LET'S TALK
← All work
GDPR Art 12(3)CCPA §1798.130CPRAVCDPAQuebec Law 25DSAR OpsDeep Prototype

DSARQueue — Subject Access Request Backlog

24 active DSARs across GDPR, CCPA, CPRA, VCDPA, and Quebec Law 25. Per-request statutory clock (GDPR Art 12(3) 30-day, CCPA 45-day, Quebec 30-day), request type, identity-verification status, 6-stage workflow, and the analyst assignment. One request is already OVER deadline (Twilio gap from RtbfFlow) and the response is documented.

DSARQueue — Subject Access Request Backlog preview
Open live →

What it is

The shape behind every DSAR-ops backlog (OneTrust, Transcend, DataGrail, WireWheel). Scale 5 regulations into one queue with a single sort key: days remaining on the statutory clock.

What’s in it

  • 24 active requests across 5 regulations:
    • GDPR (30-day deadline + 2× 30-day extension under Art 12(3))
    • CCPA (45-day + 45-day extension under §1798.130)
    • CPRA — including the §1798.121 “limit use of sensitive PI” right
    • VCDPA Virginia (45 days)
    • Quebec Law 25 (Loi 25 §27 — 30 days)
  • 8 request types — access, portability, erasure, rectification, correction, objection, opt-out (sale/share), limit-use sensitive PI.
  • 6-stage workflow with explicit Art mapping per stage:
    1. intake + ID verification (Art 12(6) / §1798.140(z))
    2. scope + record discovery (Art 15(1)(a-h))
    3. sub-process fan-out (Art 17(2) / §1798.105(c))
    4. apply retention exceptions (Art 17(3) / §1798.105(d))
    5. analyst review + redaction (Art 12(1))
    6. deliver + close (Art 12(3))
  • Edge cases seeded:
    • DSAR-09167 — over deadline (Twilio gap, ICO disclosure assessed, defense documented)
    • DSAR-09208 — third-party request with unverified authorized agent (clock paused)
    • DSAR-09211 — minor’s account (parental verification required)
    • DSAR-09213 — subject not found after 3 verification attempts (“no PI held” response prepared)
    • DSAR-09171/09185 — CCPA opt-out 15-day deadline auto-honored via GPP pipeline
  • Sorts by days-remaining-on-clock — the most urgent always at the top.

Why this shape

The Art 12(3) clock is non-negotiable. Every privacy-ops team needs a single view of the backlog with per-request countdown. DSARQueue prototypes that exact view, with the 6-stage workflow that maps to specific regulatory articles. The over-deadline row + the defense documentation pattern is the second-most-important thing — auditors and regulators want to see that the program knows when it failed.

How it ships

Single HTML file, ~19KB. Zero dependencies. 24 requests × 5 regulations × 6 stages + clock math + filter chips in 200 lines of vanilla JavaScript.

Open the tool →