GDPR grants individuals specific rights over their personal data. When a data subject exercises one of these rights, your organization must respond within strict timeframes. LowerPlane’s DSR module helps you track incoming requests, manage the response workflow, and maintain an auditable record of every request handled.

Data Subject Rights

GDPR establishes the following rights that data subjects can exercise:
| Right | Article | Description | Response Deadline |
| --- | --- | --- | --- |
| Right of Access | Art. 15 | Obtain a copy of their personal data and information about how it is processed | 30 days |
| Right to Rectification | Art. 16 | Correct inaccurate personal data | 30 days |
| Right to Erasure | Art. 17 | Request deletion of their personal data (“right to be forgotten”) | 30 days |
| Right to Restrict Processing | Art. 18 | Limit how their data is processed | 30 days |
| Right to Data Portability | Art. 20 | Receive their data in a structured, machine-readable format | 30 days |
| Right to Object | Art. 21 | Object to processing based on legitimate interest or direct marketing | Without undue delay |

The 30-day response deadline begins from the day you receive the request, not from when you verify the requester’s identity. Start processing requests immediately upon receipt.

Creating a DSR

  1. Navigate to GDPR > DSR. Open the Data Subject Requests section from the GDPR module.
  2. Click Create Request. Start a new DSR record when you receive a data subject request through any channel (email, web form, letter, phone).
  3. Enter request details. Record the request type, data subject’s name and email, the date received, and any specific details about what is being requested.
  4. Verify the requester's identity. Before responding, verify that the person making the request is who they claim to be. Record the verification method used.
  5. Assign an owner. Designate a team member to handle the request and ensure timely completion.

DSR Workflow

Each DSR follows a structured workflow within LowerPlane:
| Status | Description |
| --- | --- |
| Received | Request has been logged but not yet started |
| Identity Verification | Verifying the requester’s identity |
| In Progress | Actively working on fulfilling the request |
| Pending Review | Response prepared, awaiting internal review |
| Completed | Request has been fulfilled and response sent |
| Denied | Request was denied with documented justification |
| Extended | Deadline extended (maximum additional 2 months for complex requests) |

Handling Each Request Type

Access Requests (Article 15)

The data subject wants a copy of their personal data. You must provide:
  • All personal data you hold about the individual
  • The purposes of processing
  • Categories of data and recipients
  • Retention periods
  • Information about their rights
  • The source of the data (if not collected directly)
Prepare a standard data export template that covers all required information. This speeds up the response process and ensures consistency across requests.

Deletion Requests (Article 17)

The data subject wants their data erased. Before complying, verify whether any exemption applies:
  • Legal obligation to retain the data (e.g., tax records)
  • Ongoing contractual necessity
  • Public interest in the area of public health
  • Archiving purposes in the public interest
  • Establishment, exercise, or defense of legal claims
If an exemption applies, document it and inform the data subject.

Rectification Requests (Article 16)

The data subject wants to correct inaccurate data. Update the data in all systems where it is stored and notify any third parties who received the original data.

Portability Requests (Article 20)

The data subject wants their data in a machine-readable format. Provide data in a commonly used format (CSV, JSON, XML). This right only applies to data processed by automated means based on consent or contractual necessity.

Deadline Management

LowerPlane tracks deadlines automatically:
  • Deadline calculation — The 30-day deadline is calculated from the date the request is logged.
  • Reminder notifications — Owners receive reminders at configurable intervals before the deadline.
  • Overdue alerts — Requests past their deadline are flagged prominently in the dashboard.
  • Extension tracking — If extended, the new deadline is calculated and tracked.
Missing a DSR deadline is a GDPR violation that can result in complaints to the supervisory authority and potential fines. Treat deadline management as a critical operational process.

Denying a Request

You may deny a DSR in limited circumstances:
  • The request is manifestly unfounded or excessive (e.g., repetitive requests)
  • An exemption applies (legal obligation to retain data, legal claims defense)
  • You cannot verify the requester’s identity
When denying a request, you must:
  1. Document the specific reason for denial.
  2. Inform the data subject of the denial and the reasons.
  3. Inform the data subject of their right to lodge a complaint with a supervisory authority.
  4. Record the denial in LowerPlane for audit purposes.

DSR Reporting

The DSR dashboard provides metrics for management and audit reporting:
  • Total requests received — Broken down by type and period
  • Average response time — Mean days from receipt to completion
  • Requests within SLA — Percentage completed within the 30-day deadline
  • Open requests — Currently in progress with deadline countdown
  • Denied requests — Count and reasons for denial

DSR as Compliance Evidence

Your DSR handling records serve as evidence for:
| GDPR Article | Requirement |
| --- | --- |
| Articles 15-22 | Demonstrating you fulfill data subject rights |
| Article 12 | Transparent communication with data subjects |
| Article 24 | Accountability — proving compliance through documented processes |

Even if you receive zero DSRs, having a documented and operational DSR process is a compliance requirement. Auditors and supervisory authorities want to see that you have the capability to respond, not just that you have responded.