Skip links

Data Subject Access Requests (DSARs):- Case Reviews and Eight Essential Steps

Ms. Damaris Wambua

Data Protection Associate

South-End Tech Limited

Date: 18th June, 2024

Whenever we require any services from an individual or company, more often than not we are required to provide personal data through identification or payment (Mpesa, credit/ debit cards). This data can also be transferred to other service providers. In today’s age, data is mostly collected and stored in a digital format, unlike the olden days where data was collected and stored in physical/paper format. Customers have a right to access and view data being held about them and exercise their rights with the data. This right is not absolute if it infringes on another person’s right. In a recent case mentioned below, the data subject wanted to access the information being held by their service provider and find out the identities of the people his data was supplied to.  Here is a brief summary.

On 7th June 2024, the High Court (King’s Bench Division) UK made a decision on subject access request (SAR) on an interesting case of Harrison v Cameron and ACL [2024] EWHC 1377 (KB). This was a case brought under Article 15 of the UK GDPR for an order that the defendants comply with the claimant’s subject access requests. The claimant (Mr. Harrison) was a property investor who had engaged the services of the defendant (Mr. Cameron), a land scape gardener and the owner of ACL Company, to redesign and landscape the gardens at his home but terminated his contract with the company towards the end of the project.

Mr. Harrison sued Mr. Cameron and his company Alasdair Cameron Limited (ACL). The two had spoken severally before but then Mr. Cameron decided to record two of their conversations, where Mr. Harrison threatened him and shared the recordings with 15 other people including family, friends and employees. Copies of the recordings found their way to other professional peers and competitors in the property investment industry, making Mr. Harrison lose business and incur financial losses. Mr. Harrison did not seek any compensation/ damages but sought the identities of the third parties. Mr. Cameron refused to disclose the identities of the third parties and relied on the ‘personal data of others’ exemption.

The issues the high court had to decide on were:

Whether Mr. Cameron and his company were liable to respond to Mr. Harrison’s subject access request (SARs) to disclose the names of the people the recordings/ transcripts were circulated to and if the court would order him to do so.

Whether Mr. Cameron and ACL were data controllers or if him circulating the recording to third parties is covered within the UK GDPR/DPA 2018 because the processing was purely for personal reasons.

Court’s decision:

The court ruled in favor of Mr. Cameron and his company, stating that Mr. Cameron, as a director, was not a data controller in his personal capacity, and the company had acted within its rights by withholding the names of third parties due to concerns about potential intimidation and the case was dismissed.

What rights does a data subject hold? Section 26 of the Kenyan Data Protection Act provides: Right to – be informed of the use to which their personal data being put, access their personal data, object to processing of their personal data, correction/ deletion of false data about the data subject.

In the Kenyan context, we have a case touching on data subject’s access to personal data. Harrison Kisaka vs Microfinance Bank Ltd where Mr. Kisaka had applied for a job which he was the best applicant from the interviews conducted and upon a background check, his offer for employment was withdrawn. On asking for access to his personal data it was denied to him claiming it’s private information. He lodged a claim with the ODPC and Faulu were found in violation of his right to access his data.

A data subject access request (DSAR) or a (SAR) is a request made by the data subject or their legal representative that gives them the right to access information about their personal data an organization/ company is processing about them.

The data subject has a right to access the information that is being held by a data controller/data processor and they should answer if/ how they are processing their information. The controller/processor should then answer to the data subject;

  1. why they are processing,
  2. categories of personal data,
  3. who will receive the personal data and if it’s being transferred outside the country,
  4. how they are going to use, store and the duration of storing their personal data to ensure lawful processing.
  5. If the information is not collected from the data subject, information of who gave them the information.

As companies strive to ensure data security and proper management of data subjects, they must be ready to respond to customers when they ask about the data that the company has collected about them or when they make a request about their personal data, they need to be able to correct any inaccurate information or delete their personal data when requested.

In Kenya, the right to access personal data is governed by the Data Protection Act, 2019 (DPA), which aligns with global data protection standards, including the GDPR. This request may be made in writing, however, if a formal DSAR is made verbally to a staff of the company, further guidance should be sought from the DPO or the individual designated as the DPO. Organizations should verify the identity of the individual making the request to ensure that personal data is not disclosed to unauthorized individuals.

Regulation 9 of the Data protection (general) regulations provides that data controllers and processors upon receiving a request from a data subject, they are obligated to give access to them within seven (7) days of receiving the request on the information they hold. The controller/ processor should put in place mechanisms that allow data subjects to access and examine their data. If the request was made through an electronic form, then the controller/ processor shall give a copy by electronic means and it shall be free of charge. It is important to note that DSARs are not limited to electronic data (audio recordings included) but also encompasses physical records, such as paper documents, that organizations may have in their possession.

If a data subject is dissatisfied with the response to their request, they can lodge a complaint with the Office of the Data Commissioner (ODPC) who oversees compliance with the Data Protection Act. Exemptions to this right may apply, and organizations may refuse to act on the request if it is excessive or repetitive.

Organizations can also withhold information that would adversely affect the rights and freedoms of others. It is advisable for all data controller/ processor to keep a record of the access request, how it was handled, and the response provided which can be used to justify their actions to the regulatory authority when need arises.

In conclusion, the best practice for having satisfied data subjects is; by having clear and transparent communication with the data subject throughout the  data life cycle process, conducting regular audits to ensure compliance with the data protection laws, by implementing clear policies and procedures for handling data subject requests and lastly facilitating trainings for all staff members to ensure they can recognize and escalated the request to the Data protection officer or relevant department entrusted to deal with any access requests made.

Eight Essential Steps in Handing Data Subject Access Requests (DSARs)

The following are the essential steps in handling Data Subject Access Requests (DSARs)

  1. Acknowledge Receipt: – Confirm you received the request promptly.
  2. Verify Identity: – Ensure the requester’s identity to protect data security.
  3. Clarify Request: – If necessary, seek clarification to understand the scope of the request.
  4. Gather Data: Collect all relevant personal data from your systems.
  5. Review Data: Check for any exemptions or third-party data that can’t be disclosed.
  6. Prepare Response: Compile the data in a clear and accessible format.
  7. Send Response: Deliver the information securely within the legal timeframe (usually 30 days).
  8. Document Process: Keep records of how you handled the request for compliance purposes.

Remember, transparency and efficiency are key to managing DSARs effectively!

Please do not hesitate to contact us for your Cybersecurity and Data Protection Solutions and Service needs on the telephone at +254115867309 +254721864169; +254740196519; +254115867309 or email. or

This website uses cookies to improve your web experience. Privacy Policy