Data Subject Rights Request Handling
How TrialStack receives, verifies, routes, fulfils, and records data subject rights requests under GDPR.
1. Handling Procedure
- Requests are received at gitte@trialstack.com and logged on receipt.
- Requester identity is verified before any personal data is disclosed, corrected, erased, restricted, ported, or otherwise actioned.
- Requests are fulfilled within one month. A single extension of up to two additional months may be used for complex requests, with the data subject informed before the initial one-month deadline expires.
- Where TrialStack acts as processor on behalf of a customer acting as controller, the request is forwarded to the controller and actioned only on the controller’s documented instruction.
- Each request, decision, response, and resolution is recorded in the DSAR log.
2. Request Intake
TrialStack accepts rights requests by email to gitte@trialstack.com. Requests may cover access, rectification, erasure, restriction, portability, objection, or withdrawal of consent where processing relies on consent.
For each request, the DSAR log records:
| Field | Purpose |
|---|---|
| Date received | Starts the response deadline clock |
| Requester name and contact details | Identifies the request and response channel |
| Right exercised | Classifies the request type |
| Controller or processor role | Determines whether TrialStack can act directly or must route to a customer controller |
| Identity verification status | Confirms whether disclosure or action is permitted |
| Due date and extension status | Tracks the one-month deadline and any justified extension |
| Outcome and response date | Documents fulfilment, refusal, routing, or closure |
| Remediation notes | Captures SLA breaches, repeat issues, and follow-up actions |
3. Identity Verification
TrialStack verifies identity before disclosing or changing personal data. Verification should be proportionate to the data involved and may include confirming the requester’s email address, account relationship, organization, or other information already held by TrialStack.
If identity cannot be verified, TrialStack asks for the minimum additional information needed to confirm the request. The request is not fulfilled until verification is complete.
4. Controller And Processor Routing
When TrialStack is the controller for the relevant personal data, TrialStack reviews and responds to the request directly.
When TrialStack processes the relevant personal data on behalf of a customer controller, TrialStack forwards the request to the controller without undue delay and follows the controller’s documented instruction. TrialStack does not independently decide the outcome for customer-controlled data unless legally required.
5. Deadlines And Extensions
TrialStack responds to verified requests within one month of receipt. For complex or numerous requests, TrialStack may extend the deadline by up to two additional months.
Any extension must be documented in the DSAR log and communicated to the data subject within the initial one-month period, including the reason for the delay.
6. Outcomes
Each request is closed with one documented outcome:
| Outcome | When to use |
|---|---|
| Fulfilled | The requested access, correction, deletion, restriction, portability, objection, or consent withdrawal action was completed |
| Partially fulfilled | Part of the request was completed and part was limited by legal, contractual, security, or controller-instruction constraints |
| Rejected | The request could not be fulfilled, with the reason documented |
| Routed to controller | TrialStack acted as processor and forwarded the request to the relevant customer controller |
| Withdrawn or abandoned | The requester withdrew the request or did not complete required verification |
7. Review And Remediation
The DSAR log is reviewed periodically for overdue requests, extension patterns, repeated identity-verification issues, and unresolved controller-routing delays.
Any SLA breach or systemic issue must be assigned an owner, remediated, and recorded in the log.
8. Contact
Data Protection Officer
TrialStack ApS
gitte@trialstack.com
trust.trialstack.com