Data Subject Access Request Handling Procedure (DSAR Procedure) Free Template

Here is the audit-ready Data Subject Access Request Handling Procedure (DSAR Procedure), aligned with SOC 2 Privacy Criteria P1.1 and P1.2:

1. Document Control

  • Document Title: Data Subject Access Request Handling Procedure

  • Document Identifier: PRC-ALL-005

  • Version Number: v1.0

  • Approval Date: <24 June 2025>

  • Effective Date: <24 June 2025>

  • Review Date: <24 June 2026>

  • Document Owner: <Chief Privacy Officer>

  • Approved By: <Data Protection Committee>

2. Purpose

The purpose of this procedure is to ensure that <Organization Name> handles Data Subject Access Requests (DSARs) in a timely, secure, and compliant manner, in accordance with applicable data protection regulations and SOC 2 Privacy Criteria P1.1 and P1.2. A DSAR is a formal request made by an individual (or an agent authorized to act on their behalf) to access, correct, delete, or otherwise exercise control over personal data that the organization holds about them.

This procedure establishes standardized steps for intake, verification, assessment, response, and documentation of DSARs to meet obligations under laws such as GDPR, CCPA, and equivalent regulations. It also supports organizational transparency, builds trust with stakeholders, and mitigates the risk of legal non-compliance and reputational harm.

3. Scope

This procedure applies to all personal data processing activities carried out by <Organization Name>, including data collected, stored, or processed in physical or digital form, whether directly or through third-party data processors acting on its behalf.

It applies to:

  • Customers, users, or clients who submit DSARs

  • Employees, contractors, and job applicants

  • Any other individuals whose personal data is held by <Organization Name>

This procedure governs all requests including, but not limited to:

  • Right to access personal data

  • Right to rectification or correction

  • Right to erasure (right to be forgotten)

  • Right to restrict processing

  • Right to data portability

  • Right to object to processing, including profiling and decisions based solely on automated processing

4. Policy Statement

<Organization Name> shall honor all valid Data Subject Access Requests within the applicable statutory timeframes and in accordance with applicable privacy laws. The organization is committed to respecting individual rights and to the lawful, fair, and transparent handling of personal data.

Key provisions include:

  • DSARs must be acknowledged within 5 business days of receipt, regardless of the channel through which they arrive.

  • A full response must be provided within 30 calendar days of receipt, or sooner where a stricter statutory deadline applies (GDPR requires a response within one month, extendable by up to two further months for complex or numerous requests; the CCPA allows 45 days, extendable once by a further 45 days), unless an extension is justified and documented.

  • The requester's identity, and the authority of any agent acting on their behalf, must be verified before any personal data is disclosed, corrected, or deleted. Only the additional information needed to confirm identity may be requested.

  • Requests that are manifestly unfounded or excessive may be rejected with written justification that states the reasons and informs the data subject of their right to lodge a complaint with the relevant supervisory authority.

  • All DSAR activities must be logged and traceable for audit and compliance purposes.

5. Safeguards

The following controls govern the secure and compliant execution of DSAR handling:

Control ID | Description
---------- | -----------
DSAR-001   | All DSARs must be logged in the Privacy Case Management System immediately upon receipt, with the date of receipt recorded so that the statutory clock can be tracked.
DSAR-002   | Identity verification must be completed before any personal data is disclosed, corrected, or erased, requesting only the additional information necessary to confirm identity.
DSAR-003   | Standard templates and redaction tools must be used for response packaging, and responses must be delivered through a secure channel (for example, an encrypted portal or password-protected archive) rather than plain e-mail attachments.
DSAR-004   | Where a response would disclose personal data relating to other individuals, that data must be redacted in accordance with the redaction protocol before release.
DSAR-005   | Legal and Privacy teams must be consulted for complex or high-risk requests (for example, requests involving litigation holds, legally privileged material, or data of other individuals).
DSAR-006   | An extension beyond the 30-day response window must be approved and documented with reasons, and the data subject must be informed of the extension and the reasons for it before the original deadline expires.
DSAR-007   | Affected data systems must be identified from the information asset inventory (PRC-ALL-003) and searched by the designated system or data owners.
DSAR-008   | All actions taken in response to a DSAR must be logged, timestamped, and retained for at least 3 years.

6. Roles and Responsibilities

  • Chief Privacy Officer (CPO): Owns the DSAR process, ensures compliance with global laws, and provides oversight of complex or escalated cases.

  • Privacy Team: Manages intake, logs cases, verifies identity, communicates with data subjects, and prepares responses.

  • IT/Data Owners: Execute data searches, ensure accurate data retrieval, and assist with secure delivery of records.

  • Legal Department: Provides interpretation of applicable laws and validates risk in redaction, refusal, or extensions.

  • Customer Support: Acts as the first point of contact for consumer DSARs and redirects to the Privacy Team.

  • Employees/Managers: Required to cooperate with data discovery when data under their control is subject to a DSAR.

7. Compliance and Exceptions

Compliance with this procedure will be assessed during quarterly privacy audits and regulatory compliance reviews. Metrics reviewed include:

  • Average response time to DSARs

  • Volume of DSARs received

  • Percentage completed within deadline

  • Number of denied or escalated requests

Exceptions (e.g., refusal of DSARs, or use of an extension such as the two further months permitted under GDPR Article 12(3)) must be reviewed by the CPO and documented with the legal rationale. All exceptions will be analyzed annually for patterns that indicate process improvements or compliance risks.

8. Enforcement

Failure to properly process DSARs may result in regulatory penalties, legal exposure, or reputational harm. Violations of this procedure may result in:

  • Staff Misconduct: Disciplinary action including retraining, reprimand, or employment termination

  • Third-party Breaches: Contract reviews and possible termination of vendor agreements

  • Compliance Failure: Escalation to executive risk committees and audit findings requiring formal remediation

All enforcement actions are documented in the Incident and Compliance Register and reviewed by Legal and HR where applicable.

9. Related Policies/Documents

  • POL-ALL-015: Data Protection and Privacy Policy

  • PRC-ALL-004: Data Retention and Disposal Procedure

  • POL-ALL-014: Information Classification Policy

  • PRC-ALL-003: Information Asset Inventory Procedure

  • ISO/IEC 27001 clause 7.5 (Documented information) and Annex A.18.1 (Compliance with legal and contractual requirements; A.18.1.4 Privacy and protection of PII in the 2013 edition, A.5.34 in the 2022 edition)

  • SOC 2 Privacy Criteria P1.1, P1.2

  • GDPR Articles 12–23

  • CCPA, California Civil Code Sections 1798.100–1798.145

10. Review and Maintenance

This procedure shall be reviewed annually or whenever:

  • New privacy regulations are enacted or updated

  • Audit findings reveal gaps in the current process

  • There is a material change to the case management system or personal data handling practices

The Chief Privacy Officer is accountable for reviewing and updating this document. Updates shall be version-controlled and published via the internal policy management system.
