- Article 24 sets the controller's accountability measures and Article 28 requires processor assistance for responding to GDPR Chapter III rights requests.
"assists the controller"
Use this workflow to capture a data subject request, confirm identity only where justified, scope the right being exercised, run the one-month response clock, and close with a response, extension notice, refusal, or evidence-backed no-data outcome.
Built for privacy, legal, support, HR, product, security, data governance, and vendor-management teams that need one operating record for GDPR Chapter III rights.
Structured answer sets in this page tree.
Cited legal and guidance references.
A GDPR DSAR workflow should not be a generic ticket queue. It should preserve the original request, identify the data subject and controller role, route the request across Articles 15 to 22, protect the one-month response deadline in Article 12, document any extension or refusal, coordinate processor evidence where needed, and leave a record showing how the controller handled the request.
Open one case record as soon as a request under GDPR data subject rights is received through privacy, support, sales, HR, security, product, or another official controller channel. Article 12 requires the controller to facilitate rights requests and communicate in a concise, transparent, intelligible, and easily accessible form.
Keep the requester's original wording separate from the team's classification. A single message can combine access, erasure, objection, portability, correction, or automated-decision concerns, and the workflow should avoid narrowing the request before a reviewer has scoped it.
Do not turn identity verification into a default document-collection step. Article 12 allows additional information where the controller has reasonable doubts about the identity of the person making the request, and Article 11 addresses situations where the controller cannot identify the data subject from the data it holds.
The workflow should record why identity is already reliable or why extra information is necessary. The extra information requested should be tied to the data at issue, the channel used, and the risk of disclosing or changing personal data for the wrong person.
Map the request to the GDPR right before collecting data. Access requests under Article 15 require confirmation of whether personal data is being processed, access to that personal data, the specified processing information, and a copy of the personal data undergoing processing where applicable. Other rights may require correction, a deletion assessment, restriction, a portability export, objection handling, or review of solely automated decisions.
The search scope should mirror how the controller actually stores and retrieves personal data. Include active systems, archives where searchable, support tools, HR systems, product logs, billing data, processor platforms, and retention locations that may contain personal data about the data subject.
The DSAR record should show the Article 12 timing position at all times. The controller must provide information on action taken without undue delay and in any event within one month of receipt. A two-month extension is available where necessary because of request complexity or number, but the data subject must be told within one month of receipt and given the reasons for the delay.
Use the clock record to manage processor requests, internal exports, legal review, redactions, and final delivery. Do not treat internal backlogs, tool limitations, or unclear ownership as an extension reason unless the recorded facts fit the GDPR standard.
Most requests should close with action taken and a clear response. If the controller does not take action, Article 12 requires notice without delay and at the latest within one month, including reasons and information about complaint and judicial-remedy options.
Fees and refusals need their own evidence path. Article 12 allows a reasonable fee or refusal only where requests are manifestly unfounded or excessive, in particular because of repetitive character, and the controller bears the burden of demonstrating that character.
The controller remains accountable for the DSAR response, but processors often hold records, logs, exports, deletion controls, or support evidence needed to answer. Article 28 requires processor terms to include assistance, by appropriate technical and organisational measures where possible, for the controller's obligation to respond to Chapter III rights requests.
Close the workflow only when the response package and evidence file align. The evidence file should prove how the request was handled; the data-subject response should contain only the response content that is appropriate to disclose.
Sorena can help convert GDPR rights-request intake, identity checks, one-month clock management, processor handoffs, response review, and evidence records into a repeatable DSAR workflow.
Ask source-linked questions about DSAR intake, identity checks, rights scope, response timing, extensions, refusals, and evidence using the cited GDPR source.
Review your GDPR DSAR workflow, processor handoffs, evidence file, and response bottlenecks with Sorena.