DSAR requests
The DSAR requests page is where you manage incoming data subject access requests. From here you can view, search, and filter all requests, and take actions to fulfill or reject them. To access it, navigate to the DSAR section in your dashboard.
Only account owners can access the DSAR portal.
Request list
The request list shows all DSAR requests for your account with the following information:
- Name and email of the data subject
- Request type(s) — access, erasure, rectification, etc.
- Status — color-coded badges showing unverified, pending, completed, or rejected
- Due date — countdown showing how many days remain before the response deadline
- Date submitted
Searching and filtering
You can narrow down the request list using:
- Search — Search by data subject name or email address (works on encrypted fields, no decryption required)
- Filter by domain — Show requests for a specific domain
- Filter by type — Show only requests of a specific type (e.g., access, erasure)
- Filter by status — Show only requests with a specific status
- Sort — Sort by date created, status, or due date
The list is paginated with 12 requests per page.
Request details
Click on a request to open the detail view. This shows the full information about the request:
- Data subject — Name, email, and their relationship to your organization (visitor, customer, employee, former employee, applicant, or other)
- Request types — The specific privacy rights being exercised
- Request details — The message provided by the data subject
- Dates — Submission date, verification date, and response deadline
- Source URL — The page where the request was submitted from
- Country — The data subject’s country (provided during submission or detected automatically)
For on-behalf requests, the requester’s details are also displayed, including their name, email, and relationship to the data subject (parent, lawyer, agent, family member, or other). On-behalf requests require both the data subject and the requester to verify their email before the request becomes pending.
Resending verification emails
If the data subject (or the requester, for on-behalf requests) did not receive the verification email or the link expired, you can resend it from the request detail page. Resends are throttled to prevent accidental flooding.
Systems checklist
Each request includes a systems checklist based on the DSAR systems that were active when the request was created. The checklist shows:
- The system name (e.g., “Shopify”, “Stripe”)
- The instructions for how to process the request in that system (snapshotted at the time of request creation; supports Markdown formatting)
- A completion toggle to mark the system as done
- A file upload area for attaching relevant data exports
Work through each system, following the instructions to gather, export, correct, or delete the data subject’s information as appropriate for the request type. Mark each system as complete when finished.
File uploads
You can upload one file per system. These files typically contain data exports or confirmation documents related to the request.
- Click the upload area next to a system to select a file
- Maximum file size is configurable in DSAR settings (default 50 MB)
- To replace a file, remove the existing one first and upload a new one
- Uploaded files are encrypted before being stored
You can preview an uploaded file by downloading it from the system row — the file will be decrypted on the fly and streamed to your browser.
When the request is completed, all uploaded files are bundled into an encrypted ZIP file and delivered to the data subject.
Resolution notes
Each request has a resolution note field where you can write a message to include in the completion or rejection email sent to the data subject. The note auto-fills from resolution templates based on the request types, and auto-saves as you type.
You can edit the note at any time before completing or rejecting the request.
Actions
The following actions are available on the request detail page:
Complete request
Marks the request as fulfilled and delivers the data to the data subject.
When you complete a request:
- All uploaded files are collected and bundled into an encrypted ZIP file.
- A disclosure record is created with a file hash for audit purposes.
- The data subject receives an email containing your custom message, the resolution note, and a secure download link.
- If the request was submitted on behalf of someone, the requester also receives a notification.
- Any remaining staged files are cleaned up.
The download link expires after the configured download link validity period, and the disclosure file is retained for the configured file retention period.
Extend deadline
Extends the response deadline if you need more time to fulfill the request. The maximum deadline depends on the applicable regulation:
- GDPR (EU) — Up to 90 days from the original submission date
- CCPA/CPRA (US) — Up to 75 days from the original submission date
The data subject is notified by email when the deadline is extended.
Reject request
Rejects the request with a reason. When you reject a request:
- The status is set to rejected
- Staged files are cleaned up
- The data subject receives an email with your resolution note explaining the rejection
Verify identity
Manually verifies the data subject’s identity, moving the request from unverified to pending status. This is useful when:
- The data subject contacts you through another channel to confirm their identity
- The verification email was not delivered or expired
- You have other means of confirming the requester’s identity
Once verified, the 30-day response deadline begins.
Add note
Adds an internal note to the request’s audit trail. Notes are visible only to account owners and are not sent to the data subject. Use notes to record decisions, communications, or other information relevant to the request.
Reopen request
Returns a completed or rejected request to pending status with a new 30-day deadline. This is useful when:
- You need to provide additional data after completing a request
- A rejection was made in error
- The data subject provides additional information that changes how the request should be handled
Consent token
When a data subject submits a DSAR through the widget, CookieHub automatically captures the consent token stored in their browser at the time of submission. This is the same token that identifies the visitor in your domain’s consent log, so it acts as a bridge between the DSAR and the proof-of-consent records held for that domain.
If the request carries a consent token, a Consent ID row appears in the request detail page. The token is displayed as a truncated code, with the full value available on hover and via a copy button. When the request is tied to a domain you own, the consent ID becomes a clickable link that opens that domain’s consent log page in a new tab, pre-filtered to the token.
Looking up proof of consent
Consent log lookups are fulfilled as downloadable exports that you search locally. The workflow is:
- Click the Consent ID link on the DSAR request detail page. This opens the consent log page for the relevant domain.
- A banner at the top of the consent log page displays the token and a Copy button, so you don’t need to return to the DSAR tab to grab it.
- Request a consent log export for the relevant date range and download the ZIP.
- Search the exported files for the token (e.g., using a text editor’s find function or grep) to locate the matching consent records.
If the domain is no longer attached to your account, the consent token is still displayed as copyable text on the DSAR request — only the clickable link is omitted.
Disclosure history
Once a request has been completed, the request detail page shows a history of all disclosure files that have been generated for it. Each entry includes the file size, the date it was created, when (or if) it was downloaded by the data subject, and its expiry date. If you reopen and re-complete a request, a new disclosure entry is added to the history.
Audit log
Every action taken on a request is recorded in the audit log, which appears on the request detail page. Each entry includes:
- The action that was performed
- A timestamp of when it occurred
- The user who performed the action
- The IP address and browser used
The audit log provides a complete history of how each request was handled, which is useful for internal review and security investigations.
Instruction log
Alongside the audit log, each request has an instruction log that records every Controller-directed action — manual verification, extension, rejection, completion, and reopen — together with its legal basis and a compliance note. This log is structured to support GDPR Article 28 and 30 requirements (Processor obligations and records of processing activities).
Automatic reminders
Account owners receive email reminders to help meet response deadlines:
- Deadline reminders — at 7, 3, and 1 days before the deadline
- Overdue reminders — daily, once the deadline has passed (sent at most once per calendar day)
Data subjects receive a reminder email 3 days before their disclosure download link expires, but only if they have not yet downloaded the file.
Data subject experience
When a data subject submits a request through the DSAR widget, they interact with the following pages:
- Verification page — After submitting the form, the data subject receives an email with a verification link. Clicking the link confirms their identity and activates the request.
- Request status page — The data subject can view the current status of their request, including whether it is pending, completed, or rejected. From this page they can also request a new verification email if needed.
- Download page — When a request is completed, the data subject can download their data through a secure link. The file is decrypted on the server and streamed directly to the browser.
All emails sent to the data subject are delivered in the language they used when submitting the request.
These pages are hosted by CookieHub and do not require any additional setup on your part.