Compliance Features
Comprehensive GDPR compliance capabilities.
Consent Management
Capture, store, and validate user consent for data processing. Support granular consent options and easy withdrawal.
Data Mapping
Track where personal data flows through your AI systems. Document processing activities and data relationships.
Breach Notification
Automated detection and notification systems for data breaches. Meet 72-hour notification requirements.
Audit Trails
Complete logs of all data access and processing activities. Generate compliance reports on demand.
Privacy by Design
Embed privacy controls into API architecture from the start. Minimize data collection and retention.
Data Residency
Control where EU citizen data is processed. Support data localization requirements.
Implementing Data Subject Rights
How to handle GDPR data subject requests through your gateway.
Right to Access (DSAR)
Data subjects can request a copy of all personal data you hold about them within 30 days.
GET /gdpr/access?user_id={id}
Returns all stored data in JSON format
Right to Erasure
Delete all personal data upon request, except where retention is legally required.
DELETE /gdpr/erase?user_id={id}
Cascades deletion across all systems
Right to Portability
Provide data in a structured, machine-readable format for transfer to other services.
GET /gdpr/export?user_id={id}&format=json
Supports JSON, CSV, XML formats
Right to Rectification
Allow data subjects to correct inaccurate or incomplete personal data.
PATCH /gdpr/rectify?user_id={id}
Updates records across all databases
Implementation Guide
Build GDPR-compliant AI gateway systems.
class GDPRCompliantGateway: """GDPR-compliant AI API gateway""" def __init__(self, data_store, consent_manager, audit_logger): self.data_store = data_store self.consent = consent_manager self.audit = audit_logger async def handle_access_request( self, user_id: str, requester_id: str ) -> GDPRResponse: """Handle Data Subject Access Request""" # Verify identity if user_id != requester_id: raise UnauthorizedAccessException() # Collect all personal data personal_data = await self.data_store.get_user_data(user_id) # Log the access request await self.audit.log({ 'event': 'dsar_fulfilled', 'user_id': user_id, 'timestamp': datetime.utcnow(), 'data_categories': list(personal_data.keys()) }) return GDPRResponse( request_type='access', data=personal_data, format='json', expires_in=30 # days ) async def handle_erasure_request( self, user_id: str, requester_id: str ) -> GDPRResponse: """Handle Right to Erasure request""" # Verify identity if user_id != requester_id: raise UnauthorizedAccessException() # Check for legal holds legal_holds = await self.data_store.check_legal_holds(user_id) if legal_holds: return GDPRResponse( request_type='erasure', status='partial', reason='Legal retention requirements apply', retained_categories=legal_holds ) # Cascade deletion across systems deleted_records = [] # Delete from primary database await self.data_store.delete_user(user_id) deleted_records.append('primary_db') # Delete from caches await self.clear_all_caches(user_id) deleted_records.append('caches') # Delete from logs (pseudonymize) await self.pseudonymize_logs(user_id) deleted_records.append('logs') # Request deletion from AI providers await self.request_provider_deletion(user_id) deleted_records.append('ai_providers') # Audit trail await self.audit.log({ 'event': 'erasure_completed', 'user_id': user_id, 'deleted_from': deleted_records, 'timestamp': datetime.utcnow() }) return GDPRResponse( request_type='erasure', status='completed', deleted_records=deleted_records ) async def handle_portability_request( self, user_id: str, format: str = 'json' ) -> GDPRResponse: """Handle Data Portability request""" # Collect user data data = await self.data_store.get_user_data(user_id) # Convert to requested format if format == 'json': exported = json.dumps(data, indent=2) elif format == 'csv': exported = self.to_csv(data) elif format == 'xml': exported = self.to_xml(data) return GDPRResponse( request_type='portability', data=exported, format=format, media_type=self.get_media_type(format) ) class ConsentManager: """Manage user consent for data processing""" def __init__(self, db): self.db = db async def record_consent( self, user_id: str, purposes: List[str], granted: bool ): """Record user consent decision""" await self.db.insert({ 'user_id': user_id, 'purposes': purposes, 'granted': granted, 'timestamp': datetime.utcnow(), 'ip_address': self.get_request_ip() }) async def check_consent( self, user_id: str, purpose: str ) -> bool: """Check if user has consented to purpose""" consent = await self.db.find_one({ 'user_id': user_id, 'purposes': purpose, 'granted': True }) return consent is not None