GDPR Basics for Non-Experts

This guide explains GDPR data subject requests in plain English. You don’t need to be a lawyer to handle DSARs properly—just understand the basics and let SAR Portal help with the rest.

What is GDPR?

The General Data Protection Regulation (GDPR) is an EU law that gives people control over their personal data. If your business operates in the EU or handles EU citizens’ data, GDPR applies to you.

Key Concepts

The 8 Data Subject Rights

GDPR gives people 8 rights over their personal data. SAR Portal helps you handle requests for all of them.

1. Right of Access (Article 15)

“What data do you have about me?”

The person can ask for:

• Confirmation you have their data
• A copy of all their personal data
• Information about how you use it

Your obligations:

• Search all your systems for their data
• Provide a copy within 30 days
• Redact other people’s data before sending

2. Right to Erasure (Article 17)

“Delete my data”

Also called the “Right to be Forgotten.” The person can request you delete their data.

When you MUST delete:

• They withdraw consent
• Data is no longer needed
• They object and you have no overriding interest
• Data was processed unlawfully

When you can REFUSE:

• Legal obligation to keep it
• Public health reasons
• Legal claims defense
• Freedom of expression

3. Right to Rectification (Article 16)

“My data is wrong—fix it”

People can request you correct inaccurate data or complete incomplete data.

Examples:

• Wrong spelling of name
• Outdated address
• Incorrect date of birth
• Missing information

Your obligations:

• Verify the correction is accurate
• Update within 30 days
• Notify anyone you’ve shared the data with

4. Right to Restriction (Article 18)

“Stop using my data (but don’t delete it)”

A temporary “freeze” on processing while something is resolved.

When this applies:

• They dispute accuracy (freeze while you verify)
• Processing is unlawful but they want restriction instead of deletion
• You don’t need it but they need it for legal claims
• They’ve objected and you’re evaluating their objection

What restriction means:

• You can store the data
• You can’t use it for anything else
• Must get consent before lifting restriction

5. Right to Data Portability (Article 20)

“Give me my data in a format I can take elsewhere”

They can request their data in a machine-readable format to transfer to another service.

Applies to:

• Data they provided to you
• Data processed by automated means
• Based on consent or contract

Format:

• Commonly CSV, JSON, or XML
• Must be “structured, commonly used, and machine-readable”

6. Right to Object (Article 21)

“Stop processing my data”

People can object to certain types of processing.

Automatic right to stop:

• Direct marketing (must stop immediately)

Can object, but you can override if:

• You have “legitimate grounds” that override their interests
• Processing is for legal claims

7. Rights Related to Automated Decisions (Article 22)

“A computer made a decision about me—I want a human review”

If you make significant automated decisions (no human involvement), people can:

• Request human intervention
• Express their point of view
• Contest the decision

Examples:

• Automated credit scoring
• Algorithmic hiring decisions
• Automated insurance pricing

8. Right to be Informed (Articles 13-14)

“Tell me what you’re doing with my data”

You must proactively tell people:

• Who you are
• What data you collect
• Why you collect it
• How long you keep it
• Their rights

This is handled through your Privacy Policy, not through SAR Portal.

The 30-Day Deadline

Timeline

Extensions

For complex requests, you can extend to 90 days, but you must:

1. Notify the person within the first 30 days
2. Explain why you need more time
3. Document the complexity

Valid reasons for extension:

• Large volumes of data across many systems
• Need to consult with other parties
• Technical complexity

When You Can Refuse

You’re not required to fulfill every request. You can refuse if:

1. Manifestly Unfounded

The request has no basis:

• Clearly made in bad faith
• Intended to harass or cause disruption

2. Manifestly Excessive

The request is unreasonable:

• Repetitive requests for the same data
• Disproportionate effort required

3. Can’t Verify Identity

You must verify the person is who they claim:

• Request additional ID if needed
• Don’t hand data to the wrong person

4. Exemptions Apply

Certain exemptions exist:

• Legal privilege
• Legal claims
• Regulatory requirements

Penalties for Non-Compliance

GDPR has serious penalties:

Beyond fines:

• Regulatory investigations
• Reputational damage
• Compensation claims from individuals
• Loss of customer trust

How SAR Portal Helps

SAR Portal handles the complexity so you can focus on your business:

Automated Tracking

• Deadline countdown and warnings
• Status tracking through workflow
• Automatic audit logging

AI-Powered Processing

• Detect personal data in documents
• Identify third-party data to redact
• Speed up document review

Compliance Documentation

• Complete audit trail
• Timestamped records
• Evidence for regulators

Team Collaboration

• Assign roles and permissions
• Review and approval workflows
• Centralized case management

Open SAR Portal →

Quick Reference Card

When Someone Contacts You

1. Identify the request type (access, deletion, correction, etc.)
2. Log it immediately in SAR Portal
3. Verify their identity if needed
4. Gather relevant data from your systems
5. Process and redact third-party information
6. Respond within 30 days
7. Document everything for compliance

Red Flags to Watch For

⚠️ Approaching deadline - Prioritize immediately ⚠️ Complex request - Consider extension ⚠️ Identity concerns - Request verification ⚠️ Third-party data - Must be redacted ⚠️ Legal implications - Consult legal team

What to Include in Your Response

Learn More

Disclaimer