GDPR
The Audit Service implements GDPR data subject request management through the GdprController and GdprService. It supports the three primary GDPR rights: right of access, right to erasure (right to be forgotten), and right to data portability. Each request follows a verification workflow before processing.
Request Types
| Type | Endpoint | Description |
|---|---|---|
| Data Access | POST /api/v1/gdpr/requests/data-access | Subject Access Request (SAR) -- export all data about a person |
| Data Deletion | POST /api/v1/gdpr/requests/data-deletion | Right to Erasure -- delete all data about a person |
| Data Portability | POST /api/v1/gdpr/requests/data-portability | Export data in a portable format (JSON or CSV) |
Request Lifecycle
| Status | Description |
|---|---|
| PENDING_VERIFICATION | Request created, awaiting identity verification |
| VERIFIED | Identity verified, awaiting processing |
| PROCESSING | Request is being executed |
| COMPLETED | Request fulfilled successfully |
| REJECTED | Request rejected with reason |
| FAILED | Processing failed with error |
| EXPIRED | Verification token expired |
Create a Data Access Request
Endpoint: POST /api/v1/gdpr/requests/data-access
curl -X POST http://localhost:8086/api/v1/gdpr/requests/data-access \
-H "Content-Type: application/json" \
-H "Authorization: Bearer ${TOKEN}" \
-d '{
"tenantId": "550e8400-e29b-41d4-a716-446655440000",
"dataSubjectId": "770e8400-e29b-41d4-a716-446655440000",
"dataSubjectEmail": "john@acme.com",
"requesterId": "660e8400-e29b-41d4-a716-446655440000",
"requesterEmail": "dpo@acme.com",
"reason": "Data subject request via support ticket #12345",
"legalBasis": "GDPR Article 15"
}'
Create a Deletion Request
Endpoint: POST /api/v1/gdpr/requests/data-deletion
curl -X POST http://localhost:8086/api/v1/gdpr/requests/data-deletion \
-H "Content-Type: application/json" \
-H "Authorization: Bearer ${TOKEN}" \
-d '{
"tenantId": "550e8400-e29b-41d4-a716-446655440000",
"dataSubjectId": "770e8400-e29b-41d4-a716-446655440000",
"dataSubjectEmail": "john@acme.com",
"requesterId": "660e8400-e29b-41d4-a716-446655440000",
"requesterEmail": "dpo@acme.com",
"reason": "Right to erasure request",
"legalBasis": "GDPR Article 17"
}'
Create a Portability Request
Endpoint: POST /api/v1/gdpr/requests/data-portability
| Parameter | Type | Default | Description |
|---|---|---|---|
| format | String | json | Export format (json or csv) |
Verify a Request
Endpoint: POST /api/v1/gdpr/requests/verify/:token
Identity verification is required before any GDPR request is processed. A verification token is generated when the request is created and sent to the data subject's email.
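The sketch below is an added example, not the Audit Service's own code. It shows one way the verification gate could be enforced using the status names from the lifecycle table. The 24-hour token lifetime, storing only a SHA-256 hash of the token, and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from enum import Enum

class Status(Enum):  # subset of the lifecycle table needed for the gate
    PENDING_VERIFICATION = "PENDING_VERIFICATION"
    VERIFIED = "VERIFIED"
    PROCESSING = "PROCESSING"
    EXPIRED = "EXPIRED"

TOKEN_TTL_SECONDS = 24 * 3600  # assumption: the page does not state a lifetime

@dataclass
class GdprRequest:
    request_id: str
    token_hash: str   # only the SHA-256 of the token is stored, never the token
    created_at: float
    status: Status = Status.PENDING_VERIFICATION

def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()

def create_request(request_id: str, now: float):
    """Return (stored record, plaintext token to e-mail to the data subject)."""
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    return GdprRequest(request_id, _digest(token), now), token

def verify(req: GdprRequest, presented: str, now: float) -> Status:
    """Apply one verification attempt and return the resulting status."""
    if req.status is not Status.PENDING_VERIFICATION:
        return req.status  # single use: a replayed token changes nothing
    if now - req.created_at > TOKEN_TTL_SECONDS:
        req.status = Status.EXPIRED
    elif hmac.compare_digest(req.token_hash, _digest(presented)):
        req.status = Status.VERIFIED  # constant-time match on the hashes
    return req.status  # wrong token: request stays pending

def start_processing(req: GdprRequest) -> bool:
    """Only a VERIFIED request may move to PROCESSING."""
    if req.status is not Status.VERIFIED:
        return False
    req.status = Status.PROCESSING
    return True
```

Because the token travels in the URL path, it will appear in access logs and proxies; keeping only its hash server-side and making it single use limits what a leaked log line is worth.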
curl -X POST http://localhost:8086/api/v1/gdpr/requests/verify/abc123-verification-token \
-H "Authorization: Bearer ${TOKEN}"
Request Management
Get Request by ID
Endpoint: GET /api/v1/gdpr/requests/:requestId
List Tenant Requests
Endpoint: GET /api/v1/gdpr/tenants/:tenantId/requests
Filter by Status
Endpoint: GET /api/v1/gdpr/tenants/:tenantId/requests/status/:status
Filter by Type
Endpoint: GET /api/v1/gdpr/tenants/:tenantId/requests/type/:type
Get Requests for a Subject
Endpoint: GET /api/v1/gdpr/subjects/:dataSubjectId/requests
Reject a Request
Endpoint: POST /api/v1/gdpr/requests/:requestId/reject
curl -X POST http://localhost:8086/api/v1/gdpr/requests/880e8400/reject \
-H "Content-Type: application/json" \
-H "Authorization: Bearer ${TOKEN}" \
-d '{
"userId": "660e8400-e29b-41d4-a716-446655440000",
"reason": "Request does not meet legal threshold"
}'
Download Export
Endpoint: GET /api/v1/gdpr/requests/:requestId/download
Downloads the exported data for completed data access or portability requests. Returns a gzipped file.
Statistics
Endpoint: GET /api/v1/gdpr/tenants/:tenantId/stats
Returns GDPR request statistics including total requests, requests by status, average processing time, and compliance metrics.