
A DSAR process workflow that takes minutes
Collect DSAR requests using a simple form on your website
Your dedicated Enzuzo DSAR form makes it easy for customers or users to submit data subject requests in one place on your website.
Select a DSAR form template (GDPR or CCPA)
Depending on which region you collect data from, you can select from two DSAR forms. One is a generic form for GDPR compliance and other privacy laws.
The other template is specifically for California residents and is called a Do Not Sell My Information page. You may have seen one on North America’s biggest websites. A Do Not Sell My Information page and form is used to comply with CCPA.
The form includes a built-in data subject access request collection form, which ties directly into our DSAR workflow in the Enzuzo dashboard for easy data processing.
Add link to website footer or privacy policy
Once you’ve created your DSAR form, you can link to it directly in your footer or elsewhere on your website, such as your privacy policy or cookie banner, making customer DSAR data collection quick and easy.
Data subject request submissions in one place
Privacy laws like GDPR and CCPA have deadlines for completing data subject access requests to avoid being fined.
We automatically flag each DSAR depending on the privacy law you must comply with, making sure you're processing data subject access requests on time.
Get reminded as the due dates approach, and minimize the risk of privacy fines.
Your customers choose their DSAR request type
Your customers can choose from four different DSAR request types, including marketing unsubscribes, personal data deletion and more.

Marketing unsubscribe
Remove the customer from all email marketing lists like marketing emails, SMS or newsletters.

Delete personal data
Delete customers' personal data from third-party tools like CRMs and email service providers.


Get copy of personal data
Request a copy of the personal information or data your business has about the customer.

Do not sell or share data
Request that their personal data is not sold or shared with any other business or organization.
Next, process data subject requests in a few easy steps
Requests are then streamlined into one simple dashboard. Complete data subject requests quickly and on time with a few clicks.
1. Receive data subject access request
2. Quickly verify your subject’s identity
We verify your customer's identity and location, so you only process data requests from confirmed customers. Identity verification ensures you don't leak any personal information to the wrong person.
The recipient of the request is normally the DPO (Data Protection Officer), who is in charge of processing DSARs that are submitted to your business. If you don’t have a dedicated DPO, then you can appoint a person within the company to handle DSAR fulfillment.
We automate basic data mapping, and have direct integrations with Shopify so we can surface which information you have on your data subject.
3. Automated DSAR due date reminders
Privacy laws like GDPR and CCPA have deadlines for completing data subject access requests to avoid being fined. We automatically flag each DSAR, whether it’s GDPR compliance or CCPA compliance you need to worry about.
Get reminded as the due dates approach, so that you process data subject access requests on time under the privacy law you must comply with, and minimize the risk of privacy fines.
4. Complete requests in a timely manner
Quickly process data subject access requests, and ensure that customer data that is deleted stays deleted. In one click, you can generate compliance reports to show your business is compliant. Save time and money on administrative costs.
Easy compliance with GDPR, CCPA, PIPEDA and other privacy laws
Automate customer data deletion
Under GDPR, sensitive personal information is known as 'special categories of personal data' and includes information about a person's race, ethnicity, political views, religion, spiritual or philosophical beliefs, biometric data for ID purposes, health data and more. This sensitive personal information can put your business at risk if ever exposed or accessed by someone outside of your organization. This makes customer data deletion essential for minimizing the risk of expensive privacy fines.
1-click compliance reporting
Generate CCPA and GDPR compliance reports in seconds from the Enzuzo dashboard. The report will show the number of DSAR requests completed and which privacy law they fall under.
Ensure customer data stays deleted
Grow trust and transparency with personal data removal. Data privacy management will ensure that when you delete customer data, it stays deleted throughout your various processes and technology tools. Customer data retention can actually put your business at risk, especially if it’s unused data, which is why it’s essential to stay on top of data deletion best practices.
"Well, that was about the easiest set up of a privacy policy, terms of service and cookie banner I've ever used!"
— Janet, Goodson Tools
Data subject request FAQs
What is a Data Subject Access Request (DSAR)?
The phrase “data subject access request” might sound complicated and technical, but when you strip it back, a DSAR is simply a request from an individual that you hold personal data on. The individual requesting data is known as the data subject. Consumers often want to access their data, hence the term data subject access request.
Read more in our ultimate guide to DSARs.
How long should a DSAR take?
In 2004, the Court of Justice of the European Union (ECJ) ruled on the process and timescales for responding to a personal data subject access request (DSAR) in Maatschap Toeters and M.C. Verberk v. Productschap Vee en Vlees (Case C-171/03). The legal ruling declared what time periods should be considered when determining how long a DSAR response should take. Article 12 of the General Data Protection Regulation (GDPR) stipulates that a personal data controller or data privacy manager must process and respond to a DSAR without unnecessary delay and, in any case, within one month after receiving the data request.
While the GDPR applies to EU residents and anyone who does business with EU organizations, the California Consumer Privacy Act (CCPA) has also established similar data privacy regulations, clearly outlining the procedures and processes that should be followed when processing and responding to personal data access requests. The CCPA stipulates that a business responding to a DSAR that has been verified and passed must disclose the personal information gathered about the consumer in the 12-month period prior to the receipt of the access request.
If the data access requests are too numerous or complex, your organization can formally ask the data subject for more time to process and respond to each of the requests. But you need to explain why you want an extension of time for responding to them. Keep in mind that you are still expected to process the information requests and offer a full response within the one-month period of receiving the requests. Failure to offer a complete response within 40 days makes you liable for a significant fine and other legal penalties related to the breach in data subject privacy and lack of compliance with the law. Failing to respond to DSARs can also tarnish your organization’s reputation.
Who can submit a DSAR?
In most cases, you’ll find that the person making a data subject access request is the data subject themselves. Sometimes, they may appoint someone to make the request on their behalf.
A data subject (or someone making the request on their behalf) doesn’t need to be a customer of your eCommerce store for their request to be valid. They may be a current or ex-employee, corporate partner or sponsor, supplier, contractor, or anyone else that believes you may hold personal data on them.
What does a DSAR cover?
A data subject access request (DSAR) is a request sent by a data subject to a data controller asking to be provided with a copy of their personal data being collected by the controller and a detailed description of how, and for what purposes, the data is being collected. However, a general complaint or query by the data subject about the usage of their personal data isn’t considered a DSAR.
For instance, if an individual data subject asks you why they are receiving marketing messages or where you got their name from, it’s not a DSAR. But if they specifically ask for a copy of the personal data you hold for them and proof of how you are using it, then it’s considered a DSAR. Please note that a request doesn’t have to be formally titled a “data subject access request” or "data subject request" for it to be considered a DSAR.
It can come from any source and be sent to any department within your organization and still be valid. So, don’t always expect it to be officially addressed to your Data Protection Department. It can even be sent through email or social media. In short, there isn't a formal DSAR process that the subject should follow when submitting a request.
What does a Data Subject Access Request look like?
There’s no uniform way for someone to submit a data subject access request. There’s a deliberately low barrier to making one, so that there’s no burden on someone to use a specific system or make their information request via a medium that they’re uncomfortable with.
Your data subject access requests could come via email, phone, live chat, social media DMs, letter, and more. It’s up to the individual or their representative to choose a medium that makes sense for them when making a request for personal, sensitive information.
Can you refuse to respond to a DSAR?
In line with guidance from the Information Commissioner’s Office (ICO) about the GDPR and DSARs, you’re within your rights to not respond if the data request is:
- Manifestly unfounded — for example, the request is malicious, part of a targeted campaign of disruption, or made with a suggestion that it’ll be retracted in exchange for a discount or product.
- Manifestly excessive — for example, there’s a series of overlapping requests, multiple requests for the same thing over a short period of time, or resource reasons why your team can’t manage a large scale response.
What happens if I don’t respond to a DSAR?
Failure to respond to a subject access request within the time frame could lead to legal action and fines. Companies can experience serious legal consequences if they fail to comply with GDPR law.
How much does a DSAR cost?
According to Article 12(5) of the GDPR, the process of requesting access to personal data is supposed to be free. However, you are allowed to charge a small amount for the DSAR if the subject makes excessive requests that are repetitive or unfounded. Even then, you, as the data controller, bear the largest burden of proof and legal responsibility. The small DSAR charge is meant to deter subjects who want to frustrate you or delay your normal business operations by submitting annoying information requests.
How to make a Data Subject Request?
Making a DSAR is a simple process because the subjects can use any format accepted by the data controller, including emails, direct messages, letters, phone calls, and social media messages. Subject rights include requesting to see and update their personal information that has been collected by companies. Individuals can also request that their information be removed from the company's data inventory.
However, the request needs to be clearly labeled as a personal data request and have the date of submission, the subject’s name, including an alias if available, and any other data used by the organization to identify the individual.
The data request also needs to have the subject’s latest contact details and a full list of the personal data they want to access. The individual must also indicate how they would like to receive the response.
After the data request has been received, companies need to ensure that they respond to the individuals within 40 days to stay in compliance with data privacy laws. Using DSAR management software can help automate the process and ensure that your organization doesn't breach personal privacy laws or infringe on data subject rights.