# GDPR Implementation
The General Data Protection Regulation (GDPR) requires organizations to implement data subject rights, lawful basis tracking, and processing records. Dxtra provides workflows and tools to support these requirements.
**GDPR Scope**

- Applies to: processing of EU/EEA residents' personal data, regardless of the organization's location.
- Key timelines: 30 days for rights requests (extendable to 60 days); 72 hours for breach notification to supervisory authorities.
## Data Subject Rights
Dxtra supports the following GDPR rights through the Transparency Center and dashboard:
### Right to Access (Article 15)
Data subjects can request information about their personal data and how it is processed.
- Request submitted via Transparency Center or dashboard
- Identity verification tracked before processing
- Request status tracked through resolution
### Right to Rectification (Article 16)
Data subjects can request correction of inaccurate personal data.
- Rectification requests logged with description of required changes
- Handlers notified for manual review
- Resolution tracked via status updates
### Right to Erasure (Article 17)
Data subjects can request deletion of their personal data ("right to be forgotten").
- Erasure request triggers notification to handlers
- Integration with data processors for deletion propagation
- Status tracking through completion
### Right to Data Portability (Article 20)
Data subjects can receive their data in a portable format or have it transferred to another controller.
- Data Copy -- Export personal data in structured format
- Data Transfer -- Transfer data to specified controller
### Right to Object (Article 21)
Data subjects can object to processing, including profiling and tracking.
- No Profile -- Object to automated profiling
- No Track -- Object to tracking activities
- Preferences stored and propagated to integrations
### Right to Restriction (Article 18)

Restriction requests are handled via the "Other" request type, with the description field specifying the restriction requirements.
## Legal Basis Management
Processing purposes require documented legal basis per GDPR Article 6.
### Supported Legal Bases

| Legal Basis | GDPR Citation | Use Case |
|---|---|---|
| Consent | Article 6(1)(a) | Marketing, optional features |
| Contractual necessity | Article 6(1)(b) | Order processing, account management |
| Legal obligation | Article 6(1)(c) | Tax records, regulatory compliance |
| Vital interests | Article 6(1)(d) | Emergency situations |
| Public interest | Article 6(1)(e) | Government/public sector |
| Legitimate interests | Article 6(1)(f) | Fraud prevention, security |
### Regional Citation References
Dxtra includes legal basis citations for 40+ jurisdictions:
- EU GDPR -- Article 6(1)(a-f) citations
- UK GDPR -- Equivalent UK regulation citations
- EEA states -- Norway, Iceland, Liechtenstein
- Adequacy countries -- Switzerland, Japan, South Korea, etc.
- US state laws -- CCPA/CPRA, VCDPA, CPA, UCPA, etc.
- Other jurisdictions -- Brazil (LGPD), China (PIPL), India (DPDP), etc.
### Configuring Processing Purposes
In the Dxtra dashboard, navigate to Purposes to configure each processing purpose with:
- Clear name and description of the processing activity
- Legal basis selection (from the six Article 6 options)
- Retention period (how long data is kept)
- Usage period (active processing duration)
- Whether the processing is essential for service delivery
## Consent Management
For consent-based processing, Dxtra provides consent form templates and tracking.
### Consent Workflow
- Configure consent form from templates in the dashboard
- Link consent to processing purposes
- Publish form to the Transparency Center
- Track data subject consent values
- Handle consent withdrawal requests
## Article 30 Records
GDPR Article 30 requires records of processing activities. Dxtra tracks this through processing purposes, processing activity logs, and data processor configurations.
See GDPR Article 30 for detailed record-keeping guidance.
## Rights Request Permissions
Access to rights requests is controlled by user role:
| Role | Permissions |
|---|---|
| Data Subject | Submit and view own requests |
| Admin / Owner | Full access to all requests |
| Business Owner | View and update requests |
| Data Protection Officer | View and update requests |
| Data Controller | View and update requests |
| Agency Reseller | View and update client requests |
| Auditor / Regulator | Read-only access |
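The table above describes who may do what, but a practitioner also has to decide which requests each role's permissions apply to (a data subject only sees their own, an agency reseller only their clients', auditors read everything but change nothing). The following Python is an added illustration, not Dxtra's own code: it transcribes the table into a default-deny policy and adds an explicit scope check. The role identifiers, the `scope` values, and the assumption that a reseller's clients are modelled as a set of controller IDs are this example's own.

```python
from dataclasses import dataclass

# Actions a user may take on a rights request (names chosen for this example).
SUBMIT, VIEW, UPDATE = "submit", "view", "update"

# Role policy transcribed from the permissions table. "scope" is an assumption
# of this example: it states WHICH requests the listed actions apply to.
ROLE_POLICY = {
    "data_subject":            {"actions": {SUBMIT, VIEW},         "scope": "own"},
    "admin":                   {"actions": {SUBMIT, VIEW, UPDATE}, "scope": "all"},
    "owner":                   {"actions": {SUBMIT, VIEW, UPDATE}, "scope": "all"},
    "business_owner":          {"actions": {VIEW, UPDATE},         "scope": "all"},
    "data_protection_officer": {"actions": {VIEW, UPDATE},         "scope": "all"},
    "data_controller":         {"actions": {VIEW, UPDATE},         "scope": "all"},
    "agency_reseller":         {"actions": {VIEW, UPDATE},         "scope": "clients"},
    "auditor":                 {"actions": {VIEW},                 "scope": "all"},
    "regulator":               {"actions": {VIEW},                 "scope": "all"},
}


@dataclass(frozen=True)
class User:
    user_id: str
    role: str
    # Controllers an agency reseller manages (assumed data model for this example).
    client_ids: frozenset = frozenset()


@dataclass(frozen=True)
class RequestRecord:
    request_id: str
    subject_id: str      # data subject who submitted the request
    controller_id: str   # controller (client) the request is addressed to


def in_scope(user: User, scope: str, request: RequestRecord) -> bool:
    """Return True if the request falls within the user's permitted scope."""
    if scope == "all":
        return True
    if scope == "own":
        return request.subject_id == user.user_id
    if scope == "clients":
        return request.controller_id in user.client_ids
    return False  # unknown scope value: deny


def is_allowed(user: User, action: str, request: RequestRecord) -> bool:
    """Default-deny check: unknown roles, unlisted actions and out-of-scope
    requests are all refused."""
    policy = ROLE_POLICY.get(user.role)
    if policy is None:
        return False
    if action not in policy["actions"]:
        return False
    return in_scope(user, policy["scope"], request)


if __name__ == "__main__":
    # Constructed sample data, not real users or requests.
    alice = User("u-alice", "data_subject")
    reseller = User("u-res", "agency_reseller", frozenset({"ctrl-1"}))
    req = RequestRecord("req-1", subject_id="u-alice", controller_id="ctrl-1")
    print("alice views own request:", is_allowed(alice, VIEW, req))
    print("alice updates request:  ", is_allowed(alice, UPDATE, req))
    print("reseller updates client:", is_allowed(reseller, UPDATE, req))
```

The scope check is what keeps the table honest in practice: a role lookup alone would let any data subject view any request once the "view" bit is set.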
## Response Timeline Tracking
GDPR requires response within 30 days (extendable to 60 days for complex requests).
The dashboard shows each request's creation date and current status. Calculate the remaining time from the creation date (30 days, or 60 days if the request has been extended) to meet the compliance deadline.
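Because the dashboard exposes only the creation date and status, the deadline arithmetic is left to the operator. The Python below is an added example (not Dxtra's code) of doing it systematically: each open request gets a deadline from its creation date using the 30-day period, or the 60-day period when it has been extended, and a triage report sorts open requests by urgency and flags those that are overdue or due within a warning window. The status values, the `extended` flag and the `warn_days` threshold are this example's assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Periods as stated on this page: 30 days, extendable to 60 days for complex requests.
STANDARD_DEADLINE_DAYS = 30
EXTENDED_DEADLINE_DAYS = 60


@dataclass
class RightsRequest:
    request_id: str
    created: date
    status: str              # assumed values: received, verifying, in_progress, resolved
    extended: bool = False   # True once the period has been extended to 60 days

    def deadline(self) -> date:
        days = EXTENDED_DEADLINE_DAYS if self.extended else STANDARD_DEADLINE_DAYS
        return self.created + timedelta(days=days)

    def days_remaining(self, today: date) -> int:
        """Whole days until the deadline; negative once it has passed."""
        return (self.deadline() - today).days


def triage(requests, today: date, warn_days: int = 7):
    """Return open requests sorted most-urgent first, each labelled
    'overdue', 'due_soon' (within warn_days) or 'on_track'."""
    report = []
    for r in requests:
        if r.status == "resolved":
            continue  # closed requests need no deadline tracking
        remaining = r.days_remaining(today)
        if remaining < 0:
            state = "overdue"
        elif remaining <= warn_days:
            state = "due_soon"
        else:
            state = "on_track"
        report.append({
            "request_id": r.request_id,
            "deadline": r.deadline(),
            "days_remaining": remaining,
            "state": state,
        })
    report.sort(key=lambda row: row["days_remaining"])
    return report


if __name__ == "__main__":
    # Constructed sample requests; dates are illustrative only.
    today = date(2024, 1, 25)
    sample = [
        RightsRequest("req-a", date(2024, 1, 1), "in_progress"),
        RightsRequest("req-b", date(2024, 1, 1), "in_progress", extended=True),
        RightsRequest("req-c", date(2023, 12, 1), "verifying"),
        RightsRequest("req-d", date(2024, 1, 20), "resolved"),
    ]
    for row in triage(sample, today):
        print(f"{row['request_id']}: due {row['deadline']} "
              f"({row['days_remaining']:+d} days) -> {row['state']}")
```

Running the report daily, rather than reading dates off the dashboard by hand, is what makes the 30-day deadline in the scope note something a team can actually evidence to an auditor.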
## Implementation Checklist
- Configure data controller profile with DPO contact
- Define processing purposes with legal basis
- Set up consent forms for consent-based processing
- Enable Transparency Center for rights requests
- Configure integrations for data processor tracking
- Test rights request workflow end-to-end
- Train team on request handling procedures
## Related Documentation
- GDPR Article 30 -- Processing records requirements
- Data Retention -- Retention policy configuration
- Incident Response -- Breach notification procedures
- CCPA Implementation -- California privacy law
- Data Controller Setup -- Initial configuration