Here's what happens when Sarah from HR handles DSARs via email...
Day 1: DSAR arrives in info@company.ie
Sarah forwards to IT, legal, and finance teams. "Can someone help with this?"
Day 8: IT replies with 20 files
Sarah realizes she never got Finance data. Email lost in thread with 15 replies.
Day 15: Sarah on sick leave
No handover. Case sits idle. Deadline ticking.
Day 28: Sarah back, scrambles to finish
Sends partial data. Forgets to include purchase history from Finance.
Day 45: Complaint to DPC
"You missed the deadline and gave incomplete data!"
Day 60: DPC Investigation
"Show us your DSAR process and audit trail."
Sarah's inbox:
Result: €10,000+ DPC fine + legal costs
Day 1: DSAR arrives via portal
System auto-calculates 30-day deadline. Sarah gets email: "New DSAR #2025-003". All case details in one place.
Day 3: Sarah needs identity proof
Clicks "Request Info" → Data subject gets secure email with portal link. They upload ID document directly to the case.
Day 8: Sarah gathers data from IT, Finance
Uploads all files to case #2025-003. Adds notes: "Received server logs from IT, transaction history from Finance."
Day 15: Sarah on sick leave
Manager logs in → Sees case #2025-003 → Full timeline with all notes and documents. Takes over in 30 seconds.
Day 20: Manager completes the DSAR
Uploads final data package → Marks case "Completed" → System automatically emails subject with secure download link.
Day 21: Data subject downloads files
System logs: "Files accessed by verified user at 14:23 on 21/01/2025"
Day 60: Random DPC audit
"Show us your DSAR process."
Manager clicks "Export Case as PDF":
Result: DPC satisfied. Case closed. €0 fine.
It's not about volume. Even if you only get 5 DSARs a year, one badly handled case can result in a €10,000+ fine.
SAR Portal starts at just €29/month. Your first avoided fine pays for 28+ years of subscription.
Factual benefits when dealing with regulators, complaints, or audits
The Reality: GDPR Article 5(2) requires you to demonstrate compliance ("accountability principle"). The DPC can request evidence of your data protection processes at any time.
What SAR Portal Provides: Every case includes a complete, timestamped audit trail you can export as PDF. Shows when request was received, deadline calculated, data collected, subject notified, and all status changes with timestamps.
This is not legal protection - it's factual evidence of your process. You still need proper GDPR procedures, but at least you can prove what you did and when you did it.
The Scenario: Data subject complains to DPC: "Company X never responded to my DSAR!" or "They gave me incomplete data and missed the deadline!"
What SAR Portal Provides: Exportable proof that request was received on [date], response was sent on [date] with secure download link, and subject verified their email via OTP to access the files on [date] at [time]. All logged automatically.
Can't prevent false complaints, but having timestamped evidence of every action helps your case when responding to the DPC.
What DPC Looks For: Article 24 requires "appropriate technical and organisational measures" for GDPR compliance. DPC wants to see you have a consistent, documented process - not ad-hoc email handling.
What SAR Portal Provides: Standardized workflow (Open → Processing → Verified → Completed), role-based access control, secure document storage, automated deadline tracking. Shows you treat DSARs seriously.
Having a system doesn't guarantee compliance, but it demonstrates you've invested in proper processes rather than relying on scattered emails and Excel sheets.
Common Dispute: "You never gave me my data!" vs "We sent it to your email!"
What SAR Portal Provides: System logs exactly when files were uploaded, when email was sent, when subject accessed the secure download link, and what files they downloaded. No "he said, she said" - just facts.
Download logs show: "User verified via OTP from IP 86.40.x.x accessed case #2025-003 on 15/01/2025 at 14:23:18 UTC and downloaded 3 files totaling 2.4MB."
⚠️ Important: SAR Portal is a tool for managing DSARs efficiently. It is not legal advice and does not guarantee GDPR compliance. You still need proper data protection policies, staff training, and legal review. What we provide is factual evidence of your process - timestamped records of what you did and when. That evidence can be valuable during audits or complaints, but it's your responsibility to ensure your processes are compliant with GDPR requirements.
Professional DSAR management tools that scale with your business
Custom-branded public intake forms with automated deadline calculation. Subjects can submit requests 24/7 and track progress via secure OTP access.
Handle all data subject rights: Access, Erasure (Right to be Forgotten), Rectification, Restriction of Processing, Portability, and Objection. Complete workflows for each request type.
Automatic SLA calculation (30 days + 60/90-day extension handling). Email reminders at Day 20, Day 25, Day 28. Never miss a compliance deadline.
Encrypted storage with secure time-limited access links. Your data security is our priority.
Immutable audit logs for every action. Demonstrate compliance to regulators with confidence.
Role-based access with team workflows. Admin, Case Manager, Reviewer, and Read-Only roles included.
White-label solution with your company logo and colors. Maintain your brand throughout the DSAR process.
Email notifications for case updates, status changes, and information requests. Keep everyone in the loop.
Download complete case documentation as PDF. Ready for regulatory inspections or internal reviews.
Intelligent case risk scoring and analysis. Identify high-risk cases automatically and prioritize your workflow.
Smart text improvement for professional responses. AI-powered PDF redaction available at EVERY file upload point—when closing cases, requesting info from subjects, or subjects submitting documents. Automatically detects third-party PII (GDPR Article 15(4)). Choose to redact or not—you're always in control.
AI provides contextual guidance tailored to YOUR specific systems. Tell us which CRMs, email platforms, and databases you use—AI gives you step-by-step instructions like "Search Zendesk for this email" instead of generic advice.
Configure which business systems you use (Salesforce, Gmail, Shopify, WordPress, Zendesk, etc.). AI uses this to generate system-specific guidance for finding and handling personal data. Simple setup, powerful results.
Customize which personal data types to detect per your needs: standard PII (names, emails, addresses, IBAN, passport numbers), custom patterns (your customer IDs, policy numbers), and keyword allow/deny lists. Non-technical interface with AI assistance.
Need more info from the data subject? Request it through the portal with optional reference documents. Subjects receive email notifications and can securely submit their response with attachments. All exchanges tracked with full audit trail.
Place legal hold on erasure requests when litigation is pending. When ready to delete, use manual anonymization to replace personal data with anonymized values—preserving data structure for analytics while protecting privacy.
Export case data to CSV for analysis or PDF for documentation. Complete audit packs include case timeline, status history, attached documents, and email logs. Perfect for regulatory inspections or internal compliance reviews.
Powered by Azure Document Intelligence for automatic text extraction from PDFs. Extract text from scanned documents, images, and native PDFs at every file upload point. Essential for AI-powered redaction and PII detection. Per-page cost tracking included.
Industry-leading redaction across 5 file types with native format preservation. Excel (preserves formulas), Word, PDF (visual black boxes), Images, and Text files. No conversion artifacts—GDPR Article 15(3) faithful reproduction. Batch processing for multiple documents with unified entity selection and progress tracking.
Advanced two-layer PII detection: Azure AI Language (50+ entity types, structural detection) + GPT-4o-mini (contextual analysis, data subject identification). Detects names, emails, phones, addresses, IBAN, credit cards, passports, SSN, PPSN, DOB. Custom regex patterns and keyword lists. Automatic third-party vs data subject classification.
Real-time AI usage dashboard with detailed cost breakdown by feature: PDF extraction (per page), PII detection, risk scoring, text improvement, and spam detection. Monthly quotas per subscription tier with clear limits. No surprise bills—you're always in control.
Complete case lifecycle management: Open → Processing → Extended → Verified → Completed. Track every stage with automated status updates, email notifications, and timeline history.