Handling a Data Subject Request

GDPR and India DPDP set out 5 rights. Here's the operational playbook.


The 5 rights

1. Access — give the subject a copy of all their data we hold

2. Correction — fix any inaccuracies they identify

3. Deletion / Erasure — delete their data (subject to retention obligations)

4. Portability — give them their data in a machine-readable format

5. Objection — let them opt out of marketing / analytics / non-essential processing

Our workflow

The platform owner logs every DSR in /admin/dsr-requests:

  • Kind (ACCESS / DELETION / etc.)
  • Subject email
  • Status (RECEIVED → IN_PROGRESS → COMPLETED)

The system auto-matches the email to known User / Employee / Applicant records so the resolver can jump straight to the right place.

Statutory timelines

Regulation                    | Response time
GDPR (EU subjects)            | 30 days
India DPDP (Indian subjects)  | 30 days
Brazil LGPD                   | 15 days

We default to 30 days.

When you can refuse

  • Request is manifestly unfounded or excessive (rare)
  • Conflicts with statutory retention (e.g., tax records must be kept 8 years per IT Act)
  • Cannot verify the requester's identity

Document the refusal reason in the DSR record's notes field — the audit trail is what regulators ask for.
