# GDPR Data Subject Rights & DSAR Handling

> Learn how Secure Privacy's DPO service handles GDPR data subject rights requests — covering all six GDPR rights, response timelines, exemptions, and DSAR best practices.

- Canonical: https://support.secureprivacy.ai/article/managing-dsar-through-your-dpo
- Product: DPO as a Service
- Category: DPO Operations
- Published: 2026-03-09T20:27:00+00:00
- Updated: 2026-03-22T00:48:33.686+00:00
- Reading time: 4 minutes

---

Under GDPR, individuals have the right to access, correct, delete, and restrict the use of their personal data. These requests — known as **Data Subject Access Requests (DSARs)** — must be handled within strict legal timeframes. Your **Secure Privacy DPO** ensures your organization can respond to all types of data subject rights requests correctly, on time, and with proper documentation.

## Who Is This For?

- Data Protection Officers and privacy managers handling GDPR compliance
- Legal and compliance teams managing data subject rights workflows
- HR and IT teams responsible for locating and processing personal data in response to DSARs
- Organizations subject to GDPR looking to streamline their DSAR handling process

## GDPR Data Subject Rights: Full Overview

GDPR grants individuals six core rights over their personal data. The table below summarizes each right, the applicable GDPR article, and what it requires of your organization.

| Right | GDPR Article | Description |
| --- | --- | --- |
| Right of Access | Article 15 | Individuals can request a copy of their personal data and information about how it is processed |
| Right to Rectification | Article 16 | Individuals can request correction of inaccurate or incomplete personal data |
| Right to Erasure | Article 17 | Individuals can request deletion of their personal data in certain circumstances (the "right to be forgotten") |
| Right to Restriction | Article 18 | Individuals can request that processing of their personal data be restricted under specific conditions |
| Right to Data Portability | Article 20 | Individuals can receive their personal data in a structured, commonly used, machine-readable format |
| Right to Object | Article 21 | Individuals can object to processing based on legitimate interests or for direct marketing purposes |

## GDPR DSAR Response Timeline

Organizations must respond to Data Subject Access Requests within **one month** of receipt. For complex or numerous requests, this deadline can be extended by a further two months — but the data subject must be notified of the extension within the initial one-month period, along with the reason for the delay.
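The timeline rule above is easy to state and easy to get wrong in a spreadsheet: the one-month clock runs from receipt, an extension only counts if the data subject was notified inside that first month, and month arithmetic has end-of-month edge cases. The following is an added example, not code from Secure Privacy or its DSAR tooling, of a small tracker that encodes those rules. The request identifiers, dates and the month-end clamping behaviour (31 January plus one month becoming 28 February) are assumptions made for the example; the page itself does not specify how a deadline falling in a shorter month is handled.

```python
"""Minimal DSAR deadline tracker (constructed example, not Secure Privacy code)."""
import calendar
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# Rule as stated on the page: respond within one month of receipt; complex or
# numerous requests may be extended by a further two months, but the data
# subject must be told of the extension, with the reason, within the initial
# one-month period.
INITIAL_MONTHS = 1
EXTENSION_MONTHS = 2


def add_months(d: date, months: int) -> date:
    """Add calendar months to a date.

    When the target month is shorter (31 Jan + 1 month), the result is clamped
    to the last day of that month. The clamp is an assumption of this example.
    """
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


@dataclass
class DSAR:
    request_id: str                          # constructed identifier
    received: date                           # receipt date starts the clock
    right: str                               # e.g. "access", "erasure"
    extended: bool = False
    extension_notified_on: Optional[date] = None
    audit_log: List[str] = field(default_factory=list)

    @property
    def initial_deadline(self) -> date:
        return add_months(self.received, INITIAL_MONTHS)

    @property
    def deadline(self) -> date:
        if self.extended:
            return add_months(self.received, INITIAL_MONTHS + EXTENSION_MONTHS)
        return self.initial_deadline

    def extend(self, notified_on: date, reason: str) -> date:
        """Record a two-month extension and return the new deadline.

        Rejected if the notification falls outside the initial one-month
        window: a late notice does not move the deadline.
        """
        if self.extended:
            raise ValueError(f"{self.request_id}: already extended")
        if notified_on > self.initial_deadline:
            raise ValueError(
                f"{self.request_id}: extension must be notified by "
                f"{self.initial_deadline}, not {notified_on}"
            )
        self.extended = True
        self.extension_notified_on = notified_on
        self.audit_log.append(
            f"{notified_on}: extension notified to data subject; reason: {reason}"
        )
        return self.deadline

    def days_remaining(self, today: date) -> int:
        """Positive while within the deadline, negative once overdue."""
        return (self.deadline - today).days

    def status(self, today: date) -> str:
        remaining = self.days_remaining(today)
        if remaining < 0:
            return "overdue"
        if remaining <= 7:
            return "due-soon"
        return "open"


def overdue_requests(requests: List[DSAR], today: date) -> List[str]:
    """Ids of all tracked requests whose deadline has passed."""
    return [r.request_id for r in requests if r.status(today) == "overdue"]


if __name__ == "__main__":
    # Constructed sample: received on the 31st so the month-end clamp is visible.
    r1 = DSAR("DSAR-0001", date(2026, 1, 31), "access")
    print(r1.request_id, "initial deadline:", r1.initial_deadline)
    r1.extend(date(2026, 2, 20), "request spans three internal systems")
    print(r1.request_id, "extended deadline:", r1.deadline)

    r2 = DSAR("DSAR-0002", date(2026, 3, 9), "erasure")
    try:
        r2.extend(date(2026, 4, 10), "late attempt")   # after 2026-04-09, rejected
    except ValueError as e:
        print("rejected:", e)
    print("overdue on 2026-04-15:", overdue_requests([r1, r2], date(2026, 4, 15)))
```

The `extend` method refuses a late notification rather than silently pushing the deadline out, so the tracker's deadline never disagrees with the rule the page states; the audit log entries give the documentation trail that the "Documentation" stage and the refusal best practice below call for.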

## How Your DPO Manages DSAR Handling

Your Secure Privacy DPO supports every stage of the DSAR response process:

1. **Request validation:** Verify the identity of the requester and determine which data subject right applies.
2. **Scope assessment:** Define the scope of the request and identify all relevant internal data sources.
3. **Exemption review:** Advise on applicable exemptions under GDPR, such as legal privilege or third-party rights.
4. **Response preparation:** Guide your team in preparing a complete, compliant response.
5. **Quality review:** Review the final response before it is sent to the data subject to ensure accuracy and compliance.
6. **Documentation:** Ensure the request, decision-making process, and response are fully documented for audit purposes.

## DSAR Best Practices for GDPR Compliance

### Acknowledge requests promptly

Send an acknowledgment as soon as a DSAR is received. This confirms receipt, and it is the date of receipt that starts the clock on your one-month response window.

### Use a centralized DSAR tracking system

Manage all incoming requests through a single platform to avoid missed deadlines and ensure consistent handling. Secure Privacy's built-in DSAR tracking tools support this directly.

### Train staff to recognize and escalate DSARs

Any employee may receive a data subject request — not just the privacy team. Ensure all staff know how to identify a DSAR and who to escalate it to immediately.

### Document all refusals and exemption decisions

If a request is refused or an exemption applied, document the legal basis and reasoning clearly. This is critical for demonstrating GDPR accountability if the decision is challenged.

### Track and manage all requests through Secure Privacy

Use the [Secure Privacy DSAR management tools](https://support.secureprivacy.ai/article/managing-data-subject-access-requests-dsars-in-secure-privacy) to log, assign, and track every data subject request from receipt to resolution.

## Frequently Asked Questions

### What is the GDPR deadline for responding to a DSAR?

Organizations must respond within one month of receiving the request. This can be extended by two further months for complex or high-volume cases, provided the data subject is informed of the extension within the initial one-month period.

### Can an organization refuse a data subject request?

Yes, in certain circumstances. GDPR provides exemptions — for example, where disclosure would adversely affect the rights of third parties or where a legal privilege applies. Any refusal must be documented with the legal basis clearly stated, and the data subject must be informed of their right to complain to a supervisory authority.

### What is the difference between a DSAR and a DPIA?

A DSAR (Data Subject Access Request) is a request made by an individual exercising their rights over their own personal data. A DPIA (Data Protection Impact Assessment) is an internal process carried out by an organization to assess the privacy risks of a specific data processing activity before it begins.

### How does Secure Privacy help manage GDPR data subject requests?

Secure Privacy provides built-in DSAR forms, request tracking, and workflow tools to help organizations handle data subject rights requests on time and with a complete audit trail. Your DPO also provides direct support at each stage of the response process.

## See Also

- [Setup DSAR Forms in Secure Privacy](https://support.secureprivacy.ai/article/managing-data-subject-access-requests-dsars-in-secure-privacy)
- [Secure Privacy Pricing Plans Overview](https://support.secureprivacy.ai/article/secure-privacy-pricing-plans--consent-management-platform)
- [Secure Privacy Volume Discounts | Custom Consent Storage Pricing](https://support.secureprivacy.ai/article/secure-privacy-volume-discounts--custom-consent-storage-pricing)
