Skip to Content
Admin ConsoleGDPR Compliance

GDPR Compliance

The GDPR module gives your tenant a complete, audit-ready toolkit for data protection compliance. It covers consent lifecycle management, all seven data subject rights under Articles 15–22, breach notification workflows, Data Protection Impact Assessments, and the Article 30 Record of Processing Activities (ROPA).

All GDPR features require the admin:all permission. Access them from the sidebar under GDPR or via the API at /api/gdpr/*.


Overview

The module maps directly to the key obligations of the General Data Protection Regulation:

GDPR ObligationModule Feature
Art. 7 — Conditions for consentConsent Types, User Consents
Art. 15–22 — Data subject rightsData Subject Access Requests (DSAR)
Art. 17 — Right to erasureErasure Requests
Art. 20 — Right to portabilityData Exports
Art. 30 — Records of processingProcessing Activities (ROPA)
Art. 33/34 — Breach notificationData Breach Registry
Art. 35 — Impact assessmentsData Protection Impact Assessments (DPIA)
Art. 37 — DPO supportDPO Dashboard

The module also supports 13 privacy regulations beyond GDPR, including UK GDPR, CCPA, LGPD, PIPL, and PDPA, tracked under the Regulations section.

The GDPR module records an audit trail of every action taken on consent, erasure, breach, and DSAR records. These records are preserved even after a user’s personal data is deleted, using anonymised identifiers, to satisfy accountability obligations under Article 5(2).


Consent management covers two things: defining the types of consent your tenant collects, and recording individual user consent events against those types.

A consent type represents a specific, versioned consent purpose — for example, “Privacy Policy v3”, “Marketing Emails”, or “Analytics Tracking”. Each type has:

FieldDescription
NameHuman-readable label
SlugURL-safe unique identifier (e.g. privacy-policy)
CategoryOne of: PRIVACY_POLICY, TERMS_OF_SERVICE, MARKETING, ANALYTICS, FUNCTIONAL, THIRD_PARTY
VersionInteger, starts at 1 and increments on each publish
RequiredWhether users must grant this consent to use the service
ActiveWhether this consent type is currently being collected
  1. Go to GDPRConsent Types and click New Consent Type.
  2. Fill in the name, slug, category, and description.
  3. Toggle Required if this consent is mandatory.
  4. Click Save. The type is created at version 1 in draft state.

Publishing a consent type bumps its version and marks all existing user consents against previous versions as stale. Users who have already consented will be prompted to re-consent the next time the consent check runs.

Go to GDPRConsent Types and click the consent type you want to publish.

Click Publish

Click Publish New Version in the type’s detail panel.

Confirm

Confirm the action. The version counter increments immediately.

Publishing a new version invalidates all existing user consents for that type. Every user who previously consented will be required to consent again. Do this only when the underlying policy or terms have materially changed.

Go to GDPRConsent Stats to see an acceptance and rejection breakdown per consent type. The stats show current version consent rates and can be used to identify consent types where re-consent rates are low after a version bump.

User consents are recorded as individual audit events. Each event captures:

  • The user (userId)
  • The consent type and the version at the time of consent
  • Whether consent was granted or denied
  • The IP address and user agent
  • The timestamp of grant and, if applicable, revocation

Granting consent — Send a POST /api/gdpr/consents request with userId, consentTypeId, and granted: true. This is typically called server-side when a user accepts a policy form.

Revoking consent — Send a DELETE /api/gdpr/consents request with userId and consentTypeId. A revocation is recorded as a new audit event rather than deleting the original grant, preserving the full history.

Viewing the consent trailGET /api/gdpr/consents?userId=<id> returns the full chronological consent history for a user, across all consent types.

Consent records are never deleted, even when processing an erasure request. They are anonymised by removing personal identifiers, but the grant/revocation events are retained to demonstrate lawful basis at the time the data was processed.


Data Subject Access Requests (DSAR)

The DSAR module handles all seven rights under GDPR Articles 15–22:

RightDSAR Type
Art. 15 — Right of accessACCESS
Art. 16 — Right to rectificationRECTIFICATION
Art. 17 — Right to erasureERASURE
Art. 18 — Right to restrictionRESTRICTION
Art. 20 — Right to portabilityPORTABILITY
Art. 21 — Right to objectOBJECTION
Art. 22 — Automated decision-makingAUTOMATED_DECISION

DSAR Lifecycle

A DSAR moves through the following statuses:

RECEIVED → IDENTITY_VERIFICATION → IN_PROGRESS → AWAITING_INFO → COMPLETED → REJECTED → APPEALED

A deadline is automatically calculated when the request is created. Under GDPR the standard deadline is 30 days from receipt, extendable by two months for complex cases.

Creating a DSAR

  1. Go to GDPRData Subject Requests and click New Request.
  2. Fill in:
    • Subject name and email — the data subject’s identifying information
    • Type — one of the seven right types above
    • PriorityLOW, NORMAL, HIGH, or URGENT
    • Description — the subject’s request in their own words
  3. Click Submit. The request is created with status RECEIVED and the deadline is set automatically.

Managing DSARs

From the DSAR list you can filter by status, type, and priority. Click any request to open the detail view.

Assigning a request — Set the Assigned To field to the team member responsible for handling it.

Identity verification — Before processing, advance the status to IDENTITY_VERIFICATION and confirm the subject’s identity. Set Identity Verified once confirmed.

Recording a response — Enter the response text in the Response field before marking the request complete.

Internal notes — Use the Internal Notes field for team-facing information that should not be shared with the data subject.

Rejecting a request — Set status to REJECTED and provide a rejection reason. Common grounds for rejection: the request is manifestly unfounded or excessive, or the data is required for legal claims.

GDPR requires you to respond to access requests within one month of receipt. If you cannot meet this deadline you must notify the data subject and provide a reason before the deadline passes. Monitor the automatically calculated deadline field on each request.


Erasure Requests

Erasure requests implement the Article 17 right to deletion with a structured approval workflow. Unlike direct user deletion, erasure requests give administrators time to assess legal grounds for retention before committing to deletion.

Erasure Request Lifecycle

PENDING → APPROVED → PROCESSING → COMPLETED → REJECTED → CANCELLED

A grace period (scheduledAt) is set on approval to allow final checks before data is permanently removed.

Creating an Erasure Request

  1. Go to GDPRErasure Requests and click New Erasure Request.
  2. Enter the subject’s email address. Auris resolves the email to the internal user record automatically. If the user has never logged into the console but exists in the identity provider, a local record is created to anchor the request.
  3. Provide a reason for the request.
  4. Click Submit.

If a pending erasure request already exists for the same user, the submission returns an error. Resolve the existing request before creating a new one.

Approving or Rejecting

Open the request detail view and click Approve or Reject.

  • Approve — Optionally set a scheduled execution date (grace period). The request moves to APPROVED.
  • Reject — Provide a rejection reason. Common lawful grounds for refusal: the data is needed to fulfil a legal obligation, to defend legal claims, or the right of freedom of expression overrides the erasure request.

Executing Erasure

After approval, click Execute Erasure to begin data deletion. The request moves through PROCESSING to COMPLETED. The deletedData field is populated with a summary of what was removed.

Execution is irreversible. The user’s personal data, profile, and session records are permanently deleted. Audit log entries that reference the user are anonymised. Ensure all necessary exports have been provided to the data subject before executing.

The userEmail and keycloakId are captured as a snapshot at request creation time. This means the audit trail retains the subject’s identity even after their data has been deleted, satisfying Article 5(2) accountability requirements.

Cancelling a Request

A PENDING request can be cancelled by the administrator (for example, if the data subject withdraws the request). This records a CANCELLED status with a timestamp.


Data Exports

Data exports implement the Article 20 right to data portability. When a data subject requests a copy of their data, you create an export job and provide them with the download link.

Creating a Data Export

  1. Go to GDPRData Exports and click New Export.
  2. Identify the user by entering either a user ID or email address.
  3. Choose the export format: JSON (full structured data) or CSV (summary format).
  4. Click Request Export.

The export job is created and processed asynchronously. Status moves from PENDINGPROCESSINGCOMPLETED.

Export Statuses

StatusMeaning
PENDINGExport queued, not yet started
PROCESSINGExport being generated
COMPLETEDDownload URL available
FAILEDExport failed; see the error field
EXPIREDThe download link has expired (default 7 days)

Downloading and Sharing

Once the status is COMPLETED, the downloadUrl field contains a time-limited link. Send this link to the data subject directly. The link expires after the configured export retention period (default 7 days).

Export retention (how long the download URL remains valid) is configured separately in the Retention Policy section. The default is 7 days. Consider reducing this if your exports contain sensitive categories of personal data.


Data Breach Registry

The Data Breach Registry supports the Article 33 obligation to notify the supervisory authority within 72 hours of becoming aware of a breach, and the Article 34 obligation to notify affected individuals when the breach is likely to result in high risk.

Reporting a Breach

  1. Go to GDPRData Breaches and click Report Breach.
  2. Fill in the required fields:
FieldRequiredDescription
TitleYesBrief descriptive name
DescriptionYesWhat happened
SeverityYesLOW, MEDIUM, HIGH, or CRITICAL
Detected AtYesWhen the breach was first detected
Data AffectedNoDescription of the data categories exposed
Individuals AffectedNoEstimated number of affected individuals
Categories AffectedNoJSON list of affected data categories
Responsible PersonNoThe DPO or staff member handling the response
  1. Click Report. The breach is created with status DETECTED.

Breach Lifecycle

DETECTED → INVESTIGATING → CONTAINED → NOTIFIED_AUTHORITY → NOTIFIED_INDIVIDUALS → RESOLVED → CLOSED

Update the status as the incident response progresses. Record the following timestamps when they occur:

  • Reported to Authority At — when you filed the Article 33 notification to the DPA
  • DPA Reference Number — the reference assigned by the supervisory authority
  • Reported to Individuals At — when you sent Article 34 notifications to affected individuals

Article 33 requires notification to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Use the Detected At timestamp and Reported to Authority At timestamp to demonstrate compliance with this deadline.

Containment and Remediation

Update the Containment Actions and Remedial Actions fields as the incident progresses. These fields form part of your Article 33 notification record and may be requested by the supervisory authority.

If notification to individuals is not required (for example, because the data was encrypted and the risk to individuals is low), record the justification in the Notification Exemption Reason field.


Data Protection Impact Assessments (DPIA)

DPIAs are required under Article 35 when processing is likely to result in a high risk to individuals. The module lets you create, track, and archive DPIAs, and optionally link them to a specific processing activity.

DPIA Lifecycle

DRAFT → IN_PROGRESS → REVIEW → APPROVED → REJECTED

Creating a DPIA

  1. Go to GDPRDPIAs and click New DPIA.
  2. Fill in the title and description.
  3. Optionally link the DPIA to a Processing Activity from your ROPA.
  4. Click Save.

Completing a DPIA

A complete DPIA record includes:

FieldDescription
NecessityJustification for why the processing is necessary and proportionate
ProportionalityAssessment of whether privacy risks are proportionate to the purpose
Risks to RightsStructured list of identified risks, each with a likelihood, severity, and mitigation measure
Overall Risk LevelLOW, MEDIUM, HIGH, or VERY_HIGH
Consultation RequiredWhether DPA consultation is required (mandatory if residual risk remains high)
DPO OpinionThe DPO’s formal opinion on the assessment

Approving and Archiving

Once the DPIA is in REVIEW status, the approver can approve or reject it. On approval, approvedBy and approvedAt are recorded. Set nextReviewAt to schedule a periodic re-assessment.

When a processing activity is updated significantly, the linked DPIA should be reviewed and re-approved. Use the Next Review At date to track when this is due.


DPO Dashboard

The DPO Dashboard provides an aggregated view of all GDPR module activity across the tenant, designed as a single starting point for the Data Protection Officer’s daily oversight.

Access it at GDPRDPO Dashboard.

The dashboard surfaces:

SectionWhat It Shows
Consent SummaryTotal consent types, active types, and overall acceptance rate
Open DSARsCount by status, with overdue requests highlighted
Pending Erasure RequestsCount pending approval and count approved but not yet executed
Active BreachesBreaches in DETECTED, INVESTIGATING, or CONTAINED status
DPIA StatusDPIAs in draft or awaiting review
Compliance ReadinessOverall readiness score from the compliance checklist
Export JobsActive and recently expired export jobs
Processing ActivitiesCount by ROPA status

The dashboard is read-only and reflects live data. It does not require navigating to individual sub-sections to get a health overview.


Compliance Readiness Checklist

The compliance readiness checklist provides an itemised view of GDPR obligations mapped to concrete checks. Each item references the relevant GDPR article and has a status and optional evidence field.

Checklist Item Statuses

StatusMeaning
NOT_STARTEDThe check has not been addressed
IN_PROGRESSWork is underway
COMPLETEDThe obligation is satisfied
NOT_APPLICABLEThe obligation does not apply to this tenant

Automated Checks

Some checklist items are automated. When you trigger Re-run Automated Checks (via POST /api/gdpr/compliance-readiness), Auris evaluates the tenant configuration and sets the status of automated items based on the current state. Examples of automated checks include: whether a retention policy is configured, whether a DPO contact is on record, and whether consent types are active.

Updating a Checklist Item

Click any item to open the edit panel. You can:

  • Update the status manually
  • Add notes explaining your approach
  • Upload or link evidence (such as a document reference or URL)

Retention Policies

The retention policy is a tenant-level singleton that controls automatic data deletion. When the retention cron job runs, it enforces all configured retention periods across the tenant.

Configuring Retention

Go to GDPRRetention Policy to view and update the policy.

SettingDefaultDescription
Audit Log Retention90 daysAudit log entries older than this are permanently deleted
Session Retention30 daysInactive session records older than this are deleted
Export Retention7 daysCompleted data export download links expire after this period
Inactive User Deactivation365 daysUsers with no activity beyond this threshold are deactivated
Auto-Delete Inactive UsersOffWhether inactive users are deleted (not just deactivated)
EnabledOffMaster switch — retention enforcement only runs when this is on

Enabling Auto-Delete Inactive Users will permanently remove accounts that have had no login activity beyond the configured threshold. Ensure this aligns with your legitimate interest assessments and that affected users have been notified in accordance with your privacy policy before enabling this setting.

The retention enforcement cron job runs against the endpoint GET /api/gdpr/cron/enforce-retention and must be scheduled by your infrastructure operator. It is protected by a CRON_SECRET environment variable and will not execute without valid credentials. If the CRON_SECRET variable is not configured, the endpoint returns 503 (fail-closed).


Data Residency

The data residency record documents where your tenant’s data is physically stored and processed. It is used for DPO reporting, DPA inquiries, and customer data processing agreements.

Access it at GDPRData Residency.

FieldDescription
RegionGeographic region (e.g. EU, EEA)
CountryCountry of primary data storage (e.g. DE)
ProviderInfrastructure provider name
CertificationsList of relevant certifications (e.g. ISO 27001, SOC 2 Type II)
Third-Party ProcessorsStructured list of sub-processors, each with name, purpose, location, and whether a DPA is in place

Under Article 28 GDPR, a Data Processing Agreement (DPA) must be in place with every sub-processor. Use the Third-Party Processors list to track DPA coverage and identify gaps. Mark dpaCovered: true only once the DPA has been signed.


Regulations

The Regulations section tracks compliance status across 13 global privacy frameworks. This is useful for tenants operating across multiple jurisdictions.

Supported Regulations

CodeRegulation
GDPREU General Data Protection Regulation
UK_GDPRUK General Data Protection Regulation
CCPACalifornia Consumer Privacy Act (US)
LGPDLei Geral de Proteção de Dados (Brazil)
PIPEDAPersonal Information Protection and Electronic Documents Act (Canada)
POPIAProtection of Personal Information Act (South Africa)
PDPA_SGPersonal Data Protection Act (Singapore)
PDPA_THPersonal Data Protection Act (Thailand)
APPIAct on the Protection of Personal Information (Japan)
PIPLPersonal Information Protection Law (China)
DPDPADigital Personal Data Protection Act (India)
FADPFederal Act on Data Protection (Switzerland)
KVKKKişisel Verilerin Korunması Kanunu (Turkey)

Regulation Statuses

StatusMeaning
ACTIVEFully applicable, compliance tracked
PARTIALApplicable in some jurisdictions or for some users
PLANNEDNot yet implemented, planned for a future period
NOT_APPLICABLEDoes not apply to this tenant

Regulation Overview and Gap Analysis

Go to GDPRRegulationsOverview to see a cross-regulation summary. The overview runs a gap analysis comparing your current configuration (consent basis, breach notification setup, DPO assignment, etc.) against the requirements of each active regulation and surfaces items that need attention.

Updating a Regulation Profile

Click any regulation in the list to open its detail view. You can update:

  • Applicable regions (which countries this regulation applies to for your tenant)
  • Consent basis used for this regulation
  • Required breach notification window (in hours)
  • Whether a DPO is required under this regulation
  • Notes and review information

Processing Activities (ROPA)

The Record of Processing Activities satisfies the Article 30 obligation to maintain a written record of all data processing operations. Each entry in the ROPA represents a distinct processing activity.

ROPA Entry Lifecycle

StatusMeaning
DRAFTBeing prepared, not yet operational
ACTIVEProcessing is live
UNDER_REVIEWCurrently being reassessed
ARCHIVEDProcessing has ceased

Creating a Processing Activity

  1. Go to GDPRProcessing Activities and click New Activity.
  2. Fill in the required fields:
FieldDescription
NameShort descriptive name (e.g. “Customer Account Registration”)
DescriptionFull description of the processing activity
PurposeThe specific purpose for which data is processed
Lawful BasisOne of: CONSENT, CONTRACT, LEGAL_OBLIGATION, VITAL_INTERESTS, PUBLIC_TASK, LEGITIMATE_INTERESTS
Data CategoriesCategories of personal data processed (e.g. identity, contact, financial, health)
Data SubjectsDescription of the categories of individuals whose data is processed
RecipientsWho the data is shared with
Transfers Outside EUWhether data is transferred outside the EEA
Transfer SafeguardsIf transferring outside the EEA, the safeguard in place (e.g. Standard Contractual Clauses)
Retention PeriodHow long data from this activity is retained
Technical MeasuresTechnical security measures applied to this processing
Organisational MeasuresOrganisational security measures
Responsible PersonThe staff member or role responsible for this activity
DPIA RequiredWhether a DPIA must be completed for this activity
DPIA CompletedWhether the required DPIA has been completed
  1. Click Save. The activity is created in DRAFT status.

Scheduling Reviews

Set the Next Review At date when creating or updating an activity. The DPO Dashboard surfaces activities whose review date has passed or is approaching.

If DPIA Required is set to true, a DPIA must be created and linked to this processing activity before the activity can be set to ACTIVE. Use the DPIA module to create the assessment and link it via the processing activity relation.


  • Logs & Compliance — Audit log and log streaming for GDPR data export and retention evidence
  • Users & Roles — Managing individual users before or after erasure requests
  • Session Management — Revoking sessions as part of an erasure or restriction workflow
  • Security Settings — IP rules and attack protection that contribute to Article 32 technical measures