Data subject access request (DSAR) intake process

dsar-inboxDomain: data-privacyType: process

Description

Data subject access requests (DSARs) are operationally the most demanding piece of most modern privacy regulations: a person you have never met asks for everything you have on them, you have a fixed window (typically 30-45 days depending on jurisdiction) to verify it is actually them, and then you have to produce a complete and machine-readable response. A working DSAR system handles the cycle end-to-end: intake form or inbox, identity-verification flow proportional to the sensitivity of the data, internal lookup across whatever data stores have grown up around the product, response template and machine-readable export, audit log, and the calendar that tracks the regulatory clock on each request. Vendors fulfill different slices of this. The hard part is usually not the intake; it is the internal lookup across data stores the platform has accumulated, especially when a request arrives in a contested context (former employees, plausibly-pretextual outside parties, multi-product accounts); the operational difficulty there is documentation depth, not the regulatory shape.

Required by (14 regulations)

CCPA/CPRA
12-month lookback; verifiable consumer request; response within 45 days (extendable to 90).
Cal. Civ. Code §§1798.100-1798.199.100; 11 CCR §7000-7102
CPA
6-1-1306 — 45-day response.
Colo. Rev. Stat. §§6-1-1301 to 6-1-1313; 4 CCR 904-3
DPDPA
Digital Personal Data Protection Act, 2023 (Act No. 22 of 2023), published in the Gazette of India on August 11, 2023
GDPR
Articles 15-22 — 30-day response (extendable to 90 with notice); identity verification.
Regulation (EU) 2016/679 of the European Parliament and of the Council
LGPD
Article 18 — response within 15 days.
Lei nº 13.709, de 14 de agosto de 2018 (as amended by Lei nº 13.853/2019 and Emenda Constitucional nº 115/2022)
PIPA
Personal Information Protection Act (Act No. 10465, enacted March 29, 2011; last wholly amended by Act No. 19234, effective September 15, 2023)
PIPEDA
S.C. 2000, c. 5 (Personal Information Protection and Electronic Documents Act)
PIPL
Personal Information Protection Law of the People's Republic of China (adopted August 20, 2021, effective November 1, 2021)
Privacy Act
Privacy Act 1988 (Cth), No. 119 of 1988
PDPL
Royal Decree M/19, dated 9/2/1443 AH (September 16, 2021), Personal Data Protection Law, effective September 14, 2023
Thailand PDPA
KVKK
UAE Data Protection Law
VCDPA
Section 59.1-577 — 45-day response.
Va. Code §§59.1-575 to 59.1-585

Fulfilled by (4)

onetrust · full · low effort · $$
transcend · full · low effort · $$
didomi · partial · medium effort · $$
In-house build · high effort
Requires identity-verification flow + cross-system data-discovery; usually under-resourced when built in-house.

ClearLaunch does not accept payment from vendors. Methodology.

Evidence formats

DSAR intake form
request-tracking system
response templates
verification logs
response-time SLA dashboard

ClearLaunch provides legal information based on publicly available regulatory sources. It does not constitute legal advice and does not create an attorney-client relationship. Consult a licensed attorney in your jurisdiction before making compliance decisions.

Description

Required by (14 regulations)

CCPA/CPRA

12-month lookback; verifiable consumer request; response within 45 days (extendable to 90).

Cal. Civ. Code §§1798.100-1798.199.100; 11 CCR §7000-7102

CPA

6-1-1306 — 45-day response.

Colo. Rev. Stat. §§6-1-1301 to 6-1-1313; 4 CCR 904-3

DPDPA

Digital Personal Data Protection Act, 2023 (Act No. 22 of 2023), published in the Gazette of India on August 11, 2023

GDPR

Articles 15-22 — 30-day response (extendable to 90 with notice); identity verification.

Regulation (EU) 2016/679 of the European Parliament and of the Council

LGPD

Article 18 — response within 15 days.

Lei nº 13.709, de 14 de agosto de 2018 (as amended by Lei nº 13.853/2019 and Emenda Constitucional nº 115/2022)

PIPA

Personal Information Protection Act (Act No. 10465, enacted March 29, 2011; last wholly amended by Act No. 19234, effective September 15, 2023)

PIPEDA

S.C. 2000, c. 5 (Personal Information Protection and Electronic Documents Act)

PIPL

Personal Information Protection Law of the People's Republic of China (adopted August 20, 2021, effective November 1, 2021)

Privacy Act

Privacy Act 1988 (Cth), No. 119 of 1988

PDPL

Royal Decree M/19, dated 9/2/1443 AH (September 16, 2021), Personal Data Protection Law, effective September 14, 2023

Thailand PDPA

KVKK

UAE Data Protection Law

VCDPA

Section 59.1-577 — 45-day response.

Va. Code §§59.1-575 to 59.1-585

Fulfilled by (4)

onetrust · full · low effort · $$

transcend · full · low effort · $$

didomi · partial · medium effort · $$

In-house build · high effort

Requires identity-verification flow + cross-system data-discovery; usually under-resourced when built in-house.

ClearLaunch does not accept payment from vendors. Methodology.