DSAR
A data subject access request (DSAR) is a visitor asking what you hold about them, or asking you to change or delete it. The GDPR gives these rights under Articles 15 to 22 and sets a 30-day response window. OptSens gives you a public intake form, a tracker with deadlines, and an activity log for each request.
Turn it on
DSAR handling is a plan feature. Enable Data Subject Requests in Privacy Settings, then a public intake form becomes available for your domain. Open the DSAR page in the dashboard and use Copy form link to get the public URL you publish in your privacy policy or footer.
Request types
The intake form and the dashboard support the six GDPR rights:
| Type | What the visitor is asking |
|---|---|
| Data access | A copy of their personal data |
| Data deletion | Erasure of their personal data |
| Rectification | Correction of inaccurate data |
| Data portability | Their data in a machine-readable format |
| Restrict processing | A limit on how their data is used |
| Objection | To stop a specific processing activity |
How a request flows
- A visitor submits the public form, or you create a request from the dashboard. Public submissions verify the requester's email first.
- The request lands in the dashboard with a status and a deadline. New requests start as pending.
- You move it to In progress, then Completed, or you Reject it. You reply to the visitor through your own email. OptSens tracks the request, you send the data.
- Every step is written to an activity log on the request.
Deadlines
Each request carries a deadline. The GDPR window is 30 days. For a complex case you can extend a request once by an additional 60 days, with a reason recorded. Requests past their deadline are flagged overdue, and the dashboard shows running counts of total, pending, in-progress, completed and overdue.
Working through requests
- Search by email or request ID and filter by status.
- Select several requests and mark them completed or rejected, or delete them, in one action.
- Add internal notes that only your team sees.
- Export the full request list as CSV for your records.
Linking a request to consent history
To answer an access request, you often need the visitor's consent history. The consent logs page has a DSAR search to look up a visitor's consent records by consent ID, user ID or country, then generate a consent proof PDF for them.
Programmatic handling
The new-request and submission events are available over webhooks
(dsar.created), and a visitor's consent records can be deleted through the
REST API for the right to erasure. See the API reference for the endpoints.
Notifications
When a request comes in through the public form, OptSens can notify your team
through the dsar.created webhook, and nothing sits unanswered against the 30-day clock.