Rights Requests
Process data subject rights requests under GDPR, CCPA, and other privacy regulations.
Overview
Dxtra tracks and manages data subject rights requests (DSARs). Requests can be submitted via:
- Transparency Center widget (self-service portal)
- Dashboard interface (staff-assisted)
- GraphQL API (programmatic)
Supported Request Types
GDPR Rights (Articles 15-22)
| Right | Request Type | Description |
|---|---|---|
| Access | access | Provide copy of personal data (Art. 15) |
| Rectification | rectify | Correct inaccurate data (Art. 16) |
| Erasure | erasure | Delete personal data (Art. 17) |
| Restriction | restrict | Limit data processing (Art. 18) |
| Portability | export | Provide data in portable format (Art. 20) |
| Object | object | Object to processing (Art. 21) |
CCPA Rights
| Right | Request Type | Description |
|---|---|---|
| Right to Know | access | Disclose data collection practices |
| Right to Delete | erasure | Delete personal information |
| Right to Opt-Out | noSale | Opt out of data sale |
Request Processing Workflow
1. Submission
The request is submitted via the Transparency Center widget, dashboard, or API. Status is set to `submitted`.
2. Identity Verification
Verify the requester's identity before processing:
- Email verification link
- Account authentication
- Document verification (for sensitive requests)
3. Assessment
Review the request for:
- Valid request type
- Data subject identification
- Legal basis exceptions (tax records, legal claims)
4. Processing
Execute the request based on type:
Access requests:
- Query data subject records across systems
- Generate data export (JSON, CSV, PDF)
- Prepare response package
Erasure requests:
- Identify all personal data records
- Check for legal retention requirements
- Delete eligible data
- Document exceptions
Rectification requests:
- Identify data to correct
- Update records
- Document changes
5. Response Delivery
Deliver response to the data subject:
- Secure download link (7-day expiry)
- Email notification
- Dashboard notification
Update status to `completed`.
Response Timelines
| Regulation | Initial Response | Full Response |
|---|---|---|
| GDPR | Acknowledge receipt | 30 days (extendable to 90) |
| CCPA | 10 days | 45 days (extendable to 90) |
Dashboard Interface
DSRR History
The Rights Management page displays:
- Request type with icon
- Submission date
- Data subject DID
- Verification status
- Completion status
Actions
From the dashboard you can:
- View request details
- Update verification status
- Process the request
- Mark as complete
Erasure Request Handling
Eligible for Deletion
- Marketing data (consent-based)
- Account preferences
- Support ticket content
- Analytics identifiers
Retention Exceptions
- Tax and accounting records (7 years)
- Active contract data
- Legal claim evidence
- Fraud prevention records
Partial Deletion
When full deletion is not possible:
- Delete eligible data
- Document retention reasons
- Notify data subject of exceptions
- Schedule future deletion where applicable
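The eligible/exception split and the partial-deletion steps above, as an added Python example (not Dxtra's code or API). The category keys, the `plan_erasure` and `add_years` helpers, and the sample records are constructed for illustration, and the retention period is assumed to run from each record's creation date.

```python
from datetime import date

# Category keys are constructed for this example; they mirror the page's two lists.
ELIGIBLE = {"marketing", "account_preferences", "support_ticket", "analytics_id"}
# Retention exception -> years to keep (None = no fixed end date, manual review).
RETAINED = {"tax_accounting": 7, "active_contract": None,
            "legal_claim": None, "fraud_prevention": None}


def add_years(d, years):
    """Shift a date by whole years; 29 Feb rolls forward to 1 Mar."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return date(d.year + years, 3, 1)


def plan_erasure(records, verified, today):
    """records: (record_id, category, created) tuples -> (delete_now, exceptions)."""
    if not verified:
        raise PermissionError("identity not verified; request must not be processed")
    delete_now, exceptions = [], []
    for record_id, category, created in records:
        if category in ELIGIBLE:
            delete_now.append(record_id)
        elif category in RETAINED:
            years = RETAINED[category]
            # Assumption: the retention period runs from the record's creation date.
            due = add_years(created, years) if years is not None else None
            if due is not None and due <= today:
                delete_now.append(record_id)  # retention period already over
            else:
                exceptions.append({"id": record_id, "reason": category,
                                   "delete_after": due})
        else:
            # Unknown category: fail closed, keep the record and flag it for review.
            exceptions.append({"id": record_id, "reason": "unclassified",
                               "delete_after": None})
    return delete_now, exceptions


# Constructed sample records, not real data.
SAMPLE = [
    ("r1", "marketing", date(2023, 5, 1)),
    ("r2", "tax_accounting", date(2021, 2, 10)),
    ("r3", "tax_accounting", date(2015, 1, 5)),
    ("r4", "legal_claim", date(2022, 9, 9)),
    ("r5", "chat_transcript", date(2024, 1, 1)),
]
```

The `exceptions` list is what gets documented and reported to the data subject; entries with a `delete_after` date feed the scheduled future deletion.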
Access Control
| Role | Access |
|---|---|
| Owner | Full access |
| Admin | Full access |
| DPO | Full access |
| Data Controller | Organization requests |
| Auditor | Read-only |
For Auditors
Rights request records serve as evidence of GDPR/CCPA compliance. Auditors have read-only access to the complete request history including submission timestamps, verification records, response timelines, and completion documentation.
Related Documentation
- Rights Portal -- Self-service submission
- Data Subject Management -- Data subject records
- Consent Management -- Consent tracking
- Audit Logging -- Request audit trails