DSR Management

Handle Data Subject Requests — access, erasure, portability, rectification, and objection

6 min read · Updated 26 February 2026
Client Admin, Compliance Officer, DPO

The GDPR grants individuals a comprehensive set of rights over their personal data. When someone exercises one of these rights, your organisation receives a Data Subject Request (DSR) and is legally obligated to respond within strict time limits. GDPR4All's DSR Management module helps you log, track, and respond to these requests systematically, ensuring nothing falls through the cracks and every deadline is met.

The Data Subject Rights

The GDPR establishes eight fundamental rights that individuals can exercise. Understanding each right is essential for handling requests correctly:

Right of Access (Article 15)

Individuals have the right to obtain confirmation of whether their personal data is being processed and, if so, to receive a copy of that data along with information about the purposes, categories, recipients, retention periods, and safeguards for international transfers.

Right to Rectification (Article 16)

Individuals can request that inaccurate personal data be corrected or that incomplete data be completed. You must respond without undue delay.

Right to Erasure — "Right to Be Forgotten" (Article 17)

In certain circumstances, individuals can request that their personal data be deleted. This right is not absolute — it applies when the data is no longer necessary, consent has been withdrawn, the individual objects and there are no overriding legitimate grounds, or the data was unlawfully processed.

Right to Restriction of Processing (Article 18)

Individuals can request that you limit how their data is processed. This applies when accuracy is contested, processing is unlawful but the individual prefers restriction over erasure, you no longer need the data but the individual needs it for legal claims, or the individual has objected and verification of legitimate grounds is pending.

Right to Data Portability (Article 20)

Individuals have the right to receive their personal data in a structured, commonly used, machine-readable format and to transmit it to another controller. This applies when processing is based on consent or contract and is carried out by automated means.

Right to Object (Article 21)

Individuals can object to processing based on legitimate interests, public interest, or direct marketing. For direct marketing, the objection is absolute — you must stop immediately. For other grounds, you must demonstrate compelling legitimate grounds that override the individual's interests.

Rights Related to Automated Decision-Making (Article 22)

Individuals have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects. They can request human intervention, express their point of view, and contest the decision.

Right to Information (Articles 13 and 14)

While not typically received as a "request", organisations must proactively provide information about their data processing through privacy notices. This right underpins all others.

Creating a DSR

Navigate to Compliance > DSRs and click New Request to log a data subject request. The form is divided into four sections:

Requester Information

  • Requester name — the name of the individual making the request.
  • Requester email — their contact email address.
  • Requester phone — an optional phone number for follow-up.

Request Details

  • Request type — select from: ACCESS, ERASURE, PORTABILITY, RECTIFICATION, OBJECTION, RESTRICTION, or AUTOMATED_DECISION_MAKING. Choose the type that best matches the individual's request.
  • Description — a detailed description of what the individual is asking for.
  • Priority — set to LOW, MEDIUM, or HIGH based on the urgency and sensitivity of the request.
  • Due date — automatically calculated as 30 days from the request date (GDPR4All's approximation of the one-month period in Article 12(3); see Deadline Tracking below). If the request is complex or you have received a large number of requests, you can extend the deadline to 90 days by ticking the Extend deadline checkbox.

Processing Information

  • Assigned to — the team member responsible for handling the request.
  • Internal notes — notes visible only to your team, not shared with the data subject. Use this for tracking your investigation progress and internal discussions.
  • Due date extended — a checkbox that extends the standard 30-day deadline to 90 days. You must inform the individual within the original one-month period (tracked as 30 days in GDPR4All) if you are invoking this extension, and you must explain the reasons for the delay.

Response

  • Response details — document how you responded to the request and what information or actions were provided.
  • Rejection reason — if the request is refused (e.g., because an exemption applies), document the reason here. This is only shown when the request status is set to REJECTED.

Deadline Tracking

Meeting response deadlines is one of the most operationally challenging aspects of DSR management. GDPR4All provides robust deadline tracking to help you stay on schedule.

30-Day Standard Deadline

Article 12(3) gives you one month from receipt of the request to respond, which GDPR4All approximates as 30 days. The deadline is calculated automatically and a countdown is displayed on both the DSR list page and the individual DSR detail page. Because a calendar month runs from 28 to 31 days, check the statutory date for requests received late in a month: a fixed 30-day countdown can show a deadline later than the real one.

90-Day Extended Deadline

For complex requests or when you receive a high volume of requests, Article 12(3) allows you to extend the deadline by two further months, which GDPR4All tracks as 90 days in total. To use this extension in GDPR4All, tick the Extend deadline checkbox on the DSR form. The countdown timer will automatically adjust to reflect the new deadline.

Remember: you must inform the individual within the original one-month period that you are taking additional time and explain why; an extension invoked after that date does not cure a late response.

Visual Indicators

  • Approaching deadline — requests nearing their deadline are highlighted with amber indicators on the list page.
  • Overdue — requests that have passed their deadline are flagged in red. An overdue alert banner appears on the DSR list page, similar to the breach module's 72-hour alerts.
  • Stat cards — the DSR list page displays summary cards showing the total number of requests, active requests, overdue requests, and completed requests.
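The following Python is an added illustration, not GDPR4All code. It computes the statutory dates the way Article 12(3) words them (one month from receipt, two further months on extension), clamping the day of the month to the end of a shorter month as UK ICO guidance reads the rule, classifies a request as ok, approaching or overdue for the list-page indicators, and reports how far a fixed 30-day countdown drifts from the statutory date. The seven-day "approaching" threshold and the omission of the working-day rule for deadlines that land on a weekend or public holiday are assumptions.

```python
"""DSR deadline arithmetic per GDPR Article 12(3).

Added example, not GDPR4All code. The Regulation counts one month from
receipt, extendable by two further months; this module applies that
wording (with day-of-month clamping for shorter months) instead of a
fixed 30/90-day countdown and shows how far the two can differ.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed threshold for the amber "approaching deadline" indicator.
APPROACHING_DAYS = 7


def add_months(start: date, months: int) -> date:
    """Corresponding day-of-month `months` later, clamped to month end.

    Received 31 Jan -> due 28 Feb (29 Feb in a leap year). Working-day
    adjustment for weekends/public holidays is deliberately not applied.
    """
    index = start.month - 1 + months
    year, month = start.year + index // 12, index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


@dataclass(frozen=True)
class DsrDeadline:
    received: date
    extended: bool = False

    @property
    def standard_due(self) -> date:
        """One month from receipt (Art. 12(3), first sentence)."""
        return add_months(self.received, 1)

    @property
    def due(self) -> date:
        """Three months from receipt if the extension has been invoked."""
        return add_months(self.received, 3) if self.extended else self.standard_due

    def extension_allowed(self, today: date) -> bool:
        """An extension must be notified, with reasons, within the first month.

        Once the standard date has passed the request is simply late;
        ticking "extend" afterwards does not cure that.
        """
        return today <= self.standard_due

    def indicator(self, today: date) -> str:
        """'ok', 'approaching' or 'overdue', for the list-page colour coding."""
        remaining = (self.due - today).days
        if remaining < 0:
            return "overdue"
        if remaining <= APPROACHING_DAYS:
            return "approaching"
        return "ok"


def fixed_30_day_drift(received: date) -> int:
    """Days by which a 30-day countdown lands AFTER the statutory one-month date.

    Positive means a 30-day timer shows a deadline later than the real one,
    so a response could already be late while the timer still looks green.
    """
    thirty_days = received + timedelta(days=30)
    return (thirty_days - add_months(received, 1)).days


if __name__ == "__main__":
    # Constructed sample receipt dates chosen to show the month-length effect.
    for received in (date(2026, 1, 31), date(2026, 2, 1), date(2026, 3, 15)):
        d = DsrDeadline(received)
        print(received, "due", d.due, "30-day drift", fixed_30_day_drift(received))
```

A request received on 31 January 2026 is due on 28 February under the Regulation, but a 30-day timer would not turn red until 2 March; one received on 15 March is due 15 April, where the 30-day timer is a day early. Whichever way the product counts, the statutory date is the one the supervisory authority will apply.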

Status Workflow

DSR requests progress through a defined set of statuses:

  1. Received — the request has been logged and acknowledged.
  2. In Progress — your team is actively working on fulfilling the request.
  3. On Hold — the request is paused, typically because you are awaiting identity verification or additional information from the requester.
  4. Completed — the request has been fulfilled and the response sent to the individual.
  5. Rejected — the request has been refused because an exemption applies or the request is manifestly unfounded or excessive.
  6. Cancelled — the individual has withdrawn their request.

Status transitions follow a defined sequence; for example, a request cannot move directly from Received to Completed without passing through In Progress. Enforcing the sequence is what makes the status history a usable audit trail.
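As an added example (not GDPR4All code), the workflow above expressed as a small state machine in Python. The transition table is an assumption consistent with the one rule the page states, that a request cannot go straight from Received to Completed; the product's exact table is not published here. The two preconditions it enforces, a recorded reason before Rejected and verified identity before Completed, are the checks a reviewer would expect any DSR tool to make.

```python
"""DSR status workflow as a small state machine with an audit trail.

Added example, not GDPR4All code. The transition table below is an
assumption consistent with the documented rule that a request cannot go
straight from Received to Completed; the product's exact table is not
published on this page.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum


class Status(Enum):
    RECEIVED = "received"
    IN_PROGRESS = "in_progress"
    ON_HOLD = "on_hold"
    COMPLETED = "completed"
    REJECTED = "rejected"
    CANCELLED = "cancelled"


TERMINAL = {Status.COMPLETED, Status.REJECTED, Status.CANCELLED}

# Assumed transition table. Terminal states have no exits.
ALLOWED: dict[Status, set[Status]] = {
    Status.RECEIVED: {Status.IN_PROGRESS, Status.ON_HOLD, Status.REJECTED, Status.CANCELLED},
    Status.IN_PROGRESS: {Status.ON_HOLD, Status.COMPLETED, Status.REJECTED, Status.CANCELLED},
    Status.ON_HOLD: {Status.IN_PROGRESS, Status.REJECTED, Status.CANCELLED},
}


class TransitionError(ValueError):
    """A status change that would break the workflow or its preconditions."""


@dataclass
class Dsr:
    request_type: str
    status: Status = Status.RECEIVED
    identity_verified: bool = False
    rejection_reason: str | None = None
    # (timestamp, actor, from, to, note): the audit trail the page refers to.
    audit: list[tuple[str, str, Status, Status, str]] = field(default_factory=list)

    def allowed_next(self) -> set[Status]:
        return ALLOWED.get(self.status, set())

    def transition(self, new: Status, actor: str, note: str = "") -> Status:
        """Apply a status change, enforcing the table and two preconditions.

        - REJECTED needs a recorded reason: Art. 12(4) obliges you to tell the
          individual why you are not acting and that they may complain.
        - COMPLETED needs identity verified first, for every request type: an
          erasure or access request fulfilled for an impostor is itself a
          personal data breach.
        """
        if new not in self.allowed_next():
            raise TransitionError(f"{self.status.value} -> {new.value} is not permitted")
        if new is Status.REJECTED and not note.strip():
            raise TransitionError("a rejection reason must be recorded")
        if new is Status.COMPLETED and not self.identity_verified:
            raise TransitionError("verify the requester's identity before completing")
        old, self.status = self.status, new
        if new is Status.REJECTED:
            self.rejection_reason = note
        self.audit.append((datetime.now(timezone.utc).isoformat(), actor, old, new, note))
        return new


def try_transition(dsr: Dsr, new: Status, actor: str, note: str = "") -> str | None:
    """Non-raising wrapper for request handlers: None on success, else the error text."""
    try:
        dsr.transition(new, actor, note)
    except TransitionError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed walk-through of an erasure request.
    req = Dsr("ERASURE")
    print(try_transition(req, Status.COMPLETED, "alice"))      # blocked: skips In Progress
    print(try_transition(req, Status.IN_PROGRESS, "alice"))    # None
    print(try_transition(req, Status.COMPLETED, "alice"))      # blocked: identity unverified
    req.identity_verified = True
    print(try_transition(req, Status.COMPLETED, "alice"))      # None
    for entry in req.audit:
        print(entry)
```

Keeping the table as data rather than scattered `if` checks means a reviewer can read the whole workflow in one place, and the audit list records who moved the request, when, and with what note, which is the evidence you would hand a supervisory authority.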

Tips for Effective DSR Management

  • Verify identity before acting — before disclosing, erasing or changing any personal data, verify that the requester is who they claim to be. This applies to every request type, not only access: an erasure or rectification fulfilled for an impostor destroys or corrupts someone else's data, and disclosure to the wrong person is a personal data breach under Article 4(12) that may itself need reporting under Article 33. Use contact details you already hold rather than those supplied in the request, ask for reasonable proof of identity where you have genuine doubts (Article 12(6)), and do not demand excessive documentation.
  • Document your response thoroughly — record what data you provided (or why you did not), what actions you took, and when the response was sent. This documentation is your defence if the individual complains to the supervisory authority.
  • Know your exemptions — not every request must be fulfilled. Article 23 and national law allow restrictions for purposes such as legal professional privilege, national security and the prevention of crime; Article 15(4) protects the rights and freedoms of others; and Article 12(5) lets you refuse, or charge a reasonable fee for, requests that are manifestly unfounded or excessive. Document your reasoning in each case, since the burden of demonstrating it lies with you.
  • Involve your DPO — for complex or sensitive requests, consult your Data Protection Officer. In GDPR4All, DPOs have specific permissions to update internal notes and reassign DSR requests across the organisations they oversee.
  • Track response times — use the dashboard and stat cards to monitor your average response times. If you are consistently approaching the 30-day deadline, consider whether your processes need improvement or whether you need additional resources.
  • Communicate with the requester — even if you need more time, acknowledge the request promptly and keep the individual informed of progress. Silence breeds complaints.
  • Link to your ROPA — when processing an access request, consult your ROPA to identify all the systems and processes where the individual's data might be held. A comprehensive ROPA makes access requests significantly easier to fulfil.

Data subject rights are at the heart of the GDPR. Handling requests professionally, promptly, and transparently is not just a legal obligation — it builds trust with the individuals whose data you hold.
