Data Subject Access Request
Handle access, export, and erasure requests end to end — with identity checks, an evidence packet, and a 30-day clock.
A Data Subject Access Request (DSAR) is a person exercising their privacy rights — to see, export, correct, or delete the data you hold on them. Pact gives you an inbox to run these end to end, with the audit trail regulators expect.
Request types
| Type | Right |
|---|---|
| Access | See the data held (GDPR Art. 15) |
| Delete | Erasure / right to be forgotten (Art. 17) |
| Rectify | Correction (Art. 16) |
| Port | Portable export (Art. 20) |
Requests can be received by email, web form, API, or phone, and that origin is recorded.
The clock
Every request starts a 30-day statutory clock. The inbox shows "days left" and surfaces overdue requests first, with a summary of how many are pending, in progress, fulfilled, rejected, and overdue — so nothing quietly blows its deadline.
Identity verification
Before any data is released, the requester must clear a verification ladder:
- Email confirm — they click a confirmation link.
- ID upload — a government ID is uploaded; only its SHA-256 hash is kept, and the document itself is discarded.
- Manual review — a human signs off.
Once all three are recorded, the request moves from pending to in progress automatically.
Verify before you disclose
Releasing data to an unverified requester is itself a breach. The ladder exists so you never hand a subject's data to an impersonator.
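The ladder and the disclosure gate it implies can be modelled in a few lines. This is an added example, not Pact's own code: the class, method, and field names (`DsarRequest`, `record_step`, `release`, the rung identifiers) are hypothetical, and the sample email, dates, and ID bytes are constructed.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import date, timedelta

LADDER = ("email_confirm", "id_upload", "manual_review")  # hypothetical rung names
CLOCK_DAYS = 30  # the statutory clock stated on this page


@dataclass
class DsarRequest:
    subject_email: str
    received: date
    status: str = "pending"
    steps: dict = field(default_factory=dict)  # rung -> evidence reference

    def record_step(self, rung: str, evidence: str) -> None:
        if rung not in LADDER:
            raise ValueError(f"unknown verification rung: {rung}")
        self.steps[rung] = evidence
        # Automatic transition once every rung has been recorded.
        if self.status == "pending" and all(r in self.steps for r in LADDER):
            self.status = "in_progress"

    def record_id_upload(self, document: bytes) -> None:
        # Keep only the SHA-256 digest; the document bytes are never stored here.
        self.record_step("id_upload", hashlib.sha256(document).hexdigest())

    def days_left(self, today: date) -> int:
        # Negative means the request is overdue.
        return (self.received + timedelta(days=CLOCK_DAYS) - today).days

    def release(self, packet: dict) -> dict:
        # Disclosure gate: refuse unless the full ladder has been cleared.
        missing = [r for r in LADDER if r not in self.steps]
        if missing or self.status != "in_progress":
            raise PermissionError(f"verification incomplete: {missing}")
        return packet


def demo():
    req = DsarRequest("subject@example.com", date(2024, 1, 1))  # constructed sample
    req.record_step("email_confirm", "link-clicked")
    req.record_id_upload(b"constructed sample ID scan bytes")
    try:
        req.release({"consent": []})  # two of three rungs: must be refused
        blocked = False
    except PermissionError:
        blocked = True
    req.record_step("manual_review", "reviewer:alice")
    return blocked, req.status, req.days_left(date(2024, 1, 21)), req.steps["id_upload"]
```

The gate lives in `release` rather than in the caller, so every export path fails closed when a rung is missing.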
The evidence packet
Collecting a subject's data is one idempotent action. Pact assembles an evidence packet that pulls together their consent ledger and projection state, suppression entries, send history and engagement, timeline and identity records, plus a downstream-impact preview (queued sends, active enrollments) so you can see what an erasure will touch.
- Access / Port returns the packet as the export.
- Delete runs erasure: PII is nulled on events, the projection is hard-deleted, and an erasure_executed event is appended so the audit trail survives the deletion (GDPR Art. 17(3)(e)).
Every fulfillment or rejection records who acted, when, and why.