A Data Subject Access Request (DSAR) is a formal request from an individual exercising their rights under [GDPR art. 15–22] — to access their data, have it erased, receive a portable copy, restrict its use, or object to processing. Under [GDPR art. 12(3)], you must respond within 30 days of receipt. For complex requests, a two-month extension is permitted if you notify the requester within the original 30 days.
Logging a request
DSARs typically arrive by email to your privacy contact address. When one arrives:
- Open DSAR in the dashboard sidebar.
- Click New request.
- Enter the requester's email, the kind of request, and the date received — the date the email arrived, not today. The 30-day deadline runs from that date.
- Save.
Request kinds
| Kind | What you must do |
|---|---|
| Access | Provide a copy of all personal data you hold about them |
| Erasure | Delete their data, subject to lawful retention obligations |
| Portability | Export their data in a structured, machine-readable format |
| Restriction | Pause all non-essential processing while a dispute is pending |
| Objection | Stop processing for a specific purpose, e.g. marketing |
| Rectification | Correct inaccurate data |
Responding
Open the request from the inbox. You will see the request detail and remaining days. When you have prepared the response:
- Click Respond.
- Log the response date and a brief note — what you sent, which data categories were included, any lawful exemptions applied.
- Update the status to Responded or Closed.
Keep this log accurate. It is your accountability record under [GDPR art. 5(2)] if a regulator asks for evidence of compliance.
Overdue and escalated requests
Requests with three or fewer days remaining turn amber. Requests past the deadline turn red. An overdue DSAR is an accountability risk that can trigger an AEPD inquiry.
If a request requires the two-month extension, notify the requester in writing within the original 30-day window (giving the reason), then add an escalation note with the new deadline date.
72-hour breach linkage
If a personal data breach occurs, miniterms checks open DSAR requests at page load and emits an alert to Dekimu Hub's incident log. This linkage is automatic — no action is required. It ensures that a breach affecting a data subject whose DSAR is still open is surfaced in the same incident view.
miniterms tracks DSAR deadlines but does not automatically draft or send responses. Response content is your responsibility as data controller.