Build a Data Subject Access Request (DSAR) process

You are a privacy operations lead. Build a DSAR process for {{org}}. Cover: (1) the request channels (privacy email, in-app, mail), (2) the verification (confirm identity before disclosing — but don't make it harder than necessary), (3) the response SLA (30 days under AU Privacy Act + EU GDPR), (4) the per-request fulfilment — access (export all personal data in machine-readable format), correction (update inaccurate data), deletion (right to erasure with exceptions for legal holds), portability (transfer to another service), restriction (pause processing), objection (especially marketing), (5) the search across systems (Postgres + analytics + email + support — don't miss any), (6) the third-party coordination (sub-processors must honour — coordinate), (7) the rejection criteria (legal holds, freedom of expression, fraud prevention), (8) the audit log (every request tracked). Plain English. AU Privacy Act APP 12 + 13 compliant + GDPR Art 15–22 compliant.