Under the GDPR, individuals have the right to access, correct, delete, and restrict the use of their personal data. Strictly speaking, a Data Subject Access Request (DSAR) is a request under Article 15 (right of access), but the term is commonly used, as on this page, for any data subject rights request. All such requests must be handled within strict legal timeframes. Your Secure Privacy DPO ensures your organization can respond to every type of data subject rights request correctly, on time, and with proper documentation.
Who Is This For?
Data Protection Officers and privacy managers handling GDPR compliance
Legal and compliance teams managing data subject rights workflows
HR and IT teams responsible for locating and processing personal data in response to DSARs
Organizations subject to GDPR looking to streamline their DSAR handling process
GDPR Data Subject Rights: Full Overview
The GDPR grants individuals a set of rights over their personal data. The table below summarizes the six rights most commonly exercised through a DSAR workflow, the applicable GDPR article, and what each requires of your organization. (The right to be informed under Articles 13 and 14 and the rights concerning automated decision-making under Article 22 also apply but are not typically handled as individual requests.)
| Right | GDPR Article | Description |
|---|---|---|
| Right of Access | Article 15 | Individuals can request a copy of their personal data and information about how it is processed |
| Right to Rectification | Article 16 | Individuals can request correction of inaccurate or incomplete personal data |
| Right to Erasure | Article 17 | Individuals can request deletion of their personal data in certain circumstances (the "right to be forgotten") |
| Right to Restriction | Article 18 | Individuals can request that processing of their personal data be restricted under specific conditions |
| Right to Data Portability | Article 20 | Individuals can receive their personal data in a structured, commonly used, machine-readable format, and have it transmitted to another controller where technically feasible |
| Right to Object | Article 21 | Individuals can object to processing based on legitimate interests or on a task carried out in the public interest, and can object at any time to processing for direct marketing purposes |
GDPR DSAR Response Timeline
Organizations must respond to data subject requests without undue delay and in any event within one month of receipt (Article 12(3)). Where necessary, taking into account the complexity and number of the requests, this period can be extended by a further two months, but the data subject must be informed of the extension and the reasons for the delay within the initial one-month period. The one-month period runs from the day the request is received, not from the day it is acknowledged or assigned internally.
How Your DPO Manages DSAR Handling
Your Secure Privacy DPO supports every stage of the DSAR response process:
Request validation: Verify the identity of the requester and determine which data subject right applies.
Scope assessment: Define the scope of the request and identify all relevant internal data sources.
Exemption review: Advise on applicable exemptions under GDPR, such as legal privilege or third-party rights.
Response preparation: Guide your team in preparing a complete, compliant response.
Quality review: Review the final response before it is sent to the data subject to ensure accuracy and compliance.
Documentation: Ensure the request, decision-making process, and response are fully documented for audit purposes.
DSAR Best Practices for GDPR Compliance
Acknowledge requests promptly
Send an acknowledgment as soon as a DSAR is received. This confirms receipt to the data subject and records the date from which the one-month response window is counted. Note that the acknowledgment does not start the clock; the window runs from the day of receipt regardless of when the acknowledgment is sent, so late acknowledgment only shortens the time available to respond.
Use a centralized DSAR tracking system
Manage all incoming requests through a single platform to avoid missed deadlines and ensure consistent handling. Secure Privacy's built-in DSAR tracking tools support this directly.
Train staff to recognize and escalate DSARs
Any employee may receive a data subject request — not just the privacy team. Ensure all staff know how to identify a DSAR and who to escalate it to immediately.
Document all refusals and exemption decisions
If a request is refused or an exemption applied, document the legal basis and reasoning clearly. This is critical for demonstrating GDPR accountability if the decision is challenged.
Track and manage all requests through Secure Privacy
Use the Secure Privacy DSAR management tools to log, assign, and track every data subject request from receipt to resolution.
Frequently Asked Questions
What is the GDPR deadline for responding to a DSAR?
Organizations must respond within one month of receiving the request. This can be extended by two further months for complex or high-volume cases, provided the data subject is informed of the extension within the initial one-month period.
Can an organization refuse a data subject request?
Yes, in certain circumstances. The GDPR provides exemptions and limits, for example where disclosure would adversely affect the rights and freedoms of others (Article 15(4)) or where a legal privilege applies, and manifestly unfounded or excessive requests may be refused or charged for (Article 12(5)). Any refusal must be documented with the legal basis clearly stated, and under Article 12(4) the data subject must be informed without delay, and at the latest within one month of receipt, of the reasons for not acting on the request and of their right to lodge a complaint with a supervisory authority and to seek a judicial remedy.
What is the difference between a DSAR and a DPIA?
A DSAR (Data Subject Access Request) is a request made by an individual exercising their rights over their own personal data. A DPIA (Data Protection Impact Assessment) is an internal process under Article 35 that an organization carries out, before processing begins, to assess and mitigate the risks of a specific processing activity that is likely to result in a high risk to individuals.
How does Secure Privacy help manage GDPR data subject requests?
Secure Privacy provides built-in DSAR forms, request tracking, and workflow tools to help organizations handle data subject rights requests on time and with a complete audit trail. Your DPO also provides direct support at each stage of the response process.