DAT-011 Data Subject Rights Fulfilment
Description
Technical and procedural mechanisms exist to fulfil data subject rights requests within legally mandated timeframes. Supported rights include: access (Art.15), rectification (Art.16), erasure (Art.17), restriction (Art.18), portability (Art.20), and objection (Art.21). Requests are logged, tracked, and completed or refused with documented justification.
Rationale
Data subject rights are enforceable legal entitlements. Inability to fulfil them on time constitutes a GDPR violation and is a material enterprise sales risk for SaaS products handling EU personal data.
Framework Mappings (7)
| Framework control | Title | Coverage |
|---|---|---|
| DSP-11 | Personal Data Access, Reversal, Rectification and Deletion | full |
| GDPR-Art.15 | Right of Access | full |
| GDPR-Art.16 | Right to Rectification | full |
| GDPR-Art.17 | Right to Erasure (Right to be Forgotten) | full |
| GDPR-Art.18 | Right to Restriction of Processing | full |
| GDPR-Art.20 | Right to Data Portability | full |
| GDPR-Art.21.1 | Right to Object — Legitimate Interests and Public Tasks | full |
Evidence (2)
Data subject rights request log showing all requests received, the right invoked, response timeline, outcome, and any documented refusals.
Example: DSR tracker (Jira / OneTrust / spreadsheet) — listing all requests from the last 12 months with: request date, right invoked (access / erasure / portability / rectification / restriction / objection), response sent date, outcome, and any extensions or refusals with reasons
Test: Request the DSR log for the last 12 months. Verify: (1) all requests were responded to within 30 days (or 90 days with documented extension), (2) no request was refused without a documented legal justification, (3) erasure requests were confirmed as completed (including backups where applicable), (4) portability requests were fulfilled in a machine-readable format (e.g. JSON, CSV).
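As an added example (not part of this control page or any vendor tooling), a small Python check that applies the four log criteria from the test above to a constructed DSR log; the record fields, the "open" outcome and the audit date are assumptions about what a tracker export might contain:

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

STATUTORY_DAYS = 30   # the page's 30-day criterion
EXTENDED_DAYS = 90    # only when an extension is documented
MACHINE_READABLE = {"json", "csv", "xml"}

@dataclass
class DsrRecord:
    request_id: str
    right: str                  # access / erasure / portability / rectification / restriction / objection
    received: date
    responded: Optional[date]   # None while the request is still open
    outcome: str                # "fulfilled", "refused" or "open" (assumed tracker values)
    extension_documented: bool = False
    refusal_reason: str = ""
    erasure_confirmed: bool = False  # completion confirmed, backups included where applicable
    export_format: str = ""          # format of the portability export

def check_record(rec: DsrRecord, today: date) -> list:
    """Apply the four checks from the log test; returns findings (empty list = pass)."""
    findings = []
    limit = EXTENDED_DAYS if rec.extension_documented else STATUTORY_DAYS
    elapsed = ((rec.responded or today) - rec.received).days
    if elapsed > limit:  # (1) answered late, or still open past the deadline
        findings.append(f"{rec.request_id}: {elapsed} days elapsed, limit {limit}")
    if rec.outcome == "refused" and not rec.refusal_reason.strip():  # (2)
        findings.append(f"{rec.request_id}: refused without documented justification")
    if rec.right == "erasure" and rec.outcome == "fulfilled" and not rec.erasure_confirmed:  # (3)
        findings.append(f"{rec.request_id}: erasure not confirmed as completed")
    if (rec.right == "portability" and rec.outcome == "fulfilled"
            and rec.export_format.lower() not in MACHINE_READABLE):  # (4)
        findings.append(f"{rec.request_id}: export '{rec.export_format}' is not machine-readable")
    return findings

def audit_dsr_log(records, today: date) -> dict:
    """Map request_id -> findings for every record failing at least one check."""
    return {r.request_id: f for r in records if (f := check_record(r, today))}

# Constructed sample log (not real requests): one pass, one documented extension, three failures.
SAMPLE_LOG = [
    DsrRecord("DSR-001", "access", date(2024, 3, 1), date(2024, 3, 20), "fulfilled"),
    DsrRecord("DSR-002", "erasure", date(2024, 4, 2), date(2024, 6, 15), "fulfilled",
              extension_documented=True, erasure_confirmed=True),
    DsrRecord("DSR-003", "portability", date(2024, 5, 10), date(2024, 5, 30), "fulfilled", export_format="pdf"),
    DsrRecord("DSR-004", "objection", date(2024, 6, 1), date(2024, 6, 10), "refused"),
    DsrRecord("DSR-005", "rectification", date(2024, 7, 1), None, "open"),
]
AUDIT_DATE = date(2024, 8, 15)  # constructed "today" for the audit run
```

Running `audit_dsr_log(SAMPLE_LOG, AUDIT_DATE)` flags DSR-003, DSR-004 and DSR-005 and passes the extended erasure request, which is the distinction an auditor reading the tracker by hand would have to make for each row.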
Data subject rights procedure documenting how each right is operationalised, verification steps, internal handoff processes and escalation paths.
Example: Data Subject Rights Fulfilment Procedure (Confluence), approved by DPO, with step-by-step workflows for: access, erasure, portability, rectification, restriction and objection — including identity verification steps, response templates, and SLA timers
Test: Request the DSR procedure. Verify: (1) a documented process exists for each of the six GDPR rights, (2) identity verification steps are defined, (3) internal handoff points (e.g. from support to engineering for erasure) are clearly specified, (4) the procedure references the 30-day statutory deadline, (5) the procedure was approved by the DPO within the last 24 months.
Questions (2)
Does your organisation have documented processes and technical mechanisms to fulfil all six GDPR data subject rights (access, rectification, erasure, restriction, portability, objection) within the statutory 30-day timeframe?
Each right should have a documented workflow, identity verification step, and defined internal handoff. A request tracking log must demonstrate requests are actioned within 30 days (or 90 days with documented extension).
Which data subject rights can your organisation fulfil without requiring manual engineering intervention?
Self-service or tooling-assisted fulfilment for access, portability and erasure is the expected standard for mature SaaS products. Rights that require manual engineering effort introduce delay and error risk.