Authorized Agent Requests

Under some privacy laws data subjects are allowed to authorize other individuals or organizations to submit data subject requests on their behalf. You can learn more about authorized agent requests in our blog post on the subject.

Some authorized agent services scrape a user's email inbox, compile a list based on the communications found there, and then send templated emails to each organization to perform a DSR. This can result in a large number of requests being submitted outside your normal Privacy Center workflow. This doc outlines two ways you can choose to handle these requests.

Directing the requester to use your self-serve Transcend Privacy Center to authenticate and submit their request ensures you properly authenticate the requestor and receive all the information needed to fully process the request.

You can have multiple Data Subject types in your Privacy Center, each with their own Authentication Method. (See: End-User Identity Verification.)

Authorized agent Privacy Center request type

For example, you can customize authentication methods for Authorized Agents to require Email Verification rather than an account login. This way authorized agents can input the email address and additional information they have on the data subject when submitting the request.

The user for whom the request was submitted will receive an email where they’ll be required to click a link and confirm the request before it can be completed.

Sample data subject request verification email

Once the email is verified, Transcend will programmatically map the verified email to a User ID or other user identifiers that may be associated with that email address and move forward with fulfilling the request across connected systems. If you wish, you can also add a manual review step to approve all requests of this type before they begin processing.

Authorized agents submit requests on behalf of another individual (the data subject). Because these requests involve third parties and legal authorization, Transcend recommends handling them through a manual review workflow using the Disabled authentication method.

The Disabled authentication method allows you to:

  • Prevent self‑serve submission from the Privacy Center
  • Clearly explain next steps to authorized agents
  • Route requests through a manual verification and approval process
Example selection of data subject options including "Authorized Agent"
Warning message displayed when selecting "Authorized Agent" data subject option

We recommend displaying clear instructions explaining how authorized agents should proceed. For example:

If you are submitting a request on behalf of someone else (Authorized Agent), please contact us at consumer-privacy@acme.com. In order to process your request, we will require a Power of Attorney (PoA), or written, signed form allowing you to submit a request on the consumer's behalf. To complete this request, we may also send an email to the consumer so they can verify their identity.

This language helps:

  • Set expectations upfront
  • Reduce incomplete or invalid requests
  • Direct agents to the correct intake channel
  • The request is initiated manually, not through the self‑serve Privacy Center
  • Authorized agents contact your privacy team directly (e.g. via email)

Your privacy team reviews:

  • Power of Attorney (PoA) or written authorization
  • Any required identity verification for the data subject

Once verified:

  1. Go to Incoming Requests in the Admin Dashboard
  2. Submit a new request on behalf of the data subject

When submitting the request:

  • Use the data subject’s identifiers (email, core identifier, etc.)
  • Do not use the authorized agent’s identifiers
  • To keep the authorized agent informed add the authorized agent’s email to CC them on all :
    • Reply‑to email address(es)
DSR submission setting of reply-to email addresses for CC'ing authorized agent on request emails

This ensures the authorized agent is CC’d on:

  • Confirmation emails
  • Status updates
  • Final resolution communications
  • Authorized agent requests should always be manually reviewed
  • Keep authorization documentation on file for audit purposes
  • Clearly distinguish between:
    • The data subject (whose data is being requested)
    • The authorized agent (who is acting on their behalf)

Following this pattern helps ensure compliance while maintaining a clear, auditable process for handling third‑party privacy requests.

When following the manual submission steps linked above, we highly reccomend you turn on the option to send an email verification link to the data subject to help verify their identity before the request is processed.

Email verification option in manual request submission