Data subject requests: deadlines, identity checks and evidence
A practical guide to access, erasure, rectification and objection requests without losing the audit trail.
Executive summary
- DSRs need deadlines, identity verification and search evidence.
- Extensions and refusals should be documented.
- The office must balance rights with legal duties and exemptions.
Data subject requests are operationally awkward because they combine legal judgment, identity verification, deadlines, document search, exemptions and careful communication.
A good workflow starts by classifying the request, verifying the person where needed, calculating the deadline, assigning owners, collecting evidence and recording the response or refusal rationale.
The office should be able to show not only what it answered, but how it searched, who reviewed the response, whether an extension was used and why any data was withheld.
Who this applies to
This guide is for offices handling access, rectification, erasure, restriction, portability, objection or related GDPR requests.
- Client access requests
- Former-client erasure requests
- Employee and candidate requests
- Requests involving AML records or legal files
- Requests where identity or authority is uncertain
Legal and supervisory context
GDPR rights are operationally sensitive because the office must respond properly without exposing third-party data, privileged information or records that must legally be retained.
The workflow should therefore combine deadline tracking with professional review and evidence of the search and decision.
What the office must actually do
The office should turn the obligation into a repeatable workflow with named owners, deadlines, evidence and reviewable decisions.
- Classify the request.
- Verify identity or authority where needed.
- Calculate the deadline.
- Search systems and files.
- Apply exemptions or retention duties.
- Prepare and approve the response.
- Close with evidence.
What good evidence looks like
The file should show the request, identity check, deadline, search scope, response, extension or refusal rationale and closure evidence.
Common mistakes supervisors find
- Starting the deadline clock late.
- Responding before identity is verified.
- Deleting records subject to AML or legal retention duties without review.
- Failing to document search scope.
Practical checklist
- Log request.
- Verify identity.
- Assign owner.
- Calculate deadline.
- Search evidence.
- Review exemptions.
- Send and record response.
FAQ
Can we refuse an erasure request because of AML retention?
Sometimes records must be retained for legal obligations. The reason should be reviewed and documented.
Does the one-month deadline always apply?
GDPR gives a standard response period with possible extension in certain cases; the workflow should calculate and record this.
Should DSRs be handled by email only?
Email may be part of the communication, but the evidence trail should be kept in a controlled register.