DSAR Fulfillment Procedure (PRV-PROC-001)
1. Purpose
The purpose of this procedure is to describe the systematic process for fulfilling Data Subject Access Requests (DSARs) from users exercising their privacy rights under GDPR, CCPA, PIPEDA, and other applicable privacy regulations, ensuring timely, accurate, and compliant responses to user data requests.
2. Scope
This procedure applies to all data subject rights requests from video streaming platform users, including requests for access, correction, erasure, restriction, portability, objection, opt-out of sale or sharing, and limitation of the use of sensitive personal information. It covers requests received through all channels including user interfaces, email, postal mail, and third-party representatives, and includes specific handling requirements for PIPEDA access requests from Canadian users and CPRA sensitive personal information limitation requests.
3. Overview
This procedure ensures systematic handling of user privacy rights requests through automated systems and human review, providing users with comprehensive responses within regulatory timeframes while protecting platform security and other users’ privacy rights.
4. Procedure
Step | Who | What |
---|---|---|
1 | User | Submit data subject rights request through platform privacy center, email, or postal mail with required identification and request details. |
2 | Privacy Portal | Automatically acknowledge request receipt within 24 hours, assign unique case number, and provide estimated response timeline based on request type. |
3 | [Privacy Department/Team Name] | Verify user identity using multi-factor authentication, government ID verification, or other approved methods to prevent unauthorized access. |
4 | Privacy Analyst | Categorize request type (access, deletion, correction, portability, opt-out of sale/sharing, limit sensitive PI use, etc.) and assess scope including systems, data types, and time periods involved. For sensitive personal information limitation requests, identify all current uses and secondary processing activities. |
5 | Technical Team | Execute automated data retrieval across all platform systems including user accounts, content, viewing history, and interaction data. |
6 | Privacy Analyst | Review retrieved data for completeness, accuracy, and third-party data requiring special handling or redaction for privacy protection. For PIPEDA requests, include explanation of how information has been used and list of third parties to whom information has been disclosed. |
7 | Legal Review | Assess legal basis for any data retention, evaluate potential conflicts with other legal obligations, and approve response strategy. |
8 | [Privacy Department/Team Name] | Prepare user response including data package, explanations of processing activities, and clear information about rights and options. For PIPEDA requests, include usage explanations and third-party disclosure information. Apply reasonable fees for extensive PIPEDA requests if applicable. |
9 | Quality Assurance | Verify response completeness, accuracy, and compliance with regulatory requirements before delivery to user. |
10 | User Communication | Deliver response to user within regulatory timeframes (30 days GDPR/PIPEDA, 45 days CCPA) through secure delivery method with receipt confirmation. Provide alternative formats for users with disabilities as required by PIPEDA. |
11 | Technical Implementation | Execute approved actions including data deletion, access restrictions, data corrections, opt-out processing, or limitation of sensitive personal information use based on user request and legal review. For sensitive PI limitation requests, update data processing systems to restrict use to necessary services only. |
12 | Documentation | Complete case documentation including request details, actions taken, legal basis, and user communication for audit and compliance purposes. |
13 | Compliance Challenge Handling | Process any user challenges to PIPEDA compliance through dedicated complaint mechanism, investigate concerns, and provide resolution within reasonable timeframes with escalation to Privacy Commissioner if unresolved. |
5. Standards Compliance
Procedure Step(s) | Standard/Framework | Control Reference |
---|---|---|
1-2 | GDPR | Art. 12 |
1-2 | PIPEDA | Principle 9 |
1-2 | PCI DSS v4.0 | Req. 7.1.1 |
3 | GDPR | Art. 12.6 |
3 | PIPEDA | Principle 9 |
3 | PCI DSS v4.0 | Req. 8.1.1 |
6, 8 | PIPEDA | Principle 9 |
6, 8 | PCI DSS v4.0 | Req. 3.3.1 |
8-10 | GDPR | Art. 15-22 |
8-10 | PCI DSS v4.0 | Req. 7.1.2 |
10 | CCPA | § 1798.130 |
10 | PIPEDA | Principle 9 |
11 | GDPR | Art. 17, 19 |
11 | PCI DSS v4.0 | Req. 3.2.1 |
13 | PIPEDA | Principle 10 |
6. Artifact(s)
A comprehensive DSAR case record containing user request details, identity verification, data retrieval logs, legal assessment, user response package, implementation confirmation, and compliance documentation stored in the privacy management system with appropriate access controls and retention schedules. For PIPEDA requests, includes usage explanations, third-party disclosure information, fee calculations (if applicable), alternative format provisions, and compliance challenge documentation.
7. Definitions
Data Subject Access Request (DSAR): Formal request from an individual to exercise their privacy rights regarding personal data processing.
Identity Verification: Process to confirm the identity of the requesting individual to prevent unauthorized data disclosure.
Data Portability: Right to receive personal data in a structured, commonly used, and machine-readable format.
Third-Party Data: Personal data of other individuals that may be included in the requesting user’s data and that requires special privacy protection.
Regulatory Timeframes: Legal deadlines for responding to data subject rights requests (30 days GDPR/PIPEDA, 45 days CCPA with possible extensions).
Secure Delivery Method: Encrypted transmission or secure portal access ensuring confidential delivery of personal data to verified users.
PIPEDA Access Request: Request under PIPEDA Principle 9 for access to personal information, including how it has been used and to whom it has been disclosed.
Usage Explanation (PIPEDA): Description of how personal information has been and is being used as required under PIPEDA access requests.
Third-Party Disclosure List (PIPEDA): Information about organizations to whom personal information has been disclosed as required for PIPEDA access requests.
Reasonable Fee (PIPEDA): Fee that may be charged for extensive access requests under PIPEDA, calculated based on actual costs of providing access.
8. Responsibilities
Role | Responsibility |
---|---|
[Privacy Department/Team Name] | Manage DSAR workflow, verify user identity, coordinate cross-functional response, ensure regulatory compliance including PIPEDA requirements, and ensure timely delivery with usage explanations and third-party disclosure information. |
Technical Team | Execute automated data retrieval, implement user-requested changes, maintain systems supporting privacy rights fulfillment, and provide technical documentation for PIPEDA usage explanations. |
[Legal Department/Team Name] | Assess legal basis for data retention, evaluate conflicting obligations, provide guidance on complex privacy rights requests, and oversee PIPEDA compliance challenge resolution process. |
Quality Assurance | Verify response accuracy and completeness, ensure regulatory compliance including PIPEDA requirements, verify alternative format provisions, and identify process improvement opportunities. |
User Support | Provide user assistance with DSAR submission, clarify request scope, handle follow-up questions about privacy rights, and manage initial intake of PIPEDA compliance challenges. |
Data Protection Officer | Oversee DSAR process compliance including PIPEDA accountability, serve as regulatory contact, ensure privacy rights procedures meet legal requirements, and authorize reasonable fees for extensive PIPEDA requests. |