Request Types
SAR Portal supports all GDPR data subject rights. Understanding each type helps you process requests correctly.
Access Request (Article 15)
The right to access personal data
What the Subject Can Request
- Confirmation that you process their data
- A copy of their personal data
- Information about how their data is used
- Details of data sources and recipients
Your Obligations
- Respond within 30 days
- Provide data in commonly used electronic format
- First copy is free; may charge for additional copies
- Must not adversely affect rights of others
Processing Steps
- Verify subject’s identity
- Search all relevant data systems
- Compile personal data found
- Redact third-party information
- Prepare response package
- Send to subject securely
Erasure Request (Article 17)
The right to be forgotten
Valid Grounds for Erasure
- Data no longer necessary for original purpose
- Subject withdraws consent
- Subject objects and no overriding legitimate grounds
- Data processed unlawfully
- Legal obligation to erase
- Data collected from children for online services
Exemptions (When You May Refuse)
- Freedom of expression and information
- Legal obligations requiring retention
- Public health purposes
- Archiving in public interest
- Establishment or defense of legal claims
Processing Steps
- Verify the request is valid
- Check for exemptions
- Identify all data to be deleted
- Delete from all systems
- Notify any third parties
- Confirm deletion to subject
Rectification (Article 16)
The right to correct inaccurate data
What Can Be Corrected
- Factually incorrect information
- Outdated information
- Incomplete information (by adding data)
Processing Steps
- Identify the data in question
- Verify the correct information
- Update your records
- Notify third parties if shared
- Confirm changes to subject
Objection (Article 21)
The right to object to processing
Types of Objection
- General processing - Based on legitimate interests
- Direct marketing - Must always be honored
- Research/statistics - Unless necessary for public interest
Your Response
- For direct marketing: Stop immediately
- For other processing: Demonstrate compelling legitimate grounds
- May continue if grounds override subject’s interests
Restriction (Article 18)
The right to limit processing
When Restriction Applies
- Subject contests data accuracy (pending verification)
- Processing is unlawful but subject prefers restriction to erasure
- You no longer need data but subject needs it for legal claims
- Subject has objected (pending verification of legitimate grounds)
What Restriction Means
- Store the data but don’t process it
- May process with consent or for legal claims
- Mark data as restricted in your systems
Portability (Article 20)
The right to receive data in portable format
Requirements
- Data provided by the subject
- Processing based on consent or contract
- Processing carried out by automated means
Your Obligations
- Provide in structured, commonly used format (e.g., CSV, JSON)
- Machine-readable format
- Free of charge
- Transmit directly to another controller if requested
What to Provide
- Data actively provided by subject
- Data observed from subject’s activity
- NOT inferred or derived data
Automated Decision (Article 22)
Rights related to automated decision-making
When This Applies
- Decisions made solely by automated processing
- That produce legal effects or significantly affect the subject
- Including profiling
Subject’s Rights
- Not be subject to such decisions
- Obtain human intervention
- Express their point of view
- Contest the decision
Exemptions
- Necessary for contract
- Authorized by law
- Based on explicit consent
Other Requests
Use this category for requests that don’t fit standard types:
- Combined requests (access + deletion)
- General privacy inquiries
- Complaints about data handling
- Requests for information about processing
Handling Multiple Request Types
If a subject makes multiple requests:
- Create one case per request type, OR
- Create one case and note all request types
- Address each right individually
- Ensure all are completed within deadline
Request Type Quick Reference
| Type | Article | Must Respond In | Can Charge? |
|---|---|---|---|
| Access | 15 | 30 days | Free (first copy) |
| Erasure | 17 | 30 days | No |
| Rectification | 16 | 30 days | No |
| Objection | 21 | 30 days | No |
| Restriction | 18 | 30 days | No |
| Portability | 20 | 30 days | No |
| Automated | 22 | 30 days | No |
All deadlines can be extended by 2 months for complex requests with notification to the subject.