
DSAR Volume Is Surging: How to Respond to 500...

The Irish DPC fined LinkedIn 310M EUR and Meta 251M EUR in 2024. Growing awareness of DPA enforcement is driving DSAR volume up sharply.

April 19, 2026 · 8 min read
DSAR processing automation, data subject access request, GDPR Article 12 response, third-party PII removal, batch DSAR anonymization

The DSAR Volume Problem

GDPR Article 12 requires organizations to respond to Data Subject Access Requests within one month, with a possible two-month extension for complex requests. The one-month clock is absolute — no grace period, no good-faith exception. Non-compliance with response timeframes is independently sanctionable regardless of the underlying data protection practices.

Major DPA enforcement actions in 2024 — the Irish DPC's €310 million fine against LinkedIn for behavioral advertising without valid consent and €251 million against Meta for data breach notification failures — drove significant public awareness of data subject rights. Following each major fine, DPAs typically run accompanying awareness campaigns, and DSAR volumes increase as data subjects learn they have rights to exercise.

The EDPB's 2024 Coordinated Enforcement Framework focused on right-of-access failures — directly addressing the quality and timeliness of DSAR responses. Organizations that cannot demonstrate compliant DSAR processing are at heightened risk as the EDPB's enforcement focus shifts to access rights.

The Third-Party PII Problem

DSAR response preparation has a specific complication that multiplies the manual work burden: third-party PII.

When a data subject requests all personal data held about them, the organization must provide the information. But the records held about the data subject may contain references to other individuals — customer service notes that mention other customers, email threads that include other employees' contact details, complaint records that reference third parties. Providing these records to the requesting data subject exposes the third parties' personal data in violation of their rights.

Compliant DSAR response requires reviewing every document in the response package for third-party PII and anonymizing those references before sending. For a telecommunications company with 300 DSARs per month, each involving 50 service notes and communications, this means reviewing 15,000 documents monthly for third-party PII references — exclusively for DSAR compliance.

Manual review at this scale is not feasible within the Article 12 one-month window. A compliance team of three cannot review 15,000 documents monthly alongside their other obligations. The only scalable approach is automated batch processing with a preset configured for third-party PII removal.

The Batch Processing Architecture

A "DSAR response" preset configured for third-party PII removal: the preset detects all person names, contact information, and identifying references within the documents. It applies anonymization to all detected references except those explicitly belonging to the requesting data subject (identified by name and account number at the start of the batch job). Other customers named in the records, employees referenced in service notes, and third parties mentioned in correspondence are anonymized before the document package is assembled for the data subject's response.

Processing 50 documents per DSAR request takes minutes rather than hours. The compliance team reviews the anonymized output for quality and edge cases rather than performing the initial review. DSAR response time reduces from weeks to days.
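The keep-the-requester, anonymize-everyone-else logic described above can be sketched as follows. This is an added example, not the product's own code; the regex detectors, the `ACC-` account format, the function names and the sample records are all assumptions constructed for illustration.

```python
import re

# Stand-in detectors (assumption): production systems use NER for names;
# these patterns only need to cover the constructed sample below.
DETECTORS = {
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "ACCOUNT": re.compile(r"\bACC-\d{6}\b"),          # hypothetical format
    "PHONE": re.compile(r"\+\d[\d -]{7,}\d"),
    "PERSON": re.compile(r"\b[A-Z][a-z]+ [A-Z][a-z]+\b"),
}

# Constructed sample records for one DSAR; the requester is Maria Keane.
SAMPLE_DOCS = [
    "Call note: Maria Keane (ACC-482913) said her bill was merged with that "
    "of Tom Breen (ACC-771204, tom.breen@example.com).",
    "Follow-up: agent Sean Doyle called Tom Breen on +353 1 555 0100 about "
    "the bill of Maria Keane.",
]

def _norm(value):
    """Case- and whitespace-insensitive key for comparing identifiers."""
    return " ".join(value.lower().split())

def redact_third_parties(documents, subject_identifiers):
    """Anonymize every detected identifier except the requester's own.

    A third-party value maps to the same placeholder across the whole batch.
    """
    keep = {_norm(v) for v in subject_identifiers}
    placeholders, counters = {}, {}

    def replace(kind, match):
        key = _norm(match.group(0))
        if key in keep:
            return match.group(0)          # requester's data stays readable
        if key not in placeholders:
            counters[kind] = counters.get(kind, 0) + 1
            placeholders[key] = f"[{kind}_{counters[kind]}]"
        return placeholders[key]

    redacted = []
    for text in documents:
        for kind, pattern in DETECTORS.items():
            text = pattern.sub(lambda m, k=kind: replace(k, m), text)
        redacted.append(text)
    return redacted, placeholders

if __name__ == "__main__":
    out, _ = redact_third_parties(SAMPLE_DOCS, ["Maria Keane", "ACC-482913"])
    print("\n".join(out))
```

Identifiers the requester is known by but that are missing from the keep list (an email address, a phone number) are redacted like any third party's, so the subject list supplied at the start of the batch job has to be complete.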
