Legitimate DSAR Processing

Learn what data to include from CRM, support tickets, and system logs. Master third-party redaction requirements under Article 15(4) that protect others' privacy while fulfilling the request. Understand proportionate identity verification that doesn't create unnecessary barriers for legitimate requestors.

What You'll Learn

  • Recognize common cybersecurity threats
  • Respond appropriately to security incidents
  • Protect sensitive information
  • Follow security best practices
  • Report suspicious activities

Training Steps

  1. Introduction

    Alice works in the Privacy Operations team at CloudServe Technologies, a B2B SaaS provider that helps businesses manage their cloud infrastructure. Her role involves handling data subject access requests (DSARs) under GDPR. Today, she will process a legitimate DSAR from a verified customer – a request that requires careful attention to deadlines, data discovery, and third-party redaction.

  2. DSAR Receipt

    Alice receives a new email in her work inbox. The subject line indicates it is a formal data subject access request. The email is from jennifer.martinez@acme-corp.com - a verified customer whose company has an active contract with CloudServe Technologies.

  3. Identity Verification

    Before processing the request, Alice must verify that the person making the request is actually Jennifer Martinez. However, GDPR requires that verification be proportionate - Alice should not create excessive barriers. Since the request came from an email address already associated with the customer account, and includes the correct customer ID, Alice has reasonable assurance of identity.

  4. Logging the Request

    Alice accesses the DSAR queue in the privacy portal. She sees Jennifer's request has been automatically logged with today's date, which starts the 30-day response clock. The system shows all the information needed to verify the requestor's identity against existing customer records.

  5. Sending Acknowledgment

    With identity verified, Alice now needs to send an acknowledgment email to Jennifer. This confirms receipt of the request and sets expectations for the response timeline. Good practice is to acknowledge DSARs promptly, even though GDPR does not strictly require it.

  6. Data Discovery

    Now Alice must search all company systems for Jennifer's personal data. GDPR requires providing all personal data held about the individual - not just obvious places like the CRM. Alice needs to check: CRM records, support tickets, billing systems, email communications, system logs, and any backups that might contain personal data.

  7. Running Data Search

    Alice enters Jennifer's email address to search across all connected systems. The privacy portal automatically queries the CRM, support ticketing system, billing platform, and access logs. The search returns data from multiple sources - some containing only Jennifer's data, and some containing data about other individuals as well.

  8. Supervisor Call - Redaction Requirements

    While reviewing the search results, Alice notices that several support tickets contain data about other ACME Corp employees who were CC'd on communications. She needs guidance on how to handle third-party data. She calls her supervisor, David Chen, to discuss the redaction requirements.

  9. Reviewing and Redacting Data

    Following David's guidance, Alice reviews the compiled data export. She identifies several pieces of information that need redaction:

      • Email addresses of other ACME Corp employees in support ticket threads
      • Names of CloudServe staff members who handled support cases
      • Internal ticket IDs that could expose other customers' data

    Alice must provide Jennifer with all her own data while protecting others' privacy.

  10. Applying Redactions

    Alice carefully reviews each data source and applies redactions to protect third-party information. The privacy portal helps by highlighting potential third-party data, but Alice must make the final decision on each redaction. She ensures that all of Jennifer's personal data remains visible while other individuals' information is properly obscured.
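    As an added example, not part of this training course or of the privacy portal it describes, the routine below walks through steps 3 to 10 on a few constructed support-ticket records: a proportionate identity check (requesting email matches the account and the customer ID matches), discovery of every ticket in which the requestor's address appears (including tickets where she was only CC'd), and a redaction pass that keeps her own data visible while masking other people's email addresses, staff names and internal ticket IDs. All names, addresses, ticket IDs and the customer ID are constructed for the example.

```python
import hashlib
import re
from dataclasses import dataclass

# Matches an email address inside free text.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
EMAIL_MASK = "[third-party email redacted]"
STAFF_MASK = "[staff name redacted]"


@dataclass
class Ticket:
    ticket_id: str   # internal ID: must not appear verbatim in the export
    requester: str
    cc: list
    handler: str     # CloudServe staff member who handled the case
    body: str


# Constructed sample data (not from any real system).
SUBJECT_EMAIL = "jennifer.martinez@acme-corp.com"
ACCOUNT = {"email": SUBJECT_EMAIL, "customer_id": "C-1042"}
STAFF_NAMES = ["Priya Shah", "Tom Ng"]
TICKETS = [
    Ticket("TCK-88213", SUBJECT_EMAIL, ["bob.lee@acme-corp.com"], "Priya Shah",
           "Jennifer reported login failures; bob.lee@acme-corp.com confirmed. Handled by Priya Shah."),
    Ticket("TCK-88240", "bob.lee@acme-corp.com", [SUBJECT_EMAIL], "Tom Ng",
           "Bob asked about an invoice; jennifer.martinez@acme-corp.com was CC'd."),
    Ticket("TCK-88301", "carol@other-customer.example", [], "Priya Shah",
           "Unrelated customer ticket; must not be disclosed."),
]


def verify_requestor(email: str, customer_id: str, account: dict) -> bool:
    """Proportionate check: address already on the account plus the matching customer ID."""
    return email.lower() == account["email"].lower() and customer_id == account["customer_id"]


def discover(tickets: list, subject_email: str) -> list:
    """Return every ticket in which the subject appears as requester, CC, or in the body."""
    needle = subject_email.lower()
    return [
        t for t in tickets
        if needle == t.requester.lower()
        or needle in (c.lower() for c in t.cc)
        or needle in t.body.lower()
    ]


def mask_email(addr: str, subject_email: str) -> str:
    """Keep the subject's own address; mask anyone else's."""
    return addr if addr.lower() == subject_email.lower() else EMAIL_MASK


def redact_text(text: str, subject_email: str, staff_names: list) -> str:
    """Mask third-party email addresses and staff names in free text."""
    out = EMAIL_RE.sub(lambda m: mask_email(m.group(0), subject_email), text)
    for name in staff_names:
        out = out.replace(name, STAFF_MASK)
    return out


def export_reference(ticket_id: str, export_salt: str) -> str:
    """Opaque per-export reference: stable within one export, not linkable to the internal ID."""
    digest = hashlib.sha256((export_salt + ticket_id).encode()).hexdigest()
    return "REF-" + digest[:8]


def build_export(tickets: list, subject_email: str, staff_names: list, export_salt: str) -> list:
    """Produce the disclosable view of each ticket with third-party data masked."""
    return [
        {
            "reference": export_reference(t.ticket_id, export_salt),
            "requester": mask_email(t.requester, subject_email),
            "cc": [mask_email(c, subject_email) for c in t.cc],
            "handler": STAFF_MASK,
            "body": redact_text(t.body, subject_email, staff_names),
        }
        for t in tickets
    ]


if __name__ == "__main__":
    assert verify_requestor(SUBJECT_EMAIL, "C-1042", ACCOUNT)
    for entry in build_export(discover(TICKETS, SUBJECT_EMAIL), SUBJECT_EMAIL, STAFF_NAMES, "export-001"):
        print(entry)
```

    The second ticket shows the edge case from step 8: Jennifer was only CC'd, so her data is in scope, but the requester (a colleague) is masked. The automated pass only catches email addresses, listed staff names and ticket IDs; a bare first name such as "Bob" in the body still needs the reviewer's judgement, which is why the portal highlights candidates and Alice makes the final decision.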

Knowledge Check Questions

This training includes a 6-question quiz to test your understanding of Security Awareness threats and defenses.

  • Under GDPR Article 15, what is the standard timeframe for responding to a Data Subject Access Request (DSAR)?
  • When verifying the identity of a DSAR requestor, what approach does GDPR require?
  • Which of the following must be included in a DSAR response under GDPR Article 15? (Select all that apply)
  • What should you do when a DSAR response would include personal data about other individuals?
  • Under GDPR, when can an organization charge a fee for responding to a DSAR?

Category: Security Awareness Security Training

Duration: Approximately 31 minutes

Format: Interactive 3D Simulation

Provider: RansomLeak Security Awareness Training