DSAR Process for Law 25: Step-by-Step Workflow

Last updated: February 2026

A clear, documented DSAR process is essential for Law 25 compliance. This guide provides a step-by-step workflow you can implement in your organization, from initial request receipt to final response.

Law 25 DSAR Timeline at a Glance

Day 0: Request received — clock starts
Day 1-3: Acknowledge receipt, begin identity verification
Day 3-7: Complete verification, assign to team
Day 7-20: Search, collect, review data
Day 20-25: Prepare response, legal review
Day 25-30: Final approval, deliver response
Day 30+10: Extension deadline (if applicable)

Phase 1: Request Intake (Days 0-3)

Objective: Capture and acknowledge the request, begin verification

1.1 Receive the Request
Requests can arrive through multiple channels:
• Dedicated privacy email (recommended: privacy@company.com)
• Web form on your privacy page
• General customer service channels
• Mail or in-person

1.2 Log Immediately
Create a case record with:
• Unique case ID
• Date and time received
• Channel received through
• Requester name and contact information
• Type of request (access, deletion, correction, portability)

1.3 Acknowledge Receipt
Send acknowledgment within 1-2 business days including:
• Case reference number
• Confirmation of what was requested
• Expected timeline (up to 30 days)
• Next steps (identity verification if needed)

1.4 Initial Assessment
Determine:
• Is this a valid DSAR under Law 25?
• What type of request is it?
• Who needs to be involved in fulfilling it?
• Are there any immediate red flags?

Phase 2: Identity Verification (Days 3-7)

Objective: Confirm requester identity before processing

2.1 Choose Verification Method
Based on risk and data sensitivity:
• Low risk: Knowledge-based questions
• Medium risk: Email/phone verification to registered contact
• High risk: Government ID with data minimization

2.2 Request Verification
Send clear instructions:
• What you need from them
• Why you need it
• How to provide it securely
• Deadline to respond

2.3 Process Verification
• Review submitted information
• Document verification steps taken
• If verification fails, explain why and offer alternatives
• If unable to verify, provide written explanation

2.4 Edge Cases
• Requester cannot verify: Explain in writing why request cannot proceed
• Third-party requests: Require proper authorization documentation
• Minors: Follow Law 25 requirements for parental consent

Important: The 30-day clock continues during verification. Don't wait to start other preparation.

Phase 3: Data Search and Collection (Days 7-20)

Objective: Find all personal information about the requester

3.1 Identify Data Sources
Search all systems where personal data may exist:
• Customer databases and CRM
• Email systems (sent/received)
• HR systems (if employee)
• Marketing platforms
• Support ticket systems
• Finance/billing systems
• Physical files
• Backup systems
• Third-party processors

3.2 Conduct Searches
• Search by all known identifiers (name, email, ID numbers)
• Check for aliases or name variations
• Include attachments and metadata
• Document what was searched and when

3.3 Contact Third Parties
If data has been shared with processors:
• Request relevant data from each
• Set clear deadlines for their response
• Document communications

3.4 Compile Results
• Gather all data into a single working file
• Note the source of each piece of data
• Flag any potential exemptions or concerns

Tip: Maintain a data map to make future requests faster and more complete.

Phase 4: Review and Redaction (Days 15-22)

Objective: Prepare data for disclosure, apply lawful exemptions

4.1 Review for Exemptions
Law 25 allows withholding information in certain cases:
• Information about other individuals
• Legally privileged communications
• Confidential commercial information
• Law enforcement investigations
• Information that could cause serious harm

4.2 Apply Redactions
For each redaction:
• Document what was redacted
• Note the legal basis
• Record who made the decision
• Keep unredacted copy secure

4.3 Format for Disclosure
• Organize data logically
• Use plain language explanations
• Include data dictionary if technical terms used
• For portability: provide machine-readable format

4.4 Quality Check
Before proceeding:
• Is the response complete?
• Are all redactions justified?
• Is the format accessible?
• Would a reasonable person understand it?

Phase 5: Response Preparation (Days 20-25)

Objective: Create final response package

5.1 Draft Cover Letter
Include:
• Reference to original request
• Summary of what's included
• Explanation of any data not provided (with legal basis)
• Information about their rights if dissatisfied
• Contact for questions

5.2 Compile Response Package
• Cover letter
• Personal data compilation
• Data dictionary/glossary if needed
• Information about sources and uses
• Third-party disclosure list

5.3 For Deletion Requests
Include:
• Confirmation of what was deleted
• List of systems from which data was removed
• Notification that third parties were informed
• Any data retained (with explanation why)

5.4 For Portability Requests
Provide:
• Data in structured, machine-readable format (CSV, JSON, XML)
• Documentation explaining the format
• Secure transfer method

5.5 Internal Review
• Legal review for completeness
• Privacy officer sign-off
• Final quality check

Phase 6: Delivery and Close (Days 25-30)

Objective: Securely deliver response, document completion

6.1 Choose Delivery Method
Secure options:
• Encrypted email with password sent separately
• Secure download portal with expiring link
• Registered mail for physical documents
• In-person pickup for highly sensitive data

6.2 Deliver Response
• Send on or before Day 30
• Request delivery/read confirmation
• Retain proof of delivery

6.3 Handle Extensions (If Needed)
If you need more time:
• Must notify requester before Day 30
• Explain why extension is needed
• Can extend maximum 10 additional days
• Document justification

6.4 Close the Case
• Record completion date
• Note delivery method and confirmation
• Archive all documentation
• Update any process improvements identified

6.5 Retention
Keep all DSAR records for a minimum of 2-3 years:
• Original request
• All communications
• Search documentation
• Redaction decisions
• Final response
• Delivery confirmation

Special Cases: Deletion and Portability

Deletion Requests
Law 25 provides a right to deletion when:
• Information is no longer necessary for original purpose
• Consent has been withdrawn
• Collection was unlawful

Your process should:
1. Verify deletion right applies
2. Identify all locations where data exists
3. Execute deletion across all systems
4. Notify third parties who received the data
5. Confirm deletion to the requester
6. Document what was deleted

Exceptions to Deletion:
• Legal obligation to retain
• Ongoing contractual requirement
• Public interest purposes
• Defense of legal claims

Portability Requests
Law 25 requires data in transferable format. Your process should:
1. Extract all data provided by the requester
2. Format in structured, commonly used format
3. Provide technical documentation
4. Offer direct transmission to another controller if feasible
5. Ensure secure delivery

Documentation Requirements

What to Document (Every Request)
• Request details and receipt date
• Verification steps and outcome
• Systems searched
• Data found (or confirmation of no data)
• Redactions applied with justification
• Response content
• Delivery method and confirmation
• Timeline and any extensions

Why Documentation Matters
• Demonstrates compliance if audited by CAI
• Protects against complaints
• Enables process improvement
• Required for defense of decisions

Retention Period
Keep complete DSAR files for at least 2-3 years, including:
• All correspondence
• Internal notes and decisions
• Evidence of searches performed
• Final response package
• Delivery confirmation

Building Your DSAR Team

Roles and Responsibilities

Privacy Officer / Person in Charge
• Overall accountability
• Final approval of responses
• Escalation point for complex cases
• Liaison with regulators

Case Manager
• Day-to-day case handling
• Coordination across departments
• Timeline management
• Communication with requester

Data Owners
• Search and collect from their systems
• Provide context for data found
• Support redaction decisions

Legal
• Review exemption decisions
• Advise on complex requests
• Approve final responses

IT
• Technical search support
• Secure delivery setup
• Format conversion for portability

Assign Clear Ownership
Each request should have one assigned case manager responsible for driving it to completion within the deadline.

Automate Your Law 25 DSAR Process

DSAR Suite provides the complete workflow infrastructure for Law 25 compliance — intake forms, case tracking, deadline management, audit trails, and secure delivery.