Data Subject Access Request (DSAR) Guide
Practical guide to handling data subject requests under POPIA
A practical guide to handling Data Subject Access Requests (DSARs) under the Protection of Personal Information Act (POPIA). This guide covers the rights of data subjects, the process for responding to requests, and the grounds for refusal.
1. What is a DSAR Under POPIA?
- A DSAR is a request by a data subject (or their authorised representative) to a responsible party to access their personal information held by that organisation
- Section 23 of POPIA grants data subjects the right to request confirmation of whether a responsible party holds their personal information, and to request access to that information
- Confirmation of whether information is held comes directly from POPIA; access to the record itself follows the PAIA request procedure, because Section 23(4) of POPIA applies Sections 18 and 53 of PAIA to such requests
- The responsible party must provide the information in a reasonable format and in a generally understandable form
2. Data Subject Rights
- Right to access: Data subjects may request access to their personal information held by a responsible party (Section 23)
- Right to correction: Data subjects may request correction or deletion of personal information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or obtained unlawfully (Section 24)
- Right to deletion: Data subjects may request destruction of personal information that the responsible party is no longer authorised to retain (Section 24)
- Right to object: Data subjects may object to the processing of their personal information on reasonable grounds relating to their particular situation (Section 11(3))
- Right to complain: Data subjects may submit a complaint to the Information Regulator if they believe their rights have been infringed (Section 74)
3. How to Process a DSAR
- Step 1: Receive and log the request - record the date received, the identity of the requester, and the nature of the request
- Step 2: Verify the identity of the requester - confirm that the person making the request is the data subject or their authorised representative before any personal information is released. Releasing records to an impersonator is itself a security compromise, so match the strength of verification to the sensitivity of the records, request only what is needed to verify (do not collect new personal information as a side effect), and ask an authorised representative for proof of their mandate. VerifyNow can assist with identity verification at this stage
- Step 3: Locate all relevant personal information held about the data subject across your systems and records, including records held by operators (third parties processing on your behalf), archives and backups
- Step 4: Assess whether any grounds for refusal apply (see Section 5 below)
- Step 5: Respond to the request within 30 days of receipt as prescribed by PAIA (Section 25(1) of PAIA). Section 26 of PAIA permits one extension of up to a further 30 days in limited circumstances (for example a large number of records or a required consultation with a third party), and the requester must be notified of the extension within the original 30 days
- Step 6: Provide the information in the format requested by the data subject, where reasonably possible
4. DSAR Response Template Structure
- Reference number and date of the original request
- Confirmation of the requester's identity verification
- Description of the personal information held (categories and sources)
- The purpose for which the information is being processed
- Third parties or categories of third parties to whom the information has been or may be disclosed
- If the request is refused: clear written reasons for refusal citing the applicable PAIA or POPIA provision, and notice of the data subject's right to lodge a complaint with the Information Regulator (Section 74 of POPIA)
5. Grounds for Refusal
- Sections 6 and 7 of POPIA exclude certain processing from the Act altogether (e.g., processing purely for personal or household purposes, or solely for journalistic, literary or artistic purposes), so no POPIA access right arises for such processing. Section 18 of POPIA, by contrast, deals with notifying the data subject when information is collected and is not a ground for refusal
- PAIA grounds for refusal may apply to records of private bodies, including protection of a third party's privacy, third-party commercial or confidential information, the safety of individuals, legal privilege, and the body's own commercial information (Sections 63-69 of PAIA), all subject to the public-interest override in Section 70
- "Manifestly unfounded or excessive" is GDPR wording and does not appear in POPIA or PAIA; the PAIA equivalent is refusal of frivolous or vexatious requests, or of requests that would substantially and unreasonably divert resources (Section 45 of PAIA, which applies to public bodies). Whoever refuses bears the burden of showing that the refusal complies with PAIA (Section 81(3) of PAIA)
- Confirmation of whether personal information is held must be provided free of charge (Section 23(1)(a) of POPIA); a prescribed fee may be charged only for access to the record itself (Section 23(3) of POPIA, read with the PAIA fee regulations), and it must not be used as a barrier to access
- Always provide written reasons for any refusal and inform the data subject of their right to lodge a complaint with the Information Regulator
6. Record Keeping for DSARs
- Maintain a log of all DSARs received, including the date, requester details, nature of request, and outcome
- Record the steps taken to verify the identity of each requester
- Keep copies of all correspondence and responses provided
- Document any refusals and the reasons given
- Track response timelines to ensure compliance with the 30-day deadline
- Retain DSAR records for a reasonable period in case of complaints or regulatory enquiries
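The processing steps in section 3 and the record-keeping requirements in section 6 amount to one workflow: log the request, record the verification step, block release until identity is verified, compute the 30-day PAIA deadline, and keep written reasons with a cited provision for any refusal. The register below is an added example written for this guide, not code from the FICA Toolkit or from VerifyNow. The register class, its method names, the reference-number format, the sample requesters, dates and the refusal citation are all constructed for illustration; the 30-day period is the one the guide cites (PAIA Section 25(1)), and the example does not model the Section 26 extension.

```python
"""Minimal DSAR register: logs requests, records identity verification,
enforces verify-before-release, computes the PAIA deadline and flags
overdue items. Added illustration for this guide; all data is constructed."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import Optional

RESPONSE_DAYS = 30  # PAIA section 25(1): decide within 30 days of receipt
COMPLAINT_NOTICE = ("You may lodge a complaint with the Information Regulator "
                    "under section 74 of POPIA.")


class Status(Enum):
    RECEIVED = "received"
    VERIFIED = "identity verified"
    RESPONDED = "responded"
    REFUSED = "refused"


@dataclass
class DSAR:
    ref: str
    received: date
    requester: str
    nature: str
    status: Status = Status.RECEIVED
    verification_log: list = field(default_factory=list)  # (date, method, outcome)
    correspondence: list = field(default_factory=list)    # (date, summary)
    closed: Optional[date] = None
    refusal_provision: Optional[str] = None

    @property
    def deadline(self) -> date:
        return self.received + timedelta(days=RESPONSE_DAYS)

    def is_overdue(self, today: date) -> bool:
        # Only open requests can be overdue; closed ones keep their dates for audit.
        return self.closed is None and today > self.deadline


class DSARRegister:
    def __init__(self) -> None:
        self._items: dict[str, DSAR] = {}
        self._seq = 0

    def log(self, received: date, requester: str, nature: str) -> DSAR:
        """Step 1: log date received, requester and nature; assign a reference."""
        self._seq += 1
        ref = f"DSAR-{received.year}-{self._seq:04d}"   # hypothetical format
        item = DSAR(ref, received, requester, nature)
        self._items[ref] = item
        return item

    def record_verification(self, ref: str, on: date, method: str, passed: bool) -> DSAR:
        """Step 2: keep the verification step itself on record, pass or fail."""
        item = self._items[ref]
        item.verification_log.append((on, method, "pass" if passed else "fail"))
        if passed:
            item.status = Status.VERIFIED
        return item

    def respond(self, ref: str, sent_on: date, summary: str) -> DSAR:
        """Steps 5-6: release records only once identity has been verified."""
        item = self._items[ref]
        if item.status is not Status.VERIFIED:
            raise PermissionError(f"{ref}: identity not verified; nothing may be released")
        item.correspondence.append((sent_on, summary))
        item.status, item.closed = Status.RESPONDED, sent_on
        return item

    def refuse(self, ref: str, sent_on: date, reason: str, provision: str) -> DSAR:
        """Step 4 outcome: written reasons must cite a provision and the right to complain."""
        item = self._items[ref]
        if not provision:
            raise ValueError("refusal must cite the PAIA or POPIA provision relied on")
        item.refusal_provision = provision
        item.correspondence.append((sent_on, f"Refused: {reason} ({provision}). {COMPLAINT_NOTICE}"))
        item.status, item.closed = Status.REFUSED, sent_on
        return item

    def overdue(self, today: date) -> list:
        """Open requests past their PAIA deadline, for the timeline check in section 6."""
        return sorted(r for r, i in self._items.items() if i.is_overdue(today))

    def get(self, ref: str) -> DSAR:
        return self._items[ref]


def run_demo() -> dict:
    """Walk two constructed requests through the register."""
    reg = DSARRegister()
    first = reg.log(date(2024, 3, 1), "T. Ndlovu (constructed)", "access to all personal information")
    try:
        reg.respond(first.ref, date(2024, 3, 5), "records sent")   # must fail: not verified
        released_early = True
    except PermissionError:
        released_early = False
    reg.record_verification(first.ref, date(2024, 3, 4), "ID document check", passed=True)
    overdue_day_31 = reg.overdue(date(2024, 4, 1))                 # deadline was 2024-03-31
    reg.respond(first.ref, date(2024, 4, 2), "Records provided: KYC file, transaction history")
    second = reg.log(date(2024, 3, 10), "A. Smith (constructed)", "access to CCTV footage")
    reg.refuse(second.ref, date(2024, 3, 20), "footage identifies other customers", "PAIA s63(1)")
    return {
        "ref": first.ref,
        "deadline": first.deadline.isoformat(),
        "released_before_verification": released_early,
        "overdue_on_2024_04_01": overdue_day_31,
        "overdue_after_closure": reg.overdue(date(2024, 4, 3)),
        "refusal_notice": reg.get(second.ref).correspondence[-1][1],
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The two checks worth copying into a real system are the ones that fail loudly: respond() refuses to release anything while the request is still unverified, and refuse() will not record a refusal without a cited provision, so the written-reasons requirement in section 5 cannot be skipped by accident. The overdue() query is the timeline control from section 6; run it daily against the current date.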