clearly states that the german based gambling operator, Tipwin is exposed to the illicit crimes of money laundering and terrorist financing and has failed to comply with the AML regulations. The Danish regulator also focused on the lack of preparation from the operator on assessments of risks which are fundamental components of the anti-money laundering act.

Spillemyndigheden also added: “Preparing a risk assessment of the company’s business model is a very fundamental means of limiting the risk of money laundering. Tipwin has thus also not had policies and operational procedures that stem from the risk assessment. By failing to prepare a risk assessment, the Gambling Authority has therefore handed over the case to the police investigation.”

The authority also launched an injunction on the breach of rules and procedures in regard to the online casino and betting operations. With the main emphasis on money laundering, the regulator released a statement last month which reminded businesses in the industry of the obligations. It mentioned the regulations most firms are complied with, which are in order to prohibit the financial interactions with individuals, groups, legal bodies or countries.

In addition, Spillemyndigheden issued a 3 months deadline to Tipwin to sort out the situation.

Suggested Read: Danish Gaming Regulator Sanctions Unibet Over AML Violations

DSAR Under GDPR and CCPA – Understanding the Key Differences

What are the Seven Principles of GDPR?

What is DSAR?

DSAR Under GDPR and CCPA

DSAR – The Key Considerations

DSAR – The Key Exceptions

DSAR Checklist for Organisations

Key Takeaways

Crown and Star Casinos – A Stain on Australia’s Reputation

Australia’s Anti-Money Laundering Regime

How Casinos and Businesses Can Secure their Operations

What Shufti Pro Offers

Let’s prove your

customer’s identity

with Shuftipro.

Let’s prove your customer’s

identity with Shuftipro.