Privacy Operations

The operator GDPR workspace — handle Data Subject Requests (Article 12, 72h SLA) and manage personal-data Breach Incidents (Articles 33 & 34) from two SLA-driven queues.

Updated 2026-06-15

Privacy Operations (Governance → Privacy Operations) is where operators run the two time-critical GDPR workflows. It has two tabs, each backed by a 72-hour SLA queue.

Subject Requests (Articles 12–22)

Handle Data Subject Requests submitted from the storefront, email, or API.

| Request type | Article |
|---|---|
| ACCESS | 15 |
| RECTIFICATION | 16 |
| ERASURE | 17 |
| RESTRICTION | 18 |
| PORTABILITY | 20 |
| OBJECTION | 21 |

Requests move through PENDING → IN_PROGRESS → COMPLETED (or REJECTED), with EXPIRED set automatically if the 72-hour Article 12 clock runs out. The queue shows the SLA due time and flags overdue items; the detail drawer captures assignment, notes, and an audit-preserved rejection reason. Rejecting requires a reason.

Breach Incidents (Articles 33 & 34)

File and manage personal-data breaches against the Article 33 72-hour authority-notification deadline.

| Severity | Status lifecycle |
|---|---|
| LOW · MEDIUM · HIGH · CRITICAL | PENDING_TRIAGE → INVESTIGATING → CONTAINED → RESOLVED (or FALSE_POSITIVE) |

Incidents record source (MANUAL, AUTOMATED, EXTERNAL_REPORT, SUBPROCESSOR), affected data categories and subject counts, root cause, mitigation, and notification timestamps (DPO, authority, subjects). The queue shows a 72-hour countdown and flags overdue incidents. Notify Authority and Notify Subjects stamp the corresponding timestamps for audit.

Privacy Operations is the operational GDPR surface. For the conceptual framework — lawful bases, data-subject rights catalog, breach playbook, and compliance registers — see the Privacy & GDPR docs.