Who this is for: Businesses that receive data requests from EU or UK residents.
Goal: Learn how to identify, verify, and respond to Data Subject Access Requests (DSARs) using Euverify’s GDPR module.
1️⃣ What Is a DSAR?
A Data Subject Access Request (DSAR) is when an individual asks to access, correct, delete, or restrict the use of their personal data.
Under the GDPR (Articles 12–23), all individuals have these rights, and you must respond within one month of receiving the request.
Common DSAR examples include:
- “I want to see what personal data you hold about me.” 
- “Please delete my account and all related data.” 
- “Update my contact details.” 
- “Stop using my data for marketing.” 
Important: DSARs can come from anywhere — email, contact form, social media, or even verbally — so your team must be trained to recognize them.
2️⃣ Where You’ll Receive DSARs in Euverify
When you set up your GDPR module, Euverify automatically generates a Secure Request Portal for your business.
This is the link you add to your Privacy Policy during Step 4 of onboarding.
All DSARs submitted through this portal appear in your dashboard under “Requests” with:
- The requester’s details 
- Type of request (access, rectification, erasure, restriction, etc.) 
- Submission date 
- Status (Open / In Progress / Completed) 
You can assign requests to a specific staff member and update progress as you respond.
3️⃣ Legal Timeframes & Deadlines
| Action | Deadline | Notes |
| --- | --- | --- |
| Acknowledge request | Within 7 days | Confirm receipt and that identity verification may be needed. | 
| Provide full response | Within 1 month | You can extend by another month only if the request is complex. | 
| Inform of extension | Within 1 month | You must explain the reason for the delay. | 
| Refuse request (if valid reason) | Within 1 month | Explain why and inform of right to complain to a supervisory authority. | 
Tip: Always document every DSAR received — even if you later refuse it — to show accountability.
4️⃣ Step-by-Step DSAR Handling Process
Step 1 — Identify the Request
Train your team to recognize DSARs across all communication channels (email, contact form, chat, social).
If in doubt, treat it as a DSAR until confirmed otherwise.
Step 2 — Verify the Requester’s Identity
Before sharing or deleting data, confirm that the person making the request is the data subject.
Acceptable proof may include:
- The same email used for their account, or 
- A scanned ID or official document, depending on sensitivity. 
Never share personal data without verifying identity first.
Step 3 — Locate the Data
Use your internal systems and records (CRM, marketing tools, HR databases, etc.) to find all personal data related to the individual.
Common data sources:
- CRM or customer database 
- Website accounts or order history 
- Marketing platforms (e.g., Mailchimp, Klaviyo) 
- Cloud storage or HR software 
- Email communications 
Euverify helps you record which systems you checked and where data is stored, ensuring traceability.
Step 4 — Take Action
Depending on the request type:
| Type | Action Required |
| --- | --- |
| Access | Provide a copy of all personal data and explain why it’s processed. | 
| Rectification | Correct inaccurate or incomplete data. | 
| Erasure (“Right to be Forgotten”) | Delete data unless you must retain it for legal reasons. | 
| Restriction | Temporarily suspend data processing. | 
| Objection / Marketing Opt-Out | Stop using data for direct marketing or profiling. | 
If you share data with third parties (e.g., payment processors), notify them to apply the same action.
Step 5 — Respond to the Request
Prepare a clear, written response that includes:
- What actions you took 
- What data you provided or deleted 
- The lawful basis for any refusal 
- The contact details of your GDPR Representative (from Euverify) 
- Information on the right to lodge a complaint with a supervisory authority 
Euverify helps you generate a standard DSAR response template to ensure consistency.
Step 6 — Close and Record
Once completed:
- Mark the DSAR as Completed in Euverify. 
- Keep a record of:
  - Date received and completed
  - Request type
  - Actions taken
  - Correspondence copies
This provides proof of compliance if audited by regulators.
5️⃣ Best Practices for DSAR Management
- Include the Secure Request Portal link in your Privacy Policy. 
- Assign a responsible person or team to manage DSARs. 
- Review requests weekly to avoid missing deadlines. 
- Keep a DSAR log with timestamps and outcomes. 
- Train all staff to escalate data requests immediately. 
- Avoid using unencrypted email for sending personal data. 
Good practice: Always respond courteously — even to repeated or unreasonable requests — to demonstrate professionalism and accountability.
6️⃣ When You Can Refuse a DSAR
You may refuse a DSAR if:
- The request is manifestly unfounded or excessive (e.g., repeated requests). 
- It involves data you are legally required to retain (e.g., invoices for tax). 
- Disclosure would adversely affect another person’s rights or freedoms. 
If you refuse:
- Explain why, 
- Inform the requester of their right to complain to a supervisory authority, and 
- Record your decision in Euverify. 
✅ Summary
| You’re GDPR-ready when… |
| --- |
| All DSARs go through your Secure Request Portal. | 
| Requests are verified, tracked, and responded to within one month. | 
| Each request is logged and auditable in Euverify. | 
| Your team knows how to recognize and escalate DSARs. | 
