A Data Subject Request (DSR) is a formal request made by an individual (the “data subject”) to a business or organization to access, correct, delete, restrict, or transfer their personal data. This right is protected by privacy laws like the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
If you process personal data — even in a B2B context — you are obligated to respond to DSRs in a timely, transparent, and legally compliant manner.
What Is a Data Subject?
A data subject is any identifiable person whose personal data is collected, stored, or processed by an organization. This includes:
- Website users
- Customers
- Leads and prospects
- Employees or contractors
- B2B contacts (e.g., professional email addresses tied to individuals)
Under GDPR, the data subject has specific rights, and a DSR is the mechanism they use to exercise those rights.
What Is a Data Subject Request (DSR)?
A DSR (also known as a Data Rights Request, DSAR – Data Subject Access Request, or Consumer Request) is a formal message from an individual requesting that a business take action on their personal data, including:
- 📥 Access — See what data is collected and why
- ✏️ Correction — Fix inaccurate or outdated personal data
- 🗑 Deletion — Request data to be erased (“Right to be Forgotten”)
- 🔒 Restriction — Temporarily pause data processing
- 🔁 Portability — Get a copy of data in machine-readable format
- 🚫 Objection — Stop data processing for specific reasons (e.g., marketing)
- ❌ Opt-Out (CCPA) — Prevent the sale or sharing of personal data
Legal Basis for DSRs
Regulation | Scope |
---|---|
GDPR (EU) | Applies to any business processing data about individuals in the EU, regardless of company location |
CCPA (California) | Grants similar rights to California residents, with a focus on sale/sharing of personal information |
LGPD (Brazil) | Similar to GDPR in scope and enforcement |
PIPEDA (Canada) | Supports access and correction, with sector-specific applications |
Types of Data Subject Requests
Request Type | Description |
---|---|
Access Request | What data is collected, why, from whom, and how long it’s kept |
Rectification Request | Correct inaccurate or outdated info (e.g., wrong job title) |
Erasure Request | Delete all data relating to the subject (e.g., former customers) |
Portability Request | Export data in CSV/JSON for use elsewhere |
Restriction Request | Temporarily stop processing (e.g., during dispute) |
Objection Request | Stop processing data for marketing or profiling |
Do Not Sell Request | Under CCPA, block transfer of data to third parties for value |
How to Handle a DSR (Workflow)
- Verify Identity
  Ensure the requester is who they say they are. Ask for confirming information (without collecting excessive data).
- Acknowledge the Request
  Confirm receipt of the request within the required timeframe (24–72 hours ideally).
- Locate the Data
  Search internal systems (CRMs, enrichment tools, analytics platforms, third parties).
- Review the Request Type
  Determine whether the request is for access, deletion, correction, etc.
- Act on the Request
  Complete the requested action (e.g., deleting data or providing a download link).
- Respond within Deadline
  - GDPR: 30 days
  - CCPA: 45 days (can be extended by 45 more with notice)
- Log the Request
  Maintain an audit trail of the request, actions taken, and date closed.
B2B DSRs: Are They Required?
Yes. Even in B2B lead generation, work emails tied to identifiable individuals are considered personal data under GDPR and CCPA.
For example:
- 📧 john.smith@company.com is personal data under GDPR
- CUFinder must provide data access, correction, or removal upon request
- Clients using CUFinder should maintain DSR workflows for any enriched data stored or used
How CUFinder Supports DSR Compliance
CUFinder enables customers to:
- ✅ Request access to enriched data tied to individuals
- ✅ Offer removal or correction options upon data subject request
- ✅ Integrate a compliant privacy policy and contact form
- ✅ Maintain logs for DPA compliance
- ✅ Meet legal obligations under GDPR, CCPA, and similar frameworks
Risks of Ignoring DSRs
Risk Area | Consequences |
---|---|
🧾 GDPR fines | Up to €20M or 4% of annual global turnover |
💸 CCPA fines | Up to $7,500 per violation |
🤝 Reputational harm | Negative press and loss of customer trust |
📉 Operational risk | Loss of business due to non-compliance |
⚖️ Litigation | Individual lawsuits or class actions (especially under CCPA) |
Best Practices for Managing DSRs
✅ Set up a dedicated request form on your website
✅ Use a privacy management tool or CRM flag for tracking DSRs
✅ Limit the amount of manual processing via automation
✅ Train staff on DSR handling and identity verification
✅ Review vendor contracts and ensure they support DSR fulfillment
✅ Log all DSRs for audit trail and internal tracking
Related Terms
- GDPR
- CCPA
- Data Breach
- Consent Management
- Privacy Policy
- CRM Enrichment
- Publicly Available Data
- Data Processing Agreement
FAQ
What is a DSR?
A DSR is a formal request from an individual to access, delete, correct, or export their personal data held by a business under privacy laws like GDPR or CCPA.
Does GDPR require DSR response?
Yes — under GDPR, you must respond to a DSR within 30 days, and be able to provide, correct, or erase the requested data.
Can B2B contacts submit DSRs?
Yes. GDPR applies to any personal data, including business email addresses tied to identifiable individuals.
What is the difference between a DSR and a DSAR?
They are often used interchangeably. DSR (Data Subject Request) is the umbrella term, while DSAR (Data Subject Access Request) is a specific type of DSR for accessing data.
How does CUFinder support DSRs?
CUFinder offers tools for users and clients to request data access or deletion, maintains opt-out mechanisms, and signs compliant DPAs with enterprise customers.