GDPR Compliance Guide
Overview
ASCEND provides comprehensive support for the General Data Protection Regulation (GDPR) when deploying AI agents that process personal data of EU data subjects. This guide covers how ASCEND implements GDPR requirements and enables organizations to fulfill their obligations as data controllers.
Applicable Regulations:
- GDPR (EU) 2016/679
- UK GDPR (post-Brexit)
- ePrivacy Directive (complementary)
Data Subject Rights Summary
| GDPR Article | Right | ASCEND Feature | Coverage |
|---|---|---|---|
| Article 15 | Right of Access | Data export API | Full |
| Article 16 | Right to Rectification | Data update API | Full |
| Article 17 | Right to Erasure | Deletion workflow | Full |
| Article 18 | Right to Restriction | Processing controls | Full |
| Article 20 | Right to Portability | Machine-readable export | Full |
| Article 21 | Right to Object | Consent management | Full |
| Article 22 | Automated Decision-Making | Human-in-the-loop | Full |
Two distinctions are worth keeping straight when mapping incoming requests onto these features. Withdrawing consent is governed by Article 7(3); an Article 21 objection targets processing that relies on legitimate interests or a public task (Article 6(1)(e) and (f)) and, unconditionally, direct marketing, so an objection may need the Article 18 processing controls as well as the consent endpoints. Article 22 covers decisions based solely on automated processing that produce legal or similarly significant effects, which is why human review of agent decisions is the relevant control.
Article 15: Right of Access
Data subjects have the right to obtain confirmation of whether their personal data is being processed and access to that data.
ASCEND Implementation
Data Discovery:
POST /api/v1/data-rights/discover
Authorization: Bearer {token}
Content-Type: application/json
{
"subject_email": "user@example.com",
"include_metadata": true
}
Response:
{
"subject_email": "user@example.com",
"data_locations": [
{
"table": "users",
"category": "PROFILE",
"record_count": 1,
"sensitivity": "HIGH"
},
{
"table": "agent_actions",
"category": "AGENT_INTERACTION",
"record_count": 156,
"sensitivity": "MEDIUM"
},
{
"table": "consent_records",
"category": "CONSENT",
"record_count": 3,
"sensitivity": "HIGH"
}
],
"discovery_completed_at": "2026-01-20T10:00:00Z"
}
Data Access Package
Generate a complete data access package for the data subject:
POST /api/v1/data-rights/access-package
Authorization: Bearer {token}
Content-Type: application/json
{
"subject_email": "user@example.com",
"format": "json",
"include_metadata": true,
"include_lineage": true
}
Response (Article 15 compliant):
{
"profile": {
"user_id": 123,
"email": "user@example.com",
"role": "standard_user",
"created_at": "2025-06-15T08:30:00Z",
"is_active": true
},
"agent_interactions": [
{
"id": 456,
"agent_id": "support-agent",
"tool": "query_database",
"timestamp": "2026-01-19T14:30:00Z",
"risk_level": "low",
"status": "completed"
}
],
"consent_history": [
{
"consent_type": "marketing_emails",
"purpose": "Marketing communications",
"legal_basis": "consent",
"granted": true,
"granted_at": "2025-06-15T08:35:00Z",
"withdrawn_at": null
}
],
"data_lineage": [
{
"data_category": "profile_data",
"data_source": "registration_form",
"sensitivity_level": "HIGH",
"legal_basis_processing": "contract",
"processing_purpose": "Account management",
"retention_period": "Account lifetime"
}
]
}
Response Timeline
GDPR Article 12(3) requires a response without undue delay and in any event within one month of receipt; the period may be extended by up to two further months for complex or numerous requests, provided the data subject is told of the extension within the first month. ASCEND derives the due date from the request's legal basis using a fixed 30-day window:
# ASCEND automatically calculates due dates
from datetime import UTC, datetime, timedelta  # datetime.UTC needs Python 3.11+

if 'GDPR' in legal_basis:
    due_date = datetime.now(UTC) + timedelta(days=30)  # GDPR Art. 12(3)
A 30-day window is not the same as one calendar month. For a request received on 30 or 31 January, or on any day in February, the statutory deadline (the same day of the following month, or the end of that month if the day does not exist) falls before day 30, so treat the computed due date as a planning value and check the calendar-month deadline for requests received around month end.
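The deadline arithmetic, as an added example that is not ASCEND's code: the statutory calendar-month deadline of Article 12(3) with its extension, side by side with the fixed 30-day window, plus a scan that lists every receipt date in a year on which the 30-day rule lands after the statutory date. The clamp-to-month-end reading of "one month" and the function names are assumptions.

```python
import calendar
from datetime import date, timedelta


def add_months(received: date, months: int) -> date:
    """Same day-of-month `months` later, clamped to that month's last day
    (31 January + 1 month -> 28 February). Assumed reading of "one month"."""
    month_index = received.month - 1 + months
    year = received.year + month_index // 12
    month = month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return received.replace(year=year, month=month, day=min(received.day, last_day))


def dsr_due_date(received_iso: str, extended: bool = False) -> str:
    """Article 12(3): one month from receipt, or three months in total when the
    controller invokes the extension (which must be notified within the first month)."""
    received = date.fromisoformat(received_iso)
    return add_months(received, 3 if extended else 1).isoformat()


def fixed_window_due_date(received_iso: str, days: int = 30) -> str:
    """The fixed-window rule (receipt + 30 days) as a pure function of the receipt date."""
    return (date.fromisoformat(received_iso) + timedelta(days=days)).isoformat()


def deadline_check(received_iso: str) -> dict:
    """Compare both rules and flag receipt dates where the 30-day window
    falls after the statutory calendar-month deadline."""
    statutory = dsr_due_date(received_iso)
    fixed = fixed_window_due_date(received_iso)
    return {
        "received": received_iso,
        "statutory_due": statutory,
        "fixed_30_day_due": fixed,
        "fixed_window_late": date.fromisoformat(fixed) > date.fromisoformat(statutory),
    }


def late_receipt_days(year: int) -> list:
    """Every receipt date in `year` on which the 30-day rule would miss the statutory deadline."""
    day = date(year, 1, 1)
    late = []
    while day.year == year:
        if deadline_check(day.isoformat())["fixed_window_late"]:
            late.append(day.isoformat())
        day += timedelta(days=1)
    return late


if __name__ == "__main__":
    for received in ("2026-01-20", "2026-01-31", "2026-02-15"):
        print(deadline_check(received))
    print(len(late_receipt_days(2026)), "late receipt dates in 2026")
```

For a non-leap year the scan returns 30 dates (30 and 31 January and all of February); in a leap year it is 31 January plus the 29 days of February, again 30. Everywhere else the fixed window is equal to or earlier than the statutory date.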
Article 17: Right to Erasure ("Right to be Forgotten")
Data subjects can request deletion of their personal data on the grounds listed in Article 17(1), for example where the data is no longer necessary for the purpose it was collected for, where consent is withdrawn and no other legal basis applies, or where the data was processed unlawfully. Article 17(3) lists the exceptions under which a controller may refuse and retain the data.
Erasure Eligibility Assessment
Before erasure, ASCEND assesses what data can be deleted vs. what must be retained:
POST /api/v1/data-rights/erasure/assess
Authorization: Bearer {token}
Content-Type: application/json
{
"request_id": "DSR-20260120-ABC123",
"subject_email": "user@example.com"
}
Response:
{
"eligible_for_erasure": [
{
"category": "profile_data",
"table": "users",
"reason": "No retention requirement"
},
{
"category": "consent_records",
"table": "consent_records",
"record_count": 3,
"reason": "No active retention requirement"
}
],
"retention_required": [
{
"category": "agent_interactions",
"table": "agent_actions",
"record_count": 156,
"reason": "SOX/PCI-DSS 7-year retention requirement",
"alternative": "Anonymization available"
}
],
"assessment_notes": [
"Audit logs cannot be deleted but will be anonymized",
"Financial transaction records retained per legal requirement"
]
}
Execute Erasure
POST /api/v1/data-rights/erasure/execute
Authorization: Bearer {token}
Content-Type: application/json
{
"request_id": "DSR-20260120-ABC123",
"subject_email": "user@example.com",
"erasure_scope": "FULL",
"data_categories": ["profile", "consent"],
"retention_exceptions": ["agent_actions"]
}
Response:
{
"scope": "FULL",
"systems_affected": ["users", "consent_records", "data_lineage"],
"records_erased": 4,
"records_anonymized": 156,
"retention_exceptions": ["agent_actions"],
"completed_at": "2026-01-20T10:15:00Z",
"audit_trail_id": "erasure-log-789",
"verification_hash": "sha256:abc123..."
}
Retention Exceptions (Article 17(3))
ASCEND enforces legal retention requirements:
| Data Category | Retention Period | Legal Basis |
|---|---|---|
| Profile data | Account lifetime | Contract |
| Agent interactions | 7 years | SOX/PCI-DSS |
| Audit logs | 7 years | Financial regulations |
| Consent records | 3 years after withdrawal | GDPR evidence |
| Erasure logs | Permanent | Legal compliance |
Some caveats before relying on this table. Article 17(3)(b) excuses erasure only where retention is required by Union or Member State law to which the controller is subject; SOX is a US statute, so records retained under it need a basis such as Article 17(3)(e) (establishment, exercise or defence of legal claims) or a corresponding EU obligation, which counsel should confirm. PCI DSS itself prescribes no seven-year period (its audit-log rule, Requirement 10.5.1, is twelve months, and it limits stored cardholder data to what business need justifies), so record the actual source of each period. Retained records leave GDPR scope only when anonymisation is irreversible (Recital 26); a keyed hash of the email is pseudonymisation and the row remains personal data. Finally, "permanent" retention of erasure logs should be reviewed against storage limitation (Article 5(1)(e)): the log needs to show that an erasure happened and what it covered, not to keep the erased values.
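An added example (not ASCEND's implementation) of the assess-then-execute flow above, driven by a policy modelled on the retention table: eligible rows are deleted, rows under a retention obligation are anonymised by overwriting identifiers and dropping free text, a hash over the manifest of affected rows serves as the verification value, and a final sweep confirms that no field anywhere still holds the subject's email. Table names, column names, the "prompt" free-text field and the sample rows are constructed for the example.

```python
import hashlib
import json

# Policy mirrors the retention table; table and column names are assumptions.
RETENTION_POLICY = {
    "users": {"category": "profile_data", "action": "erase",
              "identifier_fields": ["email"], "reason": "No retention requirement"},
    "consent_records": {"category": "consent_records", "action": "erase",
                        "identifier_fields": ["subject_email"], "reason": "No active retention requirement"},
    "agent_actions": {"category": "agent_interactions", "action": "anonymize",
                      "identifier_fields": ["user_email"], "strip_fields": ["prompt"],
                      "reason": "7-year financial record retention"},
}


def _is_subject(row: dict, rule: dict, email: str) -> bool:
    return any(row.get(f) == email for f in rule["identifier_fields"])


def assess_erasure(tables: dict, email: str, policy: dict = RETENTION_POLICY) -> dict:
    """Split the subject's records into what can be deleted and what must be kept (Article 17(3))."""
    eligible, retained = [], []
    for table, rule in policy.items():
        count = sum(1 for row in tables.get(table, []) if _is_subject(row, rule, email))
        if not count:
            continue
        entry = {"category": rule["category"], "table": table,
                 "record_count": count, "reason": rule["reason"]}
        if rule["action"] == "erase":
            eligible.append(entry)
        else:
            retained.append({**entry, "alternative": "Anonymization available"})
    return {"eligible_for_erasure": eligible, "retention_required": retained}


def execute_erasure(tables: dict, email: str, policy: dict = RETENTION_POLICY) -> dict:
    """Delete erasable rows, irreversibly anonymise retained rows, hash a manifest of what was done."""
    manifest = []
    erased = anonymized = 0
    for table, rule in policy.items():
        kept = []
        for row in tables.get(table, []):
            if not _is_subject(row, rule, email):
                kept.append(row)
                continue
            if rule["action"] == "erase":
                erased += 1
                manifest.append([table, row["id"], "erased"])
                continue
            # Overwrite identifiers with a constant and drop free text. A keyed hash of the
            # email would only pseudonymise the row, which stays personal data (Recital 26).
            for f in rule["identifier_fields"]:
                row[f] = "[erased]"
            for f in rule.get("strip_fields", []):
                row.pop(f, None)
            anonymized += 1
            manifest.append([table, row["id"], "anonymized"])
            kept.append(row)
        tables[table] = kept
    digest = hashlib.sha256(json.dumps(sorted(manifest)).encode()).hexdigest()
    return {"records_erased": erased, "records_anonymized": anonymized,
            "systems_affected": sorted({m[0] for m in manifest}),
            "verification_hash": f"sha256:{digest}"}


def residual_references(tables: dict, email: str) -> int:
    """Post-erasure verification: count any field anywhere still holding the subject's email."""
    return sum(1 for rows in tables.values() for row in rows for v in row.values() if v == email)


def sample_tables() -> dict:
    """Constructed data: one subject with records in every table, plus one unrelated user."""
    return {
        "users": [{"id": 123, "email": "user@example.com", "role": "standard_user"},
                  {"id": 124, "email": "other@example.com", "role": "standard_user"}],
        "consent_records": [{"id": i, "subject_email": "user@example.com", "consent_type": t}
                            for i, t in enumerate(["ai_processing", "marketing_emails", "analytics"], 1)],
        "agent_actions": [
            {"id": 456, "user_email": "user@example.com", "tool": "query_database", "prompt": "Show my invoices"},
            {"id": 457, "user_email": "user@example.com", "tool": "send_email", "prompt": "Mail me the PDF"},
            {"id": 458, "user_email": "other@example.com", "tool": "query_database", "prompt": "Hello"},
        ],
    }


if __name__ == "__main__":
    data = sample_tables()
    print(json.dumps(assess_erasure(data, "user@example.com"), indent=2))
    print(json.dumps(execute_erasure(data, "user@example.com"), indent=2))
    print("residual references:", residual_references(data, "user@example.com"))
```

The manifest hash is deterministic for a given set of affected rows, so re-running the erasure plan against a snapshot reproduces the same verification value; the residual-reference sweep is the check worth wiring into the erasure workflow's completion step, since it catches a table the policy forgot.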
Article 20: Right to Data Portability
Data subjects can receive their data in a machine-readable format.
Export Formats
POST /api/v1/data-rights/export
Authorization: Bearer {token}
Content-Type: application/json
{
"subject_email": "user@example.com",
"format": "json",
"compression": "gzip"
}
Supported Formats:
| Format | MIME Type | Use Case |
|---|---|---|
| JSON | application/json | API integration |
| CSV | text/csv | Spreadsheet import |
| XML | application/xml | Enterprise systems |
Export Package Structure
data_export_user@example.com_20260120.zip
├── profile.json
├── agent_interactions.json
├── consent_history.json
├── data_lineage.json
└── metadata.json
Consent Management (Articles 6-7)
Record Consent
POST /api/v1/consent/record
Authorization: Bearer {token}
Content-Type: application/json
{
"subject_email": "user@example.com",
"consent_type": "ai_processing",
"consent_status": "GIVEN",
"processing_purposes": [
"AI agent interactions",
"Automated decision support"
],
"legal_basis": "consent",
"consent_method": "explicit_checkbox",
"consent_evidence": {
"ip_address": "192.168.1.1",
"user_agent": "Mozilla/5.0...",
"timestamp": "2026-01-20T10:00:00Z",
"form_version": "v2.1"
}
}
Response:
{
"consent_id": "consent-456",
"subject_email": "user@example.com",
"consent_type": "ai_processing",
"granted": true,
"granted_at": "2026-01-20T10:00:00Z",
"legal_basis": "consent",
"audit_trail": "audit-789"
}
Withdraw Consent
POST /api/v1/consent/withdraw
Authorization: Bearer {token}
Content-Type: application/json
{
"subject_email": "user@example.com",
"consent_type": "ai_processing"
}
Consent History
GET /api/v1/consent/history?subject_email=user@example.com
Authorization: Bearer {token}
Response:
{
"consent_history": [
{
"consent_type": "ai_processing",
"purpose": "AI agent interactions",
"legal_basis": "consent",
"granted": true,
"granted_at": "2025-06-15T08:35:00Z",
"withdrawn_at": null
},
{
"consent_type": "marketing_emails",
"purpose": "Marketing communications",
"legal_basis": "consent",
"granted": false,
"granted_at": "2025-06-15T08:35:00Z",
"withdrawn_at": "2025-12-01T10:00:00Z"
}
]
}
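An added example, not ASCEND's code, of the consent ledger these endpoints imply: grants and withdrawals are appended as events with their evidence, `permitted()` answers whether consent was in force at a given instant (the question a historical processing record has to answer under Article 7(1)), and `history()` renders the same per-type summary as the response above. Class and method names and the sample events are assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class ConsentEvent:
    subject_email: str
    consent_type: str
    status: str          # "GIVEN" or "WITHDRAWN"
    at: datetime
    evidence: dict       # Article 7(1) proof: method, form version, channel, ...


def _ts(iso: str) -> datetime:
    """Parse an ISO-8601 timestamp; naive values are assumed to be UTC."""
    dt = datetime.fromisoformat(iso.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


class ConsentLedger:
    """Append-only ledger: a withdrawal is a new event, never an edit of the grant,
    so the state of consent at any past instant can be reproduced."""

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    def record(self, email: str, consent_type: str, at: str, evidence: dict) -> None:
        self._events.append(ConsentEvent(email, consent_type, "GIVEN", _ts(at), evidence))

    def withdraw(self, email: str, consent_type: str, at: str, evidence: Optional[dict] = None) -> None:
        # Refuse a withdrawal that has nothing to withdraw; it usually means a typo in consent_type.
        if not self.permitted(email, consent_type, at):
            raise ValueError(f"no consent of type {consent_type!r} in force for {email} at {at}")
        self._events.append(ConsentEvent(email, consent_type, "WITHDRAWN", _ts(at), evidence or {}))

    def _latest(self, email: str, consent_type: str, at: datetime) -> Optional[ConsentEvent]:
        candidates = [e for e in self._events
                      if e.subject_email == email and e.consent_type == consent_type and e.at <= at]
        return max(candidates, key=lambda e: e.at, default=None)

    def permitted(self, email: str, consent_type: str, at: str) -> bool:
        """True when a GIVEN event is the most recent event for this consent type at `at`.
        This is the gate to evaluate before an agent action that relies on consent."""
        latest = self._latest(email, consent_type, _ts(at))
        return latest is not None and latest.status == "GIVEN"

    def history(self, email: str) -> list[dict]:
        """Per-consent-type summary in the shape of the consent history response."""
        out: dict[str, dict] = {}
        for e in sorted(self._events, key=lambda e: e.at):
            if e.subject_email != email:
                continue
            entry = out.setdefault(e.consent_type, {
                "consent_type": e.consent_type, "legal_basis": "consent",
                "granted": False, "granted_at": None, "withdrawn_at": None})
            if e.status == "GIVEN":
                entry.update(granted=True, granted_at=e.at.isoformat(), withdrawn_at=None)
            else:
                entry.update(granted=False, withdrawn_at=e.at.isoformat())
        return list(out.values())


def sample_ledger() -> ConsentLedger:
    """Constructed events mirroring the consent history example above."""
    ledger = ConsentLedger()
    evidence = {"consent_method": "explicit_checkbox", "form_version": "v2.1"}
    ledger.record("user@example.com", "ai_processing", "2025-06-15T08:35:00Z", evidence)
    ledger.record("user@example.com", "marketing_emails", "2025-06-15T08:35:00Z", evidence)
    ledger.withdraw("user@example.com", "marketing_emails", "2025-12-01T10:00:00Z",
                    {"channel": "account_settings"})
    return ledger


if __name__ == "__main__":
    ledger = sample_ledger()
    print(ledger.permitted("user@example.com", "marketing_emails", "2025-07-01T00:00:00Z"))
    print(ledger.permitted("user@example.com", "marketing_emails", "2025-12-02T00:00:00Z"))
    for entry in ledger.history("user@example.com"):
        print(entry)
```

Because `permitted()` takes the instant of the processing rather than "now", a processing record from July 2025 can be justified against the ledger even after the December withdrawal, which is what an Article 15 or Article 30 answer needs.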
Data Processing Records (Article 30)
ASCEND maintains records of processing activities:
Processing Activity Record
{
"controller": {
"name": "Organization Name",
"contact": "dpo@organization.com"
},
"processing_purposes": [
"AI agent governance",
"Security monitoring",
"Compliance reporting"
],
"data_categories": [
"User identifiers",
"Agent interaction logs",
"Security events"
],
"data_subjects": [
"Employees",
"Contractors",
"End users"
],
"recipients": [
"Internal security team",
"Compliance officers"
],
"retention_periods": {
"user_data": "Account lifetime + 30 days",
"agent_logs": "7 years",
"security_events": "7 years"
},
"security_measures": [
"Encryption at rest (AES-256)",
"Encryption in transit (TLS 1.3)",
"Access control (RBAC)",
"Audit logging"
]
}
Generate Article 30 Report
GET /api/v1/compliance/gdpr/article-30-report
Authorization: Bearer {token}
Data Subject Request Workflow
Create Request
POST /api/v1/data-rights/requests
Authorization: Bearer {token}
Content-Type: application/json
{
"subject_email": "user@example.com",
"request_type": "ACCESS",
"legal_basis": "GDPR Article 15"
}
Response:
{
"request_id": "DSR-20260120-XYZ789",
"subject_email": "user@example.com",
"request_type": "ACCESS",
"status": "RECEIVED",
"compliance_framework": "GDPR",
"due_date": "2026-02-19T00:00:00Z",
"created_at": "2026-01-20T10:00:00Z"
}
Request Status Tracking
| Status | Description | Timeline |
|---|---|---|
| RECEIVED | Request received and logged | Day 0 |
| VERIFICATION_PENDING | Identity verification in progress | Day 1-3 |
| DISCOVERY_COMPLETE | Data locations identified | Day 3-7 |
| PROCESSING | Request being fulfilled | Day 7-25 |
| REVIEW_PENDING | Awaiting approval | Day 25-28 |
| COMPLETED | Request fulfilled | Day 30 |
List Requests
GET /api/v1/data-rights/requests?status=PROCESSING
Authorization: Bearer {token}
Compliance Reporting
Generate GDPR Report
POST /api/v1/compliance/reports
Authorization: Bearer {token}
Content-Type: application/json
{
"framework": "gdpr",
"report_type": "SUMMARY",
"date_range": {
"start": "2026-01-01",
"end": "2026-01-20"
}
}
Response:
{
"report_period": {
"start": "2026-01-01T00:00:00Z",
"end": "2026-01-20T23:59:59Z"
},
"request_summary": {
"total_requests": 45,
"completed_requests": 42,
"completion_rate": 93.33,
"overdue_requests": 0
},
"request_breakdown": {
"access_requests": 25,
"erasure_requests": 15,
"portability_requests": 5
},
"erasure_summary": {
"total_erasures_executed": 15,
"records_deleted": 1250,
"records_anonymized": 3400
},
"compliance_status": {
"gdpr_compliant": true,
"response_deadline_met": true,
"audit_trail_complete": true
}
}
Tenant Isolation (ONBOARD-019)
ASCEND implements strict tenant isolation for GDPR compliance:
from __future__ import annotations

from typing import TYPE_CHECKING

if TYPE_CHECKING:  # assumed: the service takes a SQLAlchemy ORM session
    from sqlalchemy.orm import Session


class DataSubjectRightsService:
    """
    ONBOARD-019: Tenant Isolation Security
    - organization_id REQUIRED (fail-closed design)
    - All database queries filter by organization_id
    - No cross-tenant data access possible through this service
    """

    def __init__(self, db: Session, organization_id: int | None):
        if organization_id is None:
            raise ValueError(
                "organization_id is required for tenant isolation. "
                "Data rights operations cannot proceed without organization context."
            )
        self.db = db
        self.organization_id = organization_id
Security Controls:
| Control | Implementation |
|---|---|
| Query filtering | All queries include WHERE organization_id = ? |
| Access logging | All data access logged to immutable audit trail |
| Cross-tenant prevention | Fail-closed design prevents data leakage |
| Audit trail | Organization ID included in all audit logs |
These controls hold only if organization_id is taken from the authenticated caller (the bearer token's verified claims) rather than from a request field; a client-supplied organization_id would turn every data-rights endpoint above into a cross-tenant lookup keyed on subject_email. The fail-closed check also guarantees a tenant filter, not that the caller is entitled to act on that subject, so verifying the identity of the person behind a request (the VERIFICATION_PENDING stage of the workflow) remains a separate control.
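One way to implement tenant-scoped data discovery (the discover endpoint in the Article 15 section) on top of the fail-closed rule above, as an added example rather than ASCEND's own code: the tenant comes from the verified token claims, each table is queried with organization_id bound as a parameter, and the same email present in two tenants surfaces only the caller's tenant's rows. The table layout, the claim name and SUBJECT_COLUMNS are assumptions; sqlite3 stands in for the production database.

```python
import sqlite3
from typing import Optional

# Assumed: which column holds the subject identifier in each table, and the
# category and sensitivity label reported for it (matches the discovery response).
SUBJECT_COLUMNS = {
    "users": ("email", "PROFILE", "HIGH"),
    "agent_actions": ("user_email", "AGENT_INTERACTION", "MEDIUM"),
    "consent_records": ("subject_email", "CONSENT", "HIGH"),
}


def organization_from_claims(claims: dict) -> int:
    """The tenant comes from the verified bearer token's claims, never from the request
    body; otherwise a caller could name any organization_id and read another tenant."""
    org = claims.get("organization_id")
    if org is None:
        raise ValueError("organization_id missing from token claims; refusing to run an unscoped query")
    return int(org)


class TenantScopedDiscovery:
    """Fail-closed: construction without a tenant fails, and every query binds organization_id."""

    def __init__(self, conn: sqlite3.Connection, organization_id: Optional[int]):
        if organization_id is None:
            raise ValueError("organization_id is required for tenant isolation")
        self.conn = conn
        self.organization_id = organization_id

    def discover(self, subject_email: str) -> dict:
        locations = []
        for table, (column, category, sensitivity) in SUBJECT_COLUMNS.items():
            # Identifiers come from the fixed allow-list above; only values are bound as parameters.
            sql = f"SELECT COUNT(*) FROM {table} WHERE organization_id = ? AND {column} = ?"
            (count,) = self.conn.execute(sql, (self.organization_id, subject_email)).fetchone()
            if count:
                locations.append({"table": table, "category": category,
                                  "record_count": count, "sensitivity": sensitivity})
        return {"subject_email": subject_email, "organization_id": self.organization_id,
                "data_locations": locations}


def discover_for_caller(conn: sqlite3.Connection, claims: dict, subject_email: str) -> dict:
    """Request-handler shape: derive the tenant from claims, then run a scoped discovery."""
    return TenantScopedDiscovery(conn, organization_from_claims(claims)).discover(subject_email)


def seed_db() -> sqlite3.Connection:
    """Constructed data: the same person is a user of two tenants (organizations 1 and 2)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER, organization_id INTEGER, email TEXT);
        CREATE TABLE agent_actions (id INTEGER, organization_id INTEGER, user_email TEXT, tool TEXT);
        CREATE TABLE consent_records (id INTEGER, organization_id INTEGER, subject_email TEXT, consent_type TEXT);
    """)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(123, 1, "user@example.com"), (900, 2, "user@example.com")])
    conn.executemany("INSERT INTO agent_actions VALUES (?, ?, ?, ?)",
                     [(456, 1, "user@example.com", "query_database"),
                      (457, 1, "user@example.com", "send_email"),
                      (458, 2, "user@example.com", "query_database")])
    conn.executemany("INSERT INTO consent_records VALUES (?, ?, ?, ?)",
                     [(1, 1, "user@example.com", "ai_processing"),
                      (2, 1, "user@example.com", "marketing_emails"),
                      (3, 1, "user@example.com", "analytics")])
    return conn


if __name__ == "__main__":
    db = seed_db()
    print(discover_for_caller(db, {"sub": "dpo@tenant-one.example", "organization_id": 1}, "user@example.com"))
    print(discover_for_caller(db, {"sub": "dpo@tenant-two.example", "organization_id": 2}, "user@example.com"))
```

A useful regression test for any tenant-isolation change is exactly the second call: seed one subject into two tenants and assert that each tenant's discovery sees only its own counts, and that a token without the tenant claim is rejected rather than defaulting to an unfiltered query.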
API Reference
Data Subject Request Endpoints
| Method | Endpoint | Description |
|---|---|---|
| POST | /api/v1/data-rights/requests | Create DSR |
| GET | /api/v1/data-rights/requests | List requests |
| GET | /api/v1/data-rights/requests/{id} | Get request details |
| POST | /api/v1/data-rights/discover | Discover data locations |
| POST | /api/v1/data-rights/access-package | Generate access package |
| POST | /api/v1/data-rights/erasure/assess | Assess erasure eligibility |
| POST | /api/v1/data-rights/erasure/execute | Execute erasure |
| POST | /api/v1/data-rights/export | Export data (portability) |
Consent Management Endpoints
| Method | Endpoint | Description |
|---|---|---|
| POST | /api/v1/consent/record | Record consent |
| POST | /api/v1/consent/withdraw | Withdraw consent |
| GET | /api/v1/consent/history | Get consent history |