--- title: "EU GDPR DSAR Workflow: Intake, Clock, Rights, and Evidence" canonical_url: "https://www.sorena.io/artifacts/eu/general-data-protection-regulation/dsar-workflow" source_url: "https://www.sorena.io/artifacts/eu/general-data-protection-regulation/dsar-workflow" author: "Sorena AI" description: "Run a GDPR DSAR workflow for intake, identity checks, rights scoping, one-month response timing, extensions, refusals, processor handoffs, and evidence records." published_at: "2026-05-09" updated_at: "2026-05-09" keywords: - "EU GDPR" - "DSAR workflow" - "data subject access request" - "Article 12" - "Article 15" - "data subject rights" - "one month response" - "Article 16" - "Article 17" - "Article 20" - "Article 21" - "Article 22" --- **[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform [Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io) --- # EU GDPR DSAR Workflow: Intake, Clock, Rights, and Evidence Run a GDPR DSAR workflow for intake, identity checks, rights scoping, one-month response timing, extensions, refusals, processor handoffs, and evidence records. *Artifact Guide* *EU GDPR* ## GDPR DSAR Workflow Intake, Clock, Rights, and Evidence Use this workflow to capture a data subject request, confirm identity only where justified, scope the right being exercised, run the one-month response clock, and close with a response, extension notice, refusal, or evidence-backed no-data outcome. Built for privacy, legal, support, HR, product, security, data governance, and vendor-management teams that need one operating record for GDPR Chapter III rights. A GDPR DSAR workflow should not be a generic ticket queue. It should preserve the original request, identify the data subject and controller role, route the request across Articles 15 to 22, protect the one-month response deadline in Article 12, document any extension or refusal, coordinate processor evidence where needed, and leave a record showing how the controller handled the request. ## 1. Open the DSAR intake record Open one case record as soon as a request under GDPR data subject rights is received through privacy, support, sales, HR, security, product, or another official controller channel. Article 12 requires the controller to facilitate rights requests and communicate in a concise, transparent, intelligible, and easily accessible form. Keep the requester's original wording separate from the team's classification. A single message can combine access, erasure, objection, portability, correction, or automated-decision concerns, and the workflow should avoid narrowing the request before a reviewer has scoped it. - Capture case ID, receipt timestamp, intake channel, requester contact, apparent data subject, controller entity, accountable owner, reviewer, and default one-month due date. - Store the original request text, attachments, envelope metadata, language used, and any stated account, employee, device, transaction, or customer identifiers. - Classify the requested right or rights: access, rectification, erasure, restriction, portability, objection, automated-decision review, or mixed request. - Flag immediate handoffs: HR data, customer account data, child-related data, special category data, security logs, processor-held data, or data that may involve another person's rights and freedoms. Sources for this answer: - [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Article 12 sets the controller's obligation to facilitate and communicate about rights requests under Articles 15 to 22. ## 2. Confirm identity without over-collecting Do not turn identity verification into a default document-collection step. Article 12 allows additional information where the controller has reasonable doubts about the identity of the person making the request, and Article 11 addresses situations where the controller cannot identify the data subject from the data it holds. The workflow should record why identity is already reliable or why extra information is necessary. The extra information requested should be tied to the data at issue, the channel used, and the risk of disclosing or changing personal data for the wrong person. - Record existing identity signals such as authenticated session, verified email, employee account, customer ID, support history, signed channel, or prior verified relationship. - If identity is uncertain, ask only for additional information necessary to confirm the identity for this request and record the reason for asking. - If the controller cannot identify the data subject from available data, record the no-match result and what additional information would make identification possible. - Keep identity proof, verification notes, and access permissions separate from the response export so unnecessary identity material is not reused or disclosed. Sources for this answer: - [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Articles 11 and 12(6) support targeted identity handling when the controller cannot identify the data subject or has reasonable identity doubts. ## 3. Scope the right and the systems to search Map the request to the GDPR right before collecting data. Access requests under Article 15 require confirmation whether personal data is processed, access to that personal data, specified processing information, and a copy of personal data undergoing processing where applicable. Other rights may require correction, deletion assessment, restriction, portability export, objection handling, or review of solely automated decisions. The search scope should mirror how the controller actually stores and retrieves personal data. Include active systems, archives where searchable, support tools, HR systems, product logs, billing data, processor platforms, and retention locations that may contain personal data about the data subject. - Access: prepare confirmation, data copy, purposes, categories, recipients or recipient categories, retention period or criteria, rights information, complaint information, source information where not collected from the data subject, and automated-decision information where relevant. - Rectification, erasure, and restriction: identify the relevant records, processing purpose, retention status, recipients that may need notification, and any reason the requested action cannot be completed. - Portability and objection: check whether the request concerns data and processing conditions covered by the relevant Article 20 or Article 21 path before promising an export or stopping processing. - Automated decision-making: identify whether the request concerns a decision covered by Article 22 and preserve the logic, significance, and envisaged-consequence review materials where relevant. Sources for this answer: - [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Articles 15 to 22 define the rights that a DSAR workflow must route, including access, rectification, erasure, restriction, portability, objection, and automated-decision rights. ## 4. Run the one-month response clock The DSAR record should show the Article 12 timing position at all times. The controller must provide information on action taken without undue delay and in any event within one month of receipt. A two-month extension is available where necessary because of request complexity or number, but the data subject must be told within one month of receipt and given the reasons for the delay. Use the clock record to manage processor requests, internal exports, legal review, redactions, and final delivery. Do not treat internal backlogs, tool limitations, or unclear ownership as an extension reason unless the recorded facts fit the GDPR standard. - Clock fields: receipt date, default due date, response owner, legal reviewer, data owners, processor owners, response target, and escalation date. - Extension fields: complexity or number of requests, affected systems or processors, reason for delay, date notice sent to the data subject, and revised deadline. - Communication fields: response channel, electronic-response preference where the request was electronic, plain-language review, and secure-delivery method. - Delay control: escalate before the deadline when identity verification, processor response, redaction, or rights-and-freedoms review threatens timely closure. Sources for this answer: - [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Article 12(3) sets the one-month response rule and the two-month extension mechanism for complex or numerous requests. ## 5. Decide response, extension, fee, or refusal Most requests should close with action taken and a clear response. If the controller does not take action, Article 12 requires notice without delay and at the latest within one month, including reasons and information about complaint and judicial-remedy options. Fees and refusals need their own evidence path. Article 12 allows a reasonable fee or refusal only where requests are manifestly unfounded or excessive, in particular because of repetitive character, and the controller bears the burden of demonstrating that character. - Response decision: what action was taken, which records or systems were included, what was excluded, what was redacted, and who approved the final package. - Extension decision: why the request is complex or numerous, what work remains, when the extension notice was sent, and what revised target is being managed. - No-action decision: factual basis, GDPR right involved, legal reviewer, data-subject notice, complaint language, judicial-remedy language, and approval timestamp. - Fee or refusal decision: evidence that the request is manifestly unfounded or excessive, administrative-cost basis if a fee is charged, and the controller's burden-of-proof record. Sources for this answer: - [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Article 12(4) and 12(5) govern no-action notices, complaint and remedy information, fees, refusals, and the controller's burden of proof. ## 6. Coordinate processors and preserve evidence The controller remains accountable for the DSAR response, but processors often hold records, logs, exports, deletion controls, or support evidence needed to answer. Article 28 requires processor terms to include assistance, by appropriate technical and organisational measures where possible, for the controller's obligation to respond to Chapter III rights requests. Close the workflow only when the response package and evidence file align. The evidence file should prove how the request was handled; the data-subject response should contain only the response content that is appropriate to disclose. - Processor evidence: documented instruction, vendor contact, request date, response date, systems searched, export format, no-data confirmation, deletion or restriction confirmation, and unresolved gaps. - Search evidence: repositories searched, search criteria used, data owners contacted, retention constraints, archives checked, and quality-control review. - Disclosure evidence: redaction rationale, third-party rights-and-freedoms review, secure-transfer proof, language or accessibility considerations, final response text, and delivery timestamp. - Reopening triggers: follow-up request, new identifier, late processor response, missed system, correction from the data subject, complaint escalation, or evidence that the original response was incomplete. Sources for this answer: - [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Articles 24 and 28 support accountable controller measures and processor assistance for responding to GDPR Chapter III rights requests. *Recommended next step* *Placement: before sources* ## Use this guide to operationalize DSAR intake and response Sorena can help convert GDPR rights-request intake, identity checks, one-month clock management, processor handoffs, response review, and evidence records into a repeatable DSAR workflow. - [Open Research Copilot for EU GDPR](/solutions/research-copilot.md): Ask source-linked questions about DSAR intake, identity checks, rights scope, response timing, extensions, refusals, and evidence using the cited GDPR source. - [Talk through DSAR operations](/contact.md): Review your GDPR DSAR workflow, processor handoffs, evidence file, and response bottlenecks with Sorena. ## Primary sources - [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Binding GDPR source for Article 11 identification limits, Article 12 request modalities and timing, Articles 15 to 22 data-subject rights, Article 24 accountability, and Article 28 processor assistance. - Quote: "The controller shall provide information on action taken" ## Related Topic Guides - [Does the EU GDPR apply outside the EU under Article 3?](/artifacts/eu/general-data-protection-regulation/faq/territorial-scope.md): A grounded GDPR Article 3 territorial-scope FAQ covering EU establishment, offering goods or services, monitoring behavior in the EU, and Article 27 representatives. - [EU GDPR Applicability Test for Products, Vendors, and Data Flows](/artifacts/eu/general-data-protection-regulation/applicability-test.md): A concrete GDPR scope test for personal data, controller and processor roles, EU establishment, EU targeting or monitoring, special-category and child data, transfers, vendors, and evidence. - [EU GDPR Article 30 RoPA Intake Workflow](/artifacts/eu/general-data-protection-regulation/ropa-intake-workflow.md): Use this GDPR Article 30 RoPA intake workflow to capture controller and processor fields, owners, transfers, retention, security measures, and evidence before a processing activity goes live. - [EU GDPR Article 6 Legal Bases FAQ](/artifacts/eu/general-data-protection-regulation/faq/legal-bases.md): FAQ on the six Article 6 GDPR lawful bases, consent caveats, legitimate interests, public-task and legal-obligation limits, and Article 9 special-category data. - [EU GDPR Automated Decision-Making and Profiling: Article 22 Scope, Safeguards, and Evidence](/artifacts/eu/general-data-protection-regulation/automated-decision-making-and-profiling.md): source-linked GDPR guide for automated decision-making and profiling: Article 22 scope, profiling definition, transparency, lawful basis, DPIA triggers, human review rights, and evidence. - [EU GDPR Breach Notification 72 Hours: Article 33 and 34 workflow](/artifacts/eu/general-data-protection-regulation/breach-notification-72-hours.md): Source-grounded EU GDPR breach notification workflow covering awareness, 72-hour supervisory authority notices, processor escalation, high-risk data-subject communication, delay reasons, and evidence logs. - [EU GDPR Breach Notification Workflow: 72-hour clock, risk assessment, and records](/artifacts/eu/general-data-protection-regulation/breach-notification-workflow.md): A concrete EU GDPR breach notification workflow for detecting and triaging incidents, starting the awareness clock, assessing risk, notifying authorities or data subjects, and keeping Article 33 records. - [EU GDPR Checklist: scope, lawful basis, DSARs, DPIA, RoPA, transfers](/artifacts/eu/general-data-protection-regulation/checklist.md): Use this GDPR checklist to review scope, lawful basis, notices, DSAR handling, DPIAs, RoPA, processor contracts, SCC transfers, breach notification, retention, security, and evidence. - [EU GDPR Children and Special-Category Data Guide](/artifacts/eu/general-data-protection-regulation/children-and-special-categories.md): source-linked GDPR guide for Article 8 children's consent, Article 9 special-category data, DPIA triggers, transparency, safeguards, and evidence records. - [EU GDPR Compliance Checklist: scope, rights, DPIA, RoPA, transfers](/artifacts/eu/general-data-protection-regulation/compliance.md): Practical EU GDPR compliance guide for mapping scope, lawful basis, notices, data-subject rights, DPIAs, RoPA, processor terms, breaches, transfers, retention, security, and penalties. - [EU GDPR Controller, Processor, and Joint Controller Roles](/artifacts/eu/general-data-protection-regulation/controller-processor-and-joint-controller-roles.md): source-linked GDPR guide for classifying controllers, processors, and joint controllers, with Article 28 contract checks, Article 26 transparency, and vendor evidence. - [EU GDPR Data Subject Rights and DSAR Workflow](/artifacts/eu/general-data-protection-regulation/data-subject-rights-and-dsar-workflow.md): source-linked GDPR DSAR workflow for intake, identity checks, request scope, the one-month response clock, extensions, refusals, processor escalation, and evidence. - [EU GDPR deadlines and compliance calendar](/artifacts/eu/general-data-protection-regulation/deadlines-and-compliance-calendar.md): source-linked GDPR calendar entries for applicability, DSAR response timing, breach notification, DPIA review, prior consultation, transfer reviews, and retention checks. - [EU GDPR DPIA and Prior Consultation Workflow](/artifacts/eu/general-data-protection-regulation/dpia-and-prior-consultation-workflow.md): Screen high-risk processing, run a GDPR Article 35 DPIA, record mitigation, and identify when Article 36 prior consultation is required. - [EU GDPR DPIA and risk management under Articles 35 and 36](/artifacts/eu/general-data-protection-regulation/dpia-and-risk-management.md): EU GDPR DPIA guide covering Article 35 triggers and contents, CNIL and DPC PIA methods, residual risk, mitigation records, and prior consultation limits. - [EU GDPR DSAR Exceptions: refusal, extensions, identity checks](/artifacts/eu/general-data-protection-regulation/faq/dsar-exceptions.md): FAQ on when EU GDPR controllers may extend, charge for, narrow, redact, or refuse a data subject access request under Articles 12 and 15. - [EU GDPR FAQ: scope, lawful basis, rights, DPIA, breaches, transfers](/artifacts/eu/general-data-protection-regulation/faq.md): Direct EU GDPR FAQ answers on scope, controller and processor roles, lawful basis, data subject rights, DPIAs, breach notification, international transfers, and Article 83 fine tiers. - [EU GDPR International Transfers and SCCs: Chapter V evidence guide](/artifacts/eu/general-data-protection-regulation/international-transfers-and-sccs.md): source-linked guide to GDPR Chapter V transfers, adequacy decisions, SCCs, transfer impact assessments, supplementary measures, and EU-US DPF checks. - [EU GDPR Lawful Basis and Consent Guide](/artifacts/eu/general-data-protection-regulation/lawful-basis-and-consent.md): Focused GDPR guide to Article 6 lawful bases, consent conditions, legitimate interests, special category data, withdrawal, and evidence records. - [EU GDPR Lawful Basis and LIA Workflow for Article 6(1)(f)](/artifacts/eu/general-data-protection-regulation/lawful-basis-and-lia-workflow.md): Assess GDPR legitimate interests with a purpose, necessity, balancing, Article 21 objection, and evidence-record workflow grounded in Article 6(1)(f). - [EU GDPR Lead Supervisory Authority and One-Stop-Shop](/artifacts/eu/general-data-protection-regulation/lead-authority-and-one-stop-shop.md): How GDPR main establishment, cross-border processing, Article 56 lead authority competence, and Article 60 cooperation fit together. - [EU GDPR LIA Template for Article 6(1)(f)](/artifacts/eu/general-data-protection-regulation/lia-template.md): Use this EU GDPR legitimate interests assessment template to document Article 6(1)(f) purpose, necessity, balancing, safeguards, objection rights, and evidence. - [EU GDPR penalties and fines: Article 83 tiers and evidence](/artifacts/eu/general-data-protection-regulation/penalties-and-fines.md): EU GDPR penalties and fines guide covering Article 83 fine tiers, assessment factors, Article 58 powers, and evidence records for controllers and processors. - [EU GDPR Processor Contracts and Vendor Management | Article 28 Evidence Guide](/artifacts/eu/general-data-protection-regulation/processor-contracts-and-vendor-management.md): EU GDPR Article 28 guide for processor contracts, sub-processor controls, controller-processor role boundaries, vendor evidence, and SCC transfer clauses where applicable. - [EU GDPR Record of Processing Activities Template: Article 30 RoPA Fields](/artifacts/eu/general-data-protection-regulation/record-of-processing-activities-template.md): Build a GDPR Article 30 record of processing activities with separate controller and processor fields for purposes, data categories, recipients, transfers, erasure time limits, and security measures. - [EU GDPR Requirements: scope, rights, security, DPIA, RoPA, and transfers](/artifacts/eu/general-data-protection-regulation/requirements.md): Overview of core EU GDPR requirements covering scope, principles, lawful basis, notices, data-subject rights, processors, RoPA, security, breaches, DPIAs, and international transfers. - [EU GDPR Retention and Erasure Schedule](/artifacts/eu/general-data-protection-regulation/retention-and-erasure-schedule.md): Build an EU GDPR retention and erasure schedule around storage limitation, Article 17 erasure grounds, Article 12 rights handling, Article 19 recipient notices, and Article 30 RoPA fields. - [EU GDPR SCC Transfer Impact Assessment FAQ](/artifacts/eu/general-data-protection-regulation/faq/scc-transfer-impact-assessment.md): source-linked FAQ on when SCC transfer impact assessments are needed, what Clause 14 records, and when supplementary safeguards or transfer suspension are required. - [EU GDPR Transfer TIA and SCC Workflow](/artifacts/eu/general-data-protection-regulation/transfer-tia-and-scc-workflow.md): A GDPR workflow for checking adequacy, selecting SCC modules, documenting transfer impact assessments, and recording supplementary measures for third-country transfers. - [EU GDPR Transparency Notices: Articles 12, 13 and 14](/artifacts/eu/general-data-protection-regulation/transparency-notices.md): Source-grounded GDPR guide to privacy notices under Articles 12, 13 and 14: direct collection, third-party data sources, recipients, transfers, retention, rights, and lawful basis. - [EU GDPR vs Brazil LGPD: GDPR-led comparison and source gaps](/artifacts/eu/general-data-protection-regulation/gdpr-vs-lgpd.md): Compare EU GDPR duties with Brazil LGPD only where the available sources support the comparator, with GDPR rows for lawful basis, rights, breach, transfers, roles, and evidence. - [EU GDPR vs California CCPA: grounded GDPR comparison limits](/artifacts/eu/general-data-protection-regulation/gdpr-vs-ccpa.md): Compare GDPR implementation duties with source-limited California CCPA/CPRA context, showing where the available grounding supports a claim and where it does not. - [EU GDPR vs ePrivacy Directive: personal data, cookies, consent, and communications](/artifacts/eu/general-data-protection-regulation/gdpr-vs-eprivacy.md): Compare the EU GDPR and ePrivacy Directive for personal data processing, consent and lawful basis, cookies and terminal access, electronic communications, and parallel compliance. - [EU GDPR vs UK GDPR: source-limited compliance comparison](/artifacts/eu/general-data-protection-regulation/gdpr-vs-uk-gdpr.md): Compare EU GDPR obligations with source-limited UK GDPR transfer notes grounded in EU GDPR sources, covering scope, lawful basis, rights, accountability, records, DPIAs, security, and transfers. - [GDPR processor vs controller: role boundaries and evidence](/artifacts/eu/general-data-protection-regulation/faq/processor-vs-controller.md): Decide whether a party is a GDPR controller, processor, or joint controller using purpose-and-means tests, Article 28 terms, Article 26 arrangements, and Article 30 records. - [GDPR vs EU AI Act: privacy controls for AI systems](/artifacts/eu/general-data-protection-regulation/gdpr-vs-ai-act.md): Compare GDPR privacy duties with the EU AI Act only where the GDPR source pack supports the point: lawful basis, notices, DPIA, ADM, RoPA, rights, and source limits. - [GDPR vs EU Data Act: personal data safeguards and source limits](/artifacts/eu/general-data-protection-regulation/gdpr-vs-data-act.md): Compare GDPR obligations with the EU Data Act only where the available GDPR grounding supports the fact pattern, with clear safeguards for personal data, rights, transfers, and accountability. - [When does the EU GDPR require a DPIA?](/artifacts/eu/general-data-protection-regulation/faq/dpia-threshold.md): Answer the EU GDPR DPIA threshold question with Article 35 triggers, high-risk criteria, supervisory-authority list checks, and DPIA content requirements. - [When does the GDPR 72-hour breach notification clock start?](/artifacts/eu/general-data-protection-regulation/faq/breach-awareness-clock.md): GDPR breach-awareness FAQ covering the Article 33 clock, processor escalation, delayed or phased notifications, risk assessment, and records to keep. --- [Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us) (c) 2026 Sorena AB (559573-7338). All rights reserved. Source: https://www.sorena.io/artifacts/eu/general-data-protection-regulation/dsar-workflow