Data subject access requests
Data subject access requests (DSAR) allow individuals to exercise their privacy rights under regulations such as the GDPR, CCPA, and other data protection laws. With CookieHub’s DSAR feature, you can embed a request form on your website and manage incoming requests through a secure portal in your dashboard.
The DSAR feature provides a complete workflow for receiving, tracking, and fulfilling privacy requests — from initial submission through email verification, data gathering, automated deadline reminders, and secure delivery of requested information.
DSAR is available as an add-on to your CookieHub subscription. The portal is enabled per account.
How it works
- Widget placement — You embed the DSAR widget on your website (typically on a privacy policy or contact page). The widget displays a form where visitors can submit privacy requests.
- Request submission — A data subject fills out the form with their name, email, relationship to your organization, and the type of request. The request is created with an unverified status.
- Email verification — The data subject receives a verification email and clicks the link to confirm their identity. The request status changes to pending and a 30-day response deadline begins.
- Request management — The request appears in your DSAR portal. You work through the systems checklist, gathering or processing data from each of your configured systems (e.g., Shopify, Stripe, your CRM).
- Fulfillment — Once all systems have been processed, you complete the request. Any uploaded files are bundled into an encrypted ZIP and the data subject receives an email with a secure download link.
Request types
Data subjects can submit one or more of the following request types:
- Access — Request a copy of personal data you hold about them
- Erasure — Request deletion of their personal data
- Rectification — Request correction of inaccurate personal data
- Portability — Request their data in a portable, machine-readable format
- Restriction — Request that you limit how their data is processed
- Objection — Object to the processing of their personal data
- Automated decision-making — Request information about or challenge automated decisions made about them
- Other — Any other privacy-related request
Status lifecycle
Each DSAR request moves through the following statuses:
| Status | Description |
|---|---|
| Unverified | Request has been submitted but the data subject has not yet verified their email address. |
| Pending | Email verified (or manually verified by an admin). A 30-day response deadline is now active. |
| Completed | The request has been fulfilled and the data subject has been notified. The disclosure file remains downloadable until it expires. |
| Rejected | The request has been rejected with a reason provided to the data subject. |
Completed or rejected requests can be reopened, which returns them to pending status with a new 30-day deadline.
Deadlines
When a request is verified, the response deadline is set to 30 days from the verification date. If you need more time, you can extend the deadline:
- GDPR (EU) — Maximum 90 days from submission
- CCPA/CPRA (US) — Maximum 75 days from submission
The data subject is notified by email when a deadline is extended.
Automatic reminders
To help you stay ahead of deadlines, account owners receive automated email reminders:
- 7, 3, and 1 days before the response deadline
- Daily overdue notices if the deadline passes (sent at most once per calendar day)
Data subjects also receive an email 3 days before their disclosure download link expires, but only if they have not yet downloaded it.
On-behalf requests
The DSAR widget supports requests submitted on behalf of another person. This is useful when a parent, legal guardian, attorney, or authorized agent submits a request for the data subject. The form collects both the data subject’s information and the requester’s details, including their name, email, and relationship to the data subject.
For on-behalf requests, both the data subject and the requester must verify their email before the request becomes actionable. This ensures that a request is only processed when both parties have confirmed their involvement.
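The status, deadline, reminder and dual-verification rules described above, modelled as a small state machine. This is an added example, not CookieHub code: the class and method names are hypothetical, and it assumes the extension caps limit the new deadline date, counted from the submission date.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta

RESPONSE_DAYS = 30                    # deadline runs from verification
MAX_DAYS = {"GDPR": 90, "CCPA": 75}   # extension caps, counted from submission

@dataclass
class Request:  # hypothetical model of the documented rules, not CookieHub's API
    submitted: date
    regime: str                       # "GDPR" or "CCPA"
    on_behalf: bool = False
    status: str = "unverified"
    deadline: date | None = None
    verified_by: set = field(default_factory=set)

    def verify(self, party: str, today: date) -> None:  # party: "subject" | "requester"
        if self.status != "unverified":
            raise ValueError("already verified")
        self.verified_by.add(party)
        needed = {"subject", "requester"} if self.on_behalf else {"subject"}
        if needed <= self.verified_by:            # on-behalf requests need both parties
            self.status = "pending"
            self.deadline = today + timedelta(days=RESPONSE_DAYS)

    def extend(self, new_deadline: date) -> None:
        if self.status != "pending":
            raise ValueError("only pending requests can be extended")
        cap = self.submitted + timedelta(days=MAX_DAYS[self.regime])
        if new_deadline > cap:
            raise ValueError(f"exceeds {self.regime} maximum of {cap}")
        self.deadline = new_deadline

    def close(self, outcome: str) -> None:
        if self.status != "pending" or outcome not in ("completed", "rejected"):
            raise ValueError("invalid transition")
        self.status = outcome

    def reopen(self, today: date) -> None:
        if self.status not in ("completed", "rejected"):
            raise ValueError("only closed requests can be reopened")
        self.status = "pending"
        self.deadline = today + timedelta(days=RESPONSE_DAYS)

    def reminder(self, today: date) -> str | None:
        if self.status != "pending":
            return None
        left = (self.deadline - today).days   # reminders at 7, 3 and 1 days, then overdue
        return "overdue" if left < 0 else f"{left}d" if left in (7, 3, 1) else None
```

Calling `reminder()` once per calendar day reproduces the documented schedule, which makes the model usable as an independent cross-check on exported request dates.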
Localization
The widget supports 50+ languages, and the language is stored with each request. All emails sent to the data subject (verification, status updates, completion notifications, expiry warnings) are delivered in the same language they used when submitting the form.
Data delivery
When a request is completed:
- All files uploaded during processing are collected and bundled into an encrypted ZIP file.
- The ZIP file is stored securely and a disclosure record is created.
- The data subject (and the requester, if applicable) receives an email with a secure download link.
- The download link expires after a configurable period (default 180 minutes).
- After the file retention period passes, the disclosure is automatically purged from storage.
File retention and download link validity can be configured in DSAR settings.
Compliance records
For each request, CookieHub maintains two distinct logs to support your compliance obligations:
- Audit log — Every action taken on the request, including who performed it, when, and from where. Useful for internal review and security investigations.
- Instruction log — A Controller-to-Processor record (aligned with GDPR Article 28 and 30) that captures every directed action — manual verification, deadline extension, rejection, completion, or reopen — along with its legal basis and a compliance note.