For DPOs & compliance teams

Art. 15 requests with structure — and the deadline in sight

A structured intake channel for GDPR access requests: identity details, data-subject status, request scope — all captured at once. The one-month deadline starts with complete data instead of an informal mail to the wrong address.

Start template
What gets captured?

~1 Woche of clarification time saved per access request (identity + scope)

How requests arrive today

Informal, to any address

The access request lands at info@, with sales or in the support inbox — and sits there for days while the one-month deadline under Art. 12(3) GDPR is already running. From receipt, not from forwarding.

No identity verification

"Please send me all data about me" — from a Gmail address not in your system. Disclosure to the wrong person is itself a data breach; so the identity ping-pong begins.

Deadline tracking in Excel

The DPO maintains an Excel list, chases departments and calculates deadlines by hand. A missed deadline means a complaint to the supervisory authority — and fines under Art. 83(5) can sting.

How Questee fixes this

  1. 1

    Set up and link the intake channel

    Customise the "Art. 15 access request" template and link it in your privacy policy ("exercise your rights"). Requests now arrive bundled in one place — not scattered across inboxes.

  2. 2

    The data subject provides everything needed

    The form captures everything in a structured way: name, contact details, relationship (customer, applicant, newsletter), requested scope (information, copy, recipients) and identity details. Conditional logic branches by data-subject status.

  3. 3

    DPO processes with timestamp

    Every request reaches the DPO timestamped and complete via notification. Receipt date documented, deadline computable, responses exportable for the internal case file — Excel can retire.

Built for data-subject-rights processes

Structured identity details

Customer number, registered e-mail, optional document upload — identity verification starts with substance.

Timestamp per receipt

Receipt date documented automatically — deadline calculation under Art. 12(3) stands on solid ground.

Branching by data-subject status

Applicant, customer, newsletter subscriber — each group gets the matching follow-up questions.

Capture request scope

Information, data copy, recipients, retention — the data subject ticks what they want. No interpretation needed.

Export for the case file

Every request exportable as CSV/PDF — for case documentation and accountability under Art. 5(2).

Hosted in Germany

The data-subject-rights channel itself is GDPR-compliant — German servers, DPA included, no US transfer.

Intake channel instead of enterprise suite

Free to test (3 forms). Pro for ongoing operations (unlimited forms, 10,000 responses/month) — a fraction of a privacy suite.

Free

3 forms, 250 responses/month

Pro

Unlimited, 10,000 responses/month, AI included

View all plans

Answers from DPO practice

May I point data subjects to a form?
You may OFFER a form but not mandate it — Art. 12(2) GDPR obliges you to facilitate the exercise of rights, and informal requests remain valid. In practice most data subjects use the structured route voluntarily because it visibly leads to a faster answer. The win: the majority of your requests arrive complete.
How does identity verification work?
The form asks for identifiers you already know (customer number, registered e-mail, contract number). With reasonable doubts you may request additional information under Art. 12(6) GDPR — the optional document upload covers that. Important: only as much proof as necessary, no blanket ID requirement.
When does the one-month deadline start?
Upon receipt of the request (Art. 12(3) GDPR) — not when it reaches the DPO. That is exactly why the central channel pays off: the request lands at the right place immediately, with a documented timestamp. For complex cases you can extend by two months, but must justify this within the first month.
Does the form cover other data-subject rights?
Yes — you can extend the channel to rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), portability (Art. 20) and objection (Art. 21). A selector question at the start branches to the matching block — one channel for all rights.
Isn't storing data-subject data in yet another tool risky?
Fair question — hence: hosting exclusively in Germany, Art. 28 DPA included, tenant-isolated database, encrypted transfer and configurable retention periods. You can auto-delete request data after case closure — with an audit trail.
Does this replace a privacy management suite?
For SMBs mostly: yes, for this use case. Suites like OneTrust bundle dozens of modules (consent, assessments, vendor risk) at enterprise prices. If your actual problem is unstructured intake of data-subject requests, a structured channel for €9/month solves exactly that — without an implementation project.
How do I link the channel in my privacy policy?
In the "your rights" section link the form as the preferred route ("fastest via our access request form"). The link also belongs on the contact page. Informal routes (e-mail to the DPO) remain alongside — the GDPR requires that.

Your next access request arrives complete

Start template, adapt to your processes, link in your privacy policy. Free trial, no contract.

Try template now