Tick each step as you respond to a data subject request inside the one-month window. Capture the request, the identity check, the scope decisions, and the response sent. Print a filled copy for your DSAR log. Articles 12 & 15 GDPR.
Six-step tracker for responding to a data subject request under Articles 12 & 15 GDPR. Tick each step, capture the facts, print a filled copy for your DSAR log.
e.g. DSAR-2026-001
The 1-month clock starts here
Auto-calculated · Art. 12(3)
Email · Form · Post · In-app · DPO inbox
Acknowledge promptly. The clock has already started.
Article 12(6) — controllers must reasonably authenticate. Do not over-collect.
Known email match · prior authenticated session · government-issued ID (only when proportionate). Never collect more than necessary.
What systems hold this person's data? Clarify ambiguity in writing — the clock pauses while waiting on the subject's clarification.
Art. 12(5) lets you refuse a manifestly unfounded or excessive request, or charge a reasonable fee. Art. 12(3) allows a +2-month extension for complex cases.
Up to 3 months total from receipt
Personal data only, in a commonly used format. Redact data about other people. Get a colleague to review before sending.
PDF · CSV · JSON · plain-text email body — pick a structured, commonly used machine-readable format for portability requests
Article 12(4) — communicate the decision in writing, including the right to complain to the supervisory authority.
Email · secure-link portal · post · in-app
The CookieSentry GDPR pack ships with the documents you need on file before requests start arriving — Privacy Policy (Art. 13/14), DPA, Breach Procedure, and more. Bilingual EN + DE/PL/LT, counsel-redlinable Word + PDF.
The tracker mirrors what an EU supervisory authority will ask for during an audit when a complaint references a DSAR response: the date received, the identity check that justified disclosure, the scope decisions, the response decision, the grounds for any refusal, and the artefact sent to the subject. Filling it out as you go produces a contemporaneous record that is exactly what an auditor expects to see.
In our experience the two most common procedural mistakes are missing the one-month deadline because the request was not recognised as a DSAR on receipt, and over-collecting identity documents to verify the requester. The tracker computes the due date for you from the moment the request lands, and the identity-method field reminds you that proportionality (Article 12(6)) caps how much you can ask for.
For the standing procedure that sits behind every individual request — including response-letter templates, refusal templates, and the country-specific supervisory-authority information you must include in any refusal under Article 12(4) — pair the tracker with the CookieSentry GDPR document pack. The Breach Procedure, Privacy Policy, and Data Retention Policy ship together; the standing DSAR procedure is on the sprint backlog and will fold into the same pack.
A standing Privacy Policy that explains the rights, a Breach Procedure, a Data Retention Policy, an Art. 28 DPA with sub-processors, and an Art. 30 ROPA — generated for your country in 10 minutes, ready for counsel redline.
Yes, fully free. No account, no email, no signup. Everything you type stays in your browser's local storage and never leaves your device. Print to PDF when you're done and the tracker doubles as your DSAR log entry.
Article 12(3) GDPR runs the clock from the day the request was received — even if you didn't recognise it as a DSAR straight away. The tracker computes the due date for you the moment you fill in the received-on field. The clock pauses while you wait on identity verification or on the subject's clarification of an ambiguous request, but only when you have asked them in writing and only on the open question.
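The due-date logic described above and in the extension step (one month from receipt, plus two months for complex cases, with the clock paused while a written clarification question is open), as an added browser-side example that is not the tracker's own code. It assumes a month period ends on the same calendar day of the following month (or that month's last day when no such day exists) and that each pause is added back to the deadline as whole days; both are simplifications to confirm with counsel.

```javascript
// Added example, not the tracker's own implementation. Dates are ISO "YYYY-MM-DD"
// strings and all arithmetic is done in UTC so local time zones cannot shift a day.

const DAY_MS = 86400000;

function parseIsoDate(iso) {
  return new Date(iso + "T00:00:00Z");
}

// Same calendar day n months later, clamped to the last day of the target month
// (assumption: e.g. received 31 March -> due 30 April).
function addMonths(date, n) {
  const target = new Date(Date.UTC(date.getUTCFullYear(), date.getUTCMonth() + n, 1));
  const lastDay = new Date(Date.UTC(target.getUTCFullYear(), target.getUTCMonth() + 1, 0)).getUTCDate();
  target.setUTCDate(Math.min(date.getUTCDate(), lastDay));
  return target;
}

function daysBetween(a, b) {
  return Math.round((b - a) / DAY_MS);
}

// receivedOn: date the request landed (Art. 12(3) clock starts here).
// extended:   true when the +2-month extension for complex cases was notified.
// pauses:     [{ askedOn, answeredOn }] clarification questions put in writing;
//             the clock stops only between asking and the subject's answer.
function dsarDeadline({ receivedOn, extended = false, pauses = [] }) {
  const received = parseIsoDate(receivedOn);
  const months = extended ? 3 : 1; // up to 3 months total from receipt
  let pausedDays = 0;
  for (const p of pauses) {
    const start = parseIsoDate(p.askedOn);
    const end = parseIsoDate(p.answeredOn);
    if (end < start) throw new Error("pause answered before it was asked");
    pausedDays += daysBetween(start, end);
  }
  const due = new Date(addMonths(received, months).getTime() + pausedDays * DAY_MS);
  return { dueOn: due.toISOString().slice(0, 10), months, pausedDays };
}

// Days remaining on a given day; negative means the response is overdue.
function daysLeft(result, todayIso) {
  return daysBetween(parseIsoDate(todayIso), parseIsoDate(result.dueOn));
}
```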
Article 12(5)(a) lets you charge a reasonable fee or refuse outright when a request is manifestly unfounded or excessive — repetitive in particular. The threshold is high. For routine first requests the response must be free of charge. If you charge, the burden of demonstrating the unfounded or excessive nature is on you.
GDPR rights are exercised by the data subject themselves. A request from a third party (a parent, a lawyer, a partner) requires evidence that they are authorised to act on the subject's behalf. Children's requests are typically handled by the holder of parental responsibility, with the country-specific consent age (LT 14 / DE 16 / PL 16) shifting the line.
There is no fixed period in the GDPR; common practice is at least three years from closure to support the supervisory authority's audit window and any potential complaint timeline. The CookieSentry Data Retention Policy template sets this explicitly per data category.
Backups are in scope but recital 26 / common DPA guidance accepts that immediate erasure from sequential backups is impractical. You typically erase from production immediately, freeze the backup from being restored to active use, and let it age out under the normal backup retention. Document this in the response and in the breach register entry if relevant.
The full GDPR pack covers the documents an auditor expects to see on file: Privacy Policy, Cookie Policy, Data Retention, Breach Procedure, DPA, ROPA. Generate, redline with counsel, ship — bilingual EN + DE/PL/LT. Pay only after you preview every document.
This tracker is a practical tool, not legal advice. The application of GDPR Articles 12–22 to a specific request depends on facts only counsel familiar with your jurisdiction can assess. Use the tracker as a contemporaneous record and supplement it with formal counsel review before refusing or extending requests with a high complaint risk.