DSARs: How to understand your obligations beyond data

Photo: Adam Berry/Getty Images

UK and EU courts are increasingly saying that it’s not enough to point to a privacy notice to satisfy the extra GDPR requirements.

What matters

Controllers should understand when they have to disclose individual recipients of data, extra requirements for complex technical data, and explanations of automated decision-making, to know when they can rely on a privacy notice alone.

What matters next

Organizations can get ahead by updating privacy notices and processing records,

Free Trial

Register for free to keep reading.

To continue reading this article and unlock full access to GRIP, register now. You’ll enjoy free access to all content until our subscription service launches in early 2026.

Unlimited access to industry insights
Stay on top of key rules and regulatory changes with our Rules Navigator
Ad-free experience with no distractions
Regular podcasts from trusted external experts
Fresh compliance and regulatory content every day

Topics

Latest News

UK regulator warns of record surge in FCA impersonation scams

The subtle signals of trust: BarkerGilmore’s Guide to GC gravitas

FINRA disciplinary action update 2025/31

Topics

Latest News

Key facts about HMT policy statement on appointed representatives regime

Closures leave UK with one of Europe's lowest densities of bank branches

NHS whistleblower loses appeal in case where 90,000 emails were deleted

Topics

Latest News

200 Swedish municipalities and regions affected in ransomware attack

South Korea steps closer to introducing stablecoin regulation

McKinsey tech trends report points to rapidly scaling AI

Topics

Latest News

Margaret Ryan is new SEC enforcement chief

Podcast: Matt Galvin on leveraging AI and data analytics in compliance programs

GRIP Extra: JP Morgan to settle 1MDB claims for $330m, CVS Caremark fined $290m for Medicare fraud