GDPR compliance support
GDPR compliance support: data subject and consent registry, record of processing activities, data breach incidents, data subject requests, data retention policies, Data Protection Impact Assessment (DPIA), reports, and export.
Key Benefits
Data Subjects & Consents
A registry of data subjects with contacts, company, consent status, retention period, and scheduled deletion date. Data subject data export and anonymization. Consent records by type (registration, marketing, profiling, third-party transfer, analytics, cookies) with consent text, dates, and version; consent withdrawal with date recording.
Processing Activities & Retention Policies
Record of personal data processing activities (Article 30): name, description, purpose, data and subject categories, legal basis, storage period, processors, international transfers, security measures; country-specific translations. Data retention policies: data category, retention period, deletion method (deletion, anonymization, pseudonymization, archive), legal basis; translations.
Breach Incidents & Data Subject Requests (DSR)
Data breach incident register: dates, 72-hour notification deadline, affected individuals, data types, severity, status, response measures, authority and subject notification. Data Subject Requests: right of access, rectification, erasure, restriction, portability, objection, automated decisions; 30-day deadline with 60-day extension; processing, response, completion or refusal.
DPIA, Reports & Access
Data Protection Impact Assessment (DPIA): project, processing description, necessity and proportionality, risks, measures, risk level, DPO consultation, approval and review. Compliance dashboard, reports, and export to Excel/PDF. Guide with resources for GDPR implementation and translations. Access by groups and companies with separate permissions for data subjects, DSRs, consents, incidents, DPIAs, activities, policies, and reports.
Features & Capabilities
Data Subjects & Consents
- Data subject registry: first name, last name, email, phone, company, optionally linked to a system user
- Consent status (granted, withdrawn, expired, pending); data retention period in days; last activity date and scheduled deletion date
- Data subject data export; data subject anonymization
- Consent records: type (registration, marketing, profiling, third-party transfer, analytics, cookies), full consent text
- Granted date, withdrawn date, consent expiration date; consent method, text version; IP and user agent
- Consent withdrawal with date recording
Processing Activities & Policies
- Data processing activities (Article 30): name, description, purpose with country-specific translations
- Data categories and data subject categories; legal basis (consent, contract, legal obligation, vital interests, public task, legitimate interests)
- Storage period, retention criteria, data processors; international transfers and safeguards; security measures
- Company and responsible person
- Retention policies: name and description with translations, data category, retention period, deletion method (deletion, anonymization, pseudonymization, archive), legal basis, automatic application
Breach Incidents & DSRs
- Data breach incidents: number, name, description, incident and discovery dates, notification deadline
- Number of affected individuals, data types; severity (low, medium, high, critical); status (detected, under investigation, contained, resolved, authority notified)
- Actions taken, mitigation and prevention measures; supervisory authority and data subject notification; assignment of responsible person
- Data Subject Requests (DSR): type (access, rectification, erasure, restriction, portability, objection, automated decisions), subject, description
- Deadline of 30 days, 60-day extension; status (pending, in progress, completed, rejected, extended); response, sending date, reason for refusal; identity verification
DPIA, Reports & Access
- Data Protection Impact Assessment (DPIA): number, project/system name, processing description, data types and subjects
- Necessity and proportionality assessment; identified risks; mitigation measures; overall and residual risk level
- Stakeholder and DPO consultation; status (draft, under review, approved, rejected, needs revision); approval and review date
- Compliance dashboard; reports; export reports to Excel and PDF
- Guide with resources (checklists, templates, forms, etc.) and translations; resource download
- Access by groups and companies; permissions for data subjects, DSRs, consents, incidents, DPIAs, activities, policies, dashboard, and reports
Use Cases
Data Subject Registry and Consents
Maintain a register of individuals whose data is processed: name, contacts, company. Specify consent status, retention period, and scheduled deletion date according to policy. Record consents by type (marketing, analytics, cookies, etc.) with full text and dates. Upon consent withdrawal, mark the record as inactive and record the date. Export data subject data or perform anonymization as needed.
Record of Processing (Article 30) and Retention Policies
Maintain a register of personal data processing activities: name, description, purpose, data and subject categories, legal basis, storage period, processors, international transfers, and security measures. Use country-specific translations for multilingual policies. Separately configure data retention policies by category with a retention period and deletion method (deletion, anonymization, archive) to comply with minimization and storage limitation requirements.
Breach Incidents and Data Subject Requests
Record data breach incidents: incident and discovery dates, number of affected individuals, data types. The system calculates the supervisory authority notification deadline (72 hours). Track the status from detection to authority and subject notification; record actions taken and preventive measures. Handle Data Subject Requests (access, rectification, erasure, portability, etc.): 30-day deadline, optionally a 60-day extension, assign a responsible person, provide a response and completion or refusal with a reason.
Data Protection Impact Assessment (DPIA) and Reports
Conduct a Data Protection Impact Assessment for new projects or systems: processing description, data types and subjects, necessity and proportionality, identified risks, mitigation measures, overall and residual risk level. Consult with the DPO and stakeholders. Approve the assessment and specify the next review date. Use the compliance dashboard and reports with export to Excel/PDF for audits and management.
Access Segregation by Company
Access to the GDPR module is configured by user groups. Each group is assigned a list of companies — users only see data from those companies. Separate permissions: data subjects (view, edit, export), DSRs (view, process, approve/reject), consents, breach incidents (view, create/edit, notify, investigate), DPIAs (conduct, approve), activities and policies (edit), dashboard and reports.
Technical Details
Architecture
GDPR module: data subjects linked to a company and optionally to a system user; consent records by type with text and dates. Record of processing activities with name/description/purpose translations by country; legal basis, storage period, processors, transfers, security measures. Breach incidents with automatic 72-hour deadline; Data Subject Requests (DSR) with a 30-day deadline and 60-day extension. Retention policies with translations; DPIA with risks and approval. Compliance dashboard, reports, Excel/PDF export. Guide with resources (files) and content translations. Data in the project database.
Security
Access is managed by groups and a company list; permission checks when viewing and modifying data subjects, consents, activities, incidents, DSRs, policies, and DPIAs. Data subject data export and anonymization are permission-restricted. CSRF protection and input validation. Guide resource files are stored with access restrictions.
Scalability
Lists of data subjects, consents, activities, incidents, DSRs, policies, and DPIAs with pagination and filtering; queries linked to the company. Reports and export are handled within a typical request. Suitable for standard project deployment.
Customization
Consent types; legal bases for processing; deletion methods in retention policies; incident, DSR, and DPIA statuses. Separate group-based access permissions: data subjects, DSRs, consents, incidents, DPIAs, activities, policies, dashboard, reports. Company list for visibility restriction. Guide with resource categories (checklist, template, form, etc.) and country-specific translations.
Frequently Asked Questions
A data subject is a natural person whose data is processed. The module stores first name, last name, email, phone, and optionally a link to a company and a system user. For the data subject, consent status (granted, withdrawn, expired, pending), data retention period in days, and scheduled deletion date are specified. Data subject data export and anonymization (replacing personal data with non-identifiable data) are available.
GDPR (Article 30) requires maintaining a record of personal data processing activities: the name and purpose of processing, categories of subjects and data, recipients, storage period, security measures, etc. The module allows maintaining such a record with a legal basis, processors, international transfers, and translations of the name/description/purpose by country for multilingual policies.
According to the GDPR, in the event of a personal data breach, the controller must notify the supervisory authority no later than 72 hours after becoming aware of the breach (unless it is unlikely to result in a risk to individuals' rights). In the module, when creating an incident, the discovery date is specified — the system automatically calculates the notification deadline (72 hours from the discovery date) to monitor compliance with this requirement.
The GDPR stipulates that the response to a data subject request (access, rectification, erasure, etc.) must be provided no later than one month (30 days). In complex cases, the deadline may be extended by a further two months (60 days) with justification. In the module, each request has a default 30-day deadline; a 60-day extension is available, changing the status to "extended".
DPIA (Data Protection Impact Assessment) is required when processing is likely to result in a high risk to the rights and freedoms of individuals (e.g., profiling, large-scale processing of sensitive data). In the module, a DPIA is conducted: project and processing description, necessity and proportionality assessment, identified risks, mitigation measures, overall and residual risk level, DPO consultation, approval, and review date.
Access is configured by user groups. Each group is assigned a list of companies; users can see and work only with data from those companies (data subjects, activities, incidents, DSRs, policies, DPIAs). If the company list is not specified, the group has access to all companies. Separate permissions are set for data subjects (view, edit, export), DSRs (process, approve), consents, breach incidents, DPIAs, activities, policies, dashboard, and reports.
Yes. The module includes a guide with resources for GDPR implementation: checklists, templates, letter templates, forms, instructional documents, etc. Resources can be downloaded. The guide's content supports country-specific translations and optional AI-powered translation (depending on project implementation).