
GDPR Data Subject Request Response Checklist

This checklist ensures compliant handling of Data Subject Access Requests (DSARs) and other data subject rights requests under the General Data Protection Regulation (GDPR). Organizations must respond to verifiable requests within strict timeframes while meeting specific content and security requirements. Use this checklist to validate each phase of request receipt, verification, compilation, and delivery to maintain regulatory compliance and avoid substantial fines.

  • Verify request legitimacy and identity of requester (GDPR Article 12(2), 12(6)) – Confirm the request comes from the data subject (or an authorised representative). Where there are reasonable doubts about identity, request only the additional information needed to confirm it; do not demand more data than is proportionate to those doubts, and do not refuse to act merely because the request did not use a designated form or channel.
  • Log receipt date of data subject request (GDPR Article 12(3)) – Record the date the request was received by the organisation (not the date it reached the DPO or privacy team), because the one-month response period runs from receipt.
  • Designate responsible department/individual (GDPR Article 5(2), 24) – Assign clear ownership for handling the request so that accountability for the response can be demonstrated.
  • Search all systems and data repositories (GDPR Article 15(1)) – Conduct a comprehensive search across all locations where personal data about the requester is stored, including unstructured sources (mail, tickets, chat), backup systems and archives, and data held by processors on the organisation's behalf.
  • Compile all personal data held on the subject (GDPR Article 15(1)) – Gather all information processed about the individual in a clear, accessible format.
  • Identify all data processing purposes (GDPR Article 15(1)(a)) – Document the purposes for which each category of personal data is being processed.
  • Document processing recipients and third parties (GDPR Article 15(1)(c), 15(2)) – List all recipients or categories of recipient to whom the personal data have been or will be disclosed, including processors, joint controllers and other third parties; for recipients in third countries, state the safeguards relied on for the transfer.
  • Disclose retention period or deletion criteria (GDPR Article 15(1)(d)) – State the envisaged storage period or, where that is not possible, the criteria used to determine it.
  • Assess and claim legal exemptions (GDPR Article 12(5), 15(4), 23; Recital 63) – Identify any lawful grounds for refusing or limiting the request: the request is manifestly unfounded or excessive (the controller bears the burden of demonstrating this), disclosure would adversely affect the rights and freedoms of others (including trade secrets and intellectual property), or a restriction provided for in national law under Article 23 applies (legal privilege is an example in some Member States). Record the grounds relied on for each withheld item.
  • Redact third-party personal data appropriately (GDPR Article 15(4)) – Remove or mask information about other data subjects where it can be separated; where it cannot, weigh the requester's right of access against the third party's rights rather than withholding the whole record, and document every redaction and its rationale.
  • Obtain approval from Data Protection Officer/Legal (GDPR Article 38(1), 39) – Involve the DPO properly and in a timely manner, and require sign-off from the DPO or legal team before responding, particularly for complex or sensitive cases.
  • Prepare response in clear, plain language (GDPR Article 12(1)) – Ensure communication is concise, transparent, and understandable to the data subject without technical jargon.
  • Provide data in a commonly used electronic form (GDPR Article 15(3)) – Where the request was made electronically, and unless the data subject asks otherwise, deliver the copy in a commonly used electronic format such as PDF, CSV or JSON rather than a proprietary one. Note that a structured, commonly used and machine-readable format (for example CSV or JSON, not PDF) is required only for data portability requests under Article 20.
  • Transmit response securely to confirmed address (GDPR Article 5(1)(f), 32) – Use an encrypted channel or an encrypted package whose passphrase is sent separately, deliver only to contact details that were verified during the identity check (not to an unverified address supplied in the request), and confirm delivery.
  • Respond within one month (extendable by up to two further months) (GDPR Article 12(3)) – Respond without undue delay and in any event within one month of receipt. Where the complexity or number of requests justifies it, the period may be extended by two further months, but the requester must be told of the extension and the reasons for the delay within the first month.
  • Document refusal or partial denial with specific grounds (GDPR Article 12(4)) – If not acting on the request, inform the data subject without delay and at the latest within one month of receipt of the reasons, of their right to lodge a complaint with a supervisory authority and of their right to seek a judicial remedy.
  • Retain copies of request and response (GDPR Article 5(2), 5(1)(e)) – Archive the request, the identity evidence relied on, the search record, redaction log and the response so compliance can be demonstrated in audits and disputes; set a defined retention period for this file rather than keeping it indefinitely.
  • Track compliance metrics and closure date (GDPR Article 12(3)) – Record response date and confirm the data subject has received the information before closing the case.
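The receipt-date and deadline items above hide a calendar edge case: the Article 12(3) period is one calendar month, not 30 days, so a request received on 31 January is due at the end of February. The following Python is an added example written for this checklist, not code from any regulator or project. It models the one-month deadline, the extension-notice deadline and the outer limit when an extension is justified. Two points are assumptions made here rather than rules stated in the GDPR: the extended limit is computed as three months in total from receipt, and a deadline that lands on a weekend is rolled forward to the next working day (public holidays are not modelled).

```python
"""DSAR deadline calculator (added example, not part of the original checklist).

Calendar-month arithmetic: a period of N months ends on the same day-number
of the target month, clamped to that month's last day when it is shorter
(31 Jan + 1 month -> 28/29 Feb).
"""
from calendar import monthrange
from dataclasses import asdict, dataclass
from datetime import date, timedelta


def add_months(start: date, months: int) -> date:
    """Shift a date forward by whole calendar months, clamping the day."""
    month_index = start.month - 1 + months
    year = start.year + month_index // 12
    month = month_index % 12 + 1
    day = min(start.day, monthrange(year, month)[1])
    return date(year, month, day)


def next_working_day(d: date) -> date:
    """Roll a Saturday/Sunday forward to Monday.

    Assumed house policy, not a GDPR rule; public holidays are not modelled.
    """
    while d.weekday() >= 5:  # 5 = Saturday, 6 = Sunday
        d += timedelta(days=1)
    return d


@dataclass(frozen=True)
class DsarTimeline:
    received: date
    respond_by: date            # Art. 12(3): one month from receipt
    extension_notice_by: date   # Art. 12(3): requester must be told of any extension by this date
    extended_respond_by: date   # outer limit when an extension is justified


def dsar_timeline(received: date, roll_weekends: bool = True) -> DsarTimeline:
    one_month = add_months(received, 1)
    # "Two further months" is modelled as three months in total from the
    # day of receipt (assumption made for this example).
    three_months = add_months(received, 3)
    if roll_weekends:
        one_month = next_working_day(one_month)
        three_months = next_working_day(three_months)
    return DsarTimeline(received, one_month, one_month, three_months)


def is_overdue(t: DsarTimeline, today: date, extension_applied: bool = False) -> bool:
    """True once the applicable deadline has passed without a response."""
    deadline = t.extended_respond_by if extension_applied else t.respond_by
    return today > deadline


def timeline_as_iso(received_iso: str, roll_weekends: bool = True) -> dict:
    """Convenience wrapper: ISO date string in, ISO date strings out."""
    t = dsar_timeline(date.fromisoformat(received_iso), roll_weekends)
    return {k: v.isoformat() for k, v in asdict(t).items()}


def overdue_iso(received_iso: str, today_iso: str, extension_applied: bool = False) -> bool:
    t = dsar_timeline(date.fromisoformat(received_iso))
    return is_overdue(t, date.fromisoformat(today_iso), extension_applied)


if __name__ == "__main__":
    # Constructed sample: request received on the last day of January 2024.
    t = dsar_timeline(date(2024, 1, 31))
    print(f"received {t.received}: respond by {t.respond_by}, "
          f"notify of any extension by {t.extension_notice_by}, "
          f"outer limit if extended {t.extended_respond_by}")
```

Treat the computed dates as the latest permissible dates, not targets: Article 12(3) also requires acting "without undue delay", and the extension is available only where complexity or volume genuinely justifies it.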