Research Article

Year 2025, Volume: 17 Issue: 1, 282 - 295, 30.06.2025
https://doi.org/10.47000/tjmcs.1643533


Model on Ensuring Data Subject Access Request (DSAR) Security in the Context of GDPR

Abstract

Privacy has been a fundamental concern for humanity since the beginning and remains one of the most critical human rights today. Modern laws, such as GDPR Article 15, allow individuals to obtain access to the personal information held concerning them. This includes the right to inquire whether their data is processed and to access that data if desired. While these laws outline what must be done to protect personal data, they often lack clear guidelines on how to implement these protections in practice. Additionally, there are potential security risks associated with Data Subject Access Requests (DSARs), particularly if a data controller or processor acts maliciously. The aim of this study is to develop a model that will eliminate vulnerabilities and provide secure and reliable data access, especially in cases where the data processor and data controller may be malicious.

Ethical Statement

The author(s) of this article declare that the materials and methods used in this study do not require ethical committee permission and/or legal-special permission.

Thanks

Prof. Dr. Mustafa ALKAN, Prof. Dr. Türksel BENSGHIR KAYA, Prof. Dr. Hakan TEKEDERE

References

There are 52 citations in total.

Details

Primary Language: English
Subjects: System and Network Security, Cybersecurity and Privacy (Other)
Journal Section: Research Article
Authors

Feridun Toy 0009-0001-4841-7601

Mustafa Alkan

Submission Date: February 20, 2025
Acceptance Date: June 10, 2025
Publication Date: June 30, 2025
Published in Issue: Year 2025, Volume: 17, Issue: 1

Cite

APA Toy, F., & Alkan, M. (2025). Model on Ensuring Data Subject Access Request (DSAR) Security in the Context of GDPR. Turkish Journal of Mathematics and Computer Science, 17(1), 282-295. https://doi.org/10.47000/tjmcs.1643533
AMA Toy F, Alkan M. Model on Ensuring Data Subject Access Request (DSAR) Security in the Context of GDPR. TJMCS. June 2025;17(1):282-295. doi:10.47000/tjmcs.1643533
Chicago Toy, Feridun, and Mustafa Alkan. “Model on Ensuring Data Subject Access Request (DSAR) Security in the Context of GDPR”. Turkish Journal of Mathematics and Computer Science 17, no. 1 (June 2025): 282-95. https://doi.org/10.47000/tjmcs.1643533.
EndNote Toy F, Alkan M (June 1, 2025) Model on Ensuring Data Subject Access Request (DSAR) Security in the Context of GDPR. Turkish Journal of Mathematics and Computer Science 17 1 282–295.
IEEE F. Toy and M. Alkan, “Model on Ensuring Data Subject Access Request (DSAR) Security in the Context of GDPR”, TJMCS, vol. 17, no. 1, pp. 282–295, 2025, doi: 10.47000/tjmcs.1643533.
ISNAD Toy, Feridun - Alkan, Mustafa. “Model on Ensuring Data Subject Access Request (DSAR) Security in the Context of GDPR”. Turkish Journal of Mathematics and Computer Science 17/1 (June 2025), 282-295. https://doi.org/10.47000/tjmcs.1643533.
JAMA Toy F, Alkan M. Model on Ensuring Data Subject Access Request (DSAR) Security in the Context of GDPR. TJMCS. 2025;17:282–295.
MLA Toy, Feridun and Mustafa Alkan. “Model on Ensuring Data Subject Access Request (DSAR) Security in the Context of GDPR”. Turkish Journal of Mathematics and Computer Science, vol. 17, no. 1, 2025, pp. 282-95, doi:10.47000/tjmcs.1643533.
Vancouver Toy F, Alkan M. Model on Ensuring Data Subject Access Request (DSAR) Security in the Context of GDPR. TJMCS. 2025;17(1):282-95.