Artifact GuideEU GDPR

GDPR DSAR Workflow Data Subject Rights Intake, Response, and Evidence

Use this workflow to triage a GDPR rights request, confirm identity only where needed, define the request scope, run the one-month response clock, and record the response or refusal basis.

Built for privacy, support, legal, security, product, HR, data governance, and processor-management teams that need one operating record for Article 12, Article 15, and Article 28 handoffs.

Back to main artifactReview sources
Author
Sorena AI
Published
May 9, 2026
Updated
May 9, 2026
Sections
5

Structured answer sets in this page tree.

Primary sources
1

Cited legal and guidance references.

Publication metadata
Sorena AI
Published May 9, 2026
Updated May 9, 2026
Overview

A GDPR data subject access request should move through one controlled record: capture the request, confirm the requester and relevant data subject, classify the right being exercised, preserve the one-month response clock, gather controller and processor evidence, and close with the response, extension notice, or reasoned refusal. The workflow below focuses on EU GDPR Articles 12, 15, 24, and 28 without adding country-specific derogations or authority-specific procedures.

Section 1

Open the DSAR record at intake

Treat every rights request as a time-sensitive controller workflow, even when it arrives through support, sales, HR, security, privacy, or a supplier mailbox. Article 12 requires the controller to facilitate rights under Articles 15 to 22 and to communicate in a concise, transparent, intelligible, and easily accessible form.

The intake record should separate the requester's words from the team's interpretation. Capture what was requested, when it was received, which channel received it, which data subject it appears to concern, and which products, accounts, employee records, systems, vendors, or countries may hold responsive data.

  • Create one DSAR case ID, receipt timestamp, requester contact, intake channel, accountable controller owner, and backup reviewer.
  • Classify the right requested: access, rectification, erasure, restriction, portability, objection, automated-decision review, or a mixed request requiring more than one response path.
  • Preserve the original request text and any attachments, then record the team's scope interpretation separately.
  • Start with the one-month response deadline from receipt, then update the record only if a grounded extension, refusal, or identity-check pause is justified by the facts.
Sources for this answer
Regulation (EU) 2016/679 (GDPR)
Article 12 sets the communication, facilitation, and one-month response framework for GDPR rights requests.
Section 2

Confirm identity and request scope before collecting data

Identity checks should be targeted. Article 12 allows additional information where the controller has reasonable doubts about the identity of the person making the request, but the workflow should avoid collecting extra identity data by default.

Scope the request before extracting records. For an access request, Article 15 covers confirmation whether personal data is processed, access to that data, specified processing information, transfer safeguards where relevant, and a copy of personal data undergoing processing. If the request is broader or unclear, record the likely rights involved and the systems to search.

  • Identity check: record why identity is already confirmed or why additional information is necessary and proportionate for this request.
  • Data-subject match: link the request to account IDs, employee IDs, customer records, device IDs, email addresses, or other identifiers already held by the controller.
  • Scope map: list the products, systems, repositories, vendors, retention locations, and business owners that may contain personal data for the data subject.
  • Access package: prepare the Article 15 elements separately from private working notes, legal analysis, third-party data, and security-sensitive material that may need review before disclosure.
Sources for this answer
Regulation (EU) 2016/679 (GDPR)
Article 12(6) supports targeted identity confirmation, and Article 15 defines the core access response elements.
Section 3

Run the one-month clock and document extensions or refusals

The default rule is response without undue delay and in any event within one month of receipt. Article 12 allows a two-month extension where necessary because of request complexity or number, but the data subject must be told within one month of receipt and given the reasons for the delay.

Refusals and fees are narrow paths, not routine workload controls. Article 12 allows a reasonable fee or refusal where a request is manifestly unfounded or excessive, especially because of repetitive character, and the controller bears the burden of demonstrating that character. If no action is taken, the controller must explain the reasons and the possibility of complaint and judicial remedy within one month.

  • Clock record: receipt date, default due date, response owner, reviewer, and any date the data subject was asked for necessary identity information.
  • Extension record: complexity or number of requests, reason for delay, date extension notice was sent, and revised internal target date.
  • No-action record: factual basis for not acting, legal review, notice to the data subject, complaint and judicial-remedy language, and approval owner.
  • Fee record: why the request is excessive or manifestly unfounded, administrative-cost basis, data-subject communication, and alternative response options considered.
Sources for this answer
Regulation (EU) 2016/679 (GDPR)
Article 12(3) through 12(6) sets the one-month response rule, two-month extension conditions, refusal notice duty, fee/refusal standard, and identity-check rule.
Section 4

Coordinate rights handling across controllers, processors, and internal owners

The controller owns the response, but processors may hold the data, logs, exports, deletion tooling, or account state needed to answer the request. Article 28 requires processor terms to include assistance, by appropriate technical and organisational measures where possible, for the controller's obligation to respond to Chapter III data-subject rights.

Make the processor handoff operational before a live request arrives. The DSAR runbook should specify vendor contacts, evidence formats, secure transfer method, escalation time, deletion or return limits, and how the controller reviews processor-provided data before sending anything to the data subject.

  • Controller owner: approves request scope, response position, extension, refusal, fee, and final response package.
  • System owner: exports responsive personal data, confirms retention state, and flags data that belongs to another person or requires review before disclosure.
  • Processor owner: sends documented instructions to suppliers, tracks supplier response dates, and confirms Article 28 assistance obligations are available.
  • Security or legal reviewer: checks delivery channel, redactions, third-party rights and freedoms, confidentiality constraints, and high-risk disclosure issues.
Sources for this answer
Regulation (EU) 2016/679 (GDPR)
Article 24 supports accountable controller measures, and Article 28 requires processor assistance for responding to Chapter III data-subject rights.
Section 5

Close with a response package and reusable evidence file

Close the DSAR only when the response and evidence file tell the same story. For an access request, the response should address confirmation, access to personal data, Article 15 processing information, copy format where applicable, transfer safeguards where relevant, and any lawful limits applied.

Keep evidence for the handling of the request separately from the personal-data export. The evidence file should prove the controller met the response workflow, while the export or response content should be limited to what is appropriate for the data subject.

  • Response evidence: final response text, delivery date, delivery channel, language or accessibility considerations, reviewer approval, and any secure-transfer proof.
  • Search evidence: systems searched, owners contacted, processor requests, export dates, no-data findings, retention constraints, and quality checks.
  • Decision evidence: identity-check rationale, scope decisions, extension notice, refusal or fee basis, redaction rationale, and Article 15 response checklist.
  • Reopening triggers: duplicate or follow-up request, missed system, late processor response, correction from the data subject, new account identifier, or complaint escalation.
Sources for this answer
Regulation (EU) 2016/679 (GDPR)
Articles 12 and 15 define response content, format expectations, timing, and the controller's access-response duties.
Recommended next step

Use this guide to operationalize DSAR handling

Sorena can help convert your GDPR rights-request intake, processor escalation, response review, and evidence retention steps into a repeatable workflow tied to Article 12, Article 15, and Article 28.

Research workflow
Open Research Copilot for EU GDPR

Ask source-linked questions about DSAR intake, identity checks, response clocks, extensions, refusals, and processor assistance using the cited sources on this page.

Explore next step
Talk to Sorena
Talk through DSAR operations

Review your GDPR rights-request workflow, processor handoffs, evidence file, and response bottlenecks with Sorena.

Explore next step
Primary sources

References and citations

Regulation (EU) 2016/679 (GDPR)
eur-lex.europa.eu
Referenced sections
  • Articles 12 and 15 define response content, format expectations, timing, and the controller's access-response duties.
"The controller shall provide a copy"
Related guides

Explore more topics

Does the EU GDPR apply outside the EU under Article 3?
A grounded GDPR Article 3 territorial-scope FAQ covering EU establishment, offering goods or services, monitoring behavior in the EU, and Article 27 representatives.
EU GDPR Applicability Test for Products, Vendors, and Data Flows
A concrete GDPR scope test for personal data, controller and processor roles, EU establishment, EU targeting or monitoring, special-category and child data, transfers, vendors, and evidence.
EU GDPR Article 30 RoPA Intake Workflow
Use this GDPR Article 30 RoPA intake workflow to capture controller and processor fields, owners, transfers, retention, security measures, and evidence before a processing activity goes live.
EU GDPR Article 6 Legal Bases FAQ
FAQ on the six Article 6 GDPR lawful bases, consent caveats, legitimate interests, public-task and legal-obligation limits, and Article 9 special-category data.
EU GDPR Automated Decision-Making and Profiling: Article 22 Scope, Safeguards, and Evidence
source-linked GDPR guide for automated decision-making and profiling: Article 22 scope, profiling definition, transparency, lawful basis, DPIA triggers, human review rights, and evidence.
EU GDPR Breach Notification 72 Hours: Article 33 and 34 workflow
Source-grounded EU GDPR breach notification workflow covering awareness, 72-hour supervisory authority notices, processor escalation, high-risk data-subject communication, delay reasons, and evidence logs.
EU GDPR Breach Notification Workflow: 72-hour clock, risk assessment, and records
A concrete EU GDPR breach notification workflow for detecting and triaging incidents, starting the awareness clock, assessing risk, notifying authorities or data subjects, and keeping Article 33 records.
EU GDPR Checklist: scope, lawful basis, DSARs, DPIA, RoPA, transfers
Use this GDPR checklist to review scope, lawful basis, notices, DSAR handling, DPIAs, RoPA, processor contracts, SCC transfers, breach notification, retention, security, and evidence.
EU GDPR Children and Special-Category Data Guide
source-linked GDPR guide for Article 8 children's consent, Article 9 special-category data, DPIA triggers, transparency, safeguards, and evidence records.
EU GDPR Compliance Checklist: scope, rights, DPIA, RoPA, transfers
Practical EU GDPR compliance guide for mapping scope, lawful basis, notices, data-subject rights, DPIAs, RoPA, processor terms, breaches, transfers, retention, security, and penalties.
EU GDPR Controller, Processor, and Joint Controller Roles
source-linked GDPR guide for classifying controllers, processors, and joint controllers, with Article 28 contract checks, Article 26 transparency, and vendor evidence.
EU GDPR deadlines and compliance calendar
source-linked GDPR calendar entries for applicability, DSAR response timing, breach notification, DPIA review, prior consultation, transfer reviews, and retention checks.
EU GDPR DPIA and Prior Consultation Workflow
Screen high-risk processing, run a GDPR Article 35 DPIA, record mitigation, and identify when Article 36 prior consultation is required.
EU GDPR DPIA and risk management under Articles 35 and 36
EU GDPR DPIA guide covering Article 35 triggers and contents, CNIL and DPC PIA methods, residual risk, mitigation records, and prior consultation limits.
EU GDPR DSAR Exceptions: refusal, extensions, identity checks
FAQ on when EU GDPR controllers may extend, charge for, narrow, redact, or refuse a data subject access request under Articles 12 and 15.
EU GDPR DSAR Workflow: Intake, Clock, Rights, and Evidence
Run a GDPR DSAR workflow for intake, identity checks, rights scoping, one-month response timing, extensions, refusals, processor handoffs, and evidence records.
EU GDPR FAQ: scope, lawful basis, rights, DPIA, breaches, transfers
Direct EU GDPR FAQ answers on scope, controller and processor roles, lawful basis, data subject rights, DPIAs, breach notification, international transfers, and Article 83 fine tiers.
EU GDPR International Transfers and SCCs: Chapter V evidence guide
source-linked guide to GDPR Chapter V transfers, adequacy decisions, SCCs, transfer impact assessments, supplementary measures, and EU-US DPF checks.
EU GDPR Lawful Basis and Consent Guide
Focused GDPR guide to Article 6 lawful bases, consent conditions, legitimate interests, special category data, withdrawal, and evidence records.
EU GDPR Lawful Basis and LIA Workflow for Article 6(1)(f)
Assess GDPR legitimate interests with a purpose, necessity, balancing, Article 21 objection, and evidence-record workflow grounded in Article 6(1)(f).
EU GDPR Lead Supervisory Authority and One-Stop-Shop
How GDPR main establishment, cross-border processing, Article 56 lead authority competence, and Article 60 cooperation fit together.
EU GDPR LIA Template for Article 6(1)(f)
Use this EU GDPR legitimate interests assessment template to document Article 6(1)(f) purpose, necessity, balancing, safeguards, objection rights, and evidence.
EU GDPR penalties and fines: Article 83 tiers and evidence
EU GDPR penalties and fines guide covering Article 83 fine tiers, assessment factors, Article 58 powers, and evidence records for controllers and processors.
EU GDPR Processor Contracts and Vendor Management | Article 28 Evidence Guide
EU GDPR Article 28 guide for processor contracts, sub-processor controls, controller-processor role boundaries, vendor evidence, and SCC transfer clauses where applicable.
EU GDPR Record of Processing Activities Template: Article 30 RoPA Fields
Build a GDPR Article 30 record of processing activities with separate controller and processor fields for purposes, data categories, recipients, transfers, erasure time limits, and security measures.
EU GDPR Requirements: scope, rights, security, DPIA, RoPA, and transfers
Overview of core EU GDPR requirements covering scope, principles, lawful basis, notices, data-subject rights, processors, RoPA, security, breaches, DPIAs, and international transfers.
EU GDPR Retention and Erasure Schedule
Build an EU GDPR retention and erasure schedule around storage limitation, Article 17 erasure grounds, Article 12 rights handling, Article 19 recipient notices, and Article 30 RoPA fields.
EU GDPR SCC Transfer Impact Assessment FAQ
source-linked FAQ on when SCC transfer impact assessments are needed, what Clause 14 records, and when supplementary safeguards or transfer suspension are required.
EU GDPR Transfer TIA and SCC Workflow
A GDPR workflow for checking adequacy, selecting SCC modules, documenting transfer impact assessments, and recording supplementary measures for third-country transfers.
EU GDPR Transparency Notices: Articles 12, 13 and 14
Source-grounded GDPR guide to privacy notices under Articles 12, 13 and 14: direct collection, third-party data sources, recipients, transfers, retention, rights, and lawful basis.
EU GDPR vs Brazil LGPD: GDPR-led comparison and source gaps
Compare EU GDPR duties with Brazil LGPD only where the available sources support the comparator, with GDPR rows for lawful basis, rights, breach, transfers, roles, and evidence.
EU GDPR vs California CCPA: grounded GDPR comparison limits
Compare GDPR implementation duties with source-limited California CCPA/CPRA context, showing where the available grounding supports a claim and where it does not.
EU GDPR vs ePrivacy Directive: personal data, cookies, consent, and communications
Compare the EU GDPR and ePrivacy Directive for personal data processing, consent and lawful basis, cookies and terminal access, electronic communications, and parallel compliance.
EU GDPR vs UK GDPR: source-limited compliance comparison
Compare EU GDPR obligations with source-limited UK GDPR transfer notes grounded in EU GDPR sources, covering scope, lawful basis, rights, accountability, records, DPIAs, security, and transfers.
GDPR processor vs controller: role boundaries and evidence
Decide whether a party is a GDPR controller, processor, or joint controller using purpose-and-means tests, Article 28 terms, Article 26 arrangements, and Article 30 records.
GDPR vs EU AI Act: privacy controls for AI systems
Compare GDPR privacy duties with the EU AI Act only where the GDPR source pack supports the point: lawful basis, notices, DPIA, ADM, RoPA, rights, and source limits.
GDPR vs EU Data Act: personal data safeguards and source limits
Compare GDPR obligations with the EU Data Act only where the available GDPR grounding supports the fact pattern, with clear safeguards for personal data, rights, transfers, and accountability.
When does the EU GDPR require a DPIA?
Answer the EU GDPR DPIA threshold question with Article 35 triggers, high-risk criteria, supervisory-authority list checks, and DPIA content requirements.
When does the GDPR 72-hour breach notification clock start?
GDPR breach-awareness FAQ covering the Article 33 clock, processor escalation, delayed or phased notifications, risk assessment, and records to keep.