TLDR:
A Data Subject Request (DSR), also called a Data Subject Access Request (DSAR), is a request by an individual exercising their rights under GDPR, KVKK, CCPA, or similar privacy laws. DSRs trigger time-bounded obligations on the controller to provide access, correction, deletion, portability, or restriction of processing of the individual’s personal data.
Rights Covered by DSRs
Under GDPR, individuals can request: access (Article 15—copy of their personal data plus processing information), rectification (Article 16—correction of inaccurate data), erasure / “right to be forgotten” (Article 17—deletion under specific conditions), restriction (Article 18—pausing processing during disputes), portability (Article 20—structured, machine-readable export), objection (Article 21—particularly to marketing), and rights regarding automated decision-making (Article 22). KVKK Article 11 provides analogous rights under Turkish law.
Response Requirements
Controllers must respond to DSRs within one month (extendable by two months for complex requests), in writing or electronically in a commonly used format, free of charge for the first request (subsequent requests can incur reasonable fees), after verifying the requester’s identity. Refusals must be justified with reference to specific exemptions, and individuals must be informed of their right to lodge complaints with supervisory authorities.
Operational Implementation
Effective DSR handling requires: a documented intake process (web form, email, postal address), identity verification procedures (proportionate to data sensitivity), data inventory and mapping (knowing where personal data lives across all systems and vendors), automated DSR tooling (especially for high-volume consumer products—OneTrust, Securiti, Transcend), vendor coordination (data processors must support controller DSR fulfillment), and audit logging of requests and responses. For founders, DSR processes should be designed before consumer launch—retrofitting DSR capabilities across many systems is significantly more expensive than building them in.