Handle GDPR data-subject requests
When someone exercises a GDPR right against your workspace, the Admin → GDPR screen does the two operations the platform can run on its own data: a portability export (Article 20) and an erasure (Article 17). Anyone can also file a request through the public intake form at your workspace, which this page covers at the end.
:::note Before you begin
- You need an admin role (`admin`, `it-admin`, or `super-admin`) to open the GDPR screen and run exports.
- Erasure is super-admin only. Other admins see the screen and the Erase button, but the action returns a permission error unless you hold `super-admin`.
- Erasure refuses to run while the person still holds assets. Recover their hardware and revoke their licences first; see Offboarding.
:::
What the screen does
Open GDPR in the admin sidebar. The page is a searchable list of every person in the workspace, including already-erased accounts, with one row per data subject and two actions per row.
| Element | What it shows or does |
|---|---|
| Article cards | Three reminder cards across the top — Article 15 (access), Article 20 (portability), Article 17 (erasure). |
| Search | Filters the list by email, name, or employee ID. |
| Data subject | Avatar, name, email, and employee ID. Erased accounts carry a rose Erased badge and render dimmed. |
| Employment | Job title and department. |
| Status | The employment-status badge — Active, Onboarding, Inactive, or Offboarded. |
| Last login | The last sign-in date and a relative time, or Never. |
| Actions | Export JSON on every row; Erase on every row that isn't already erased. |
The two GDPR rights map to the two actions:
| Right | GDPR article | Action | Effect |
|---|---|---|---|
| Access / portability | Article 15 / 20 | Export JSON | Downloads a structured copy of everything held about the person. Non-destructive. |
| Erasure | Article 17 | Erase | Pseudonymises personal fields and keeps assignment history for audit. Permanent. |
Article 15 (access) overlaps with Article 20 (portability) here: the same Export JSON file answers both. Employees can also run this export themselves from My portal; see Your profile and data export.
Export a person's data (Article 20)
To produce a portability copy for one person:
- Open GDPR in the admin sidebar.
- Search for the person by email, name, or employee ID.
- On their row, select Export JSON.
The browser downloads a file named `gdpr-export-<id>-<timestamp>.json` (for example, `gdpr-export-42-20260607-141230.json`). The export runs immediately and is itself recorded in the audit log.
The file contains these sections:
| Section | Contents |
|---|---|
| `exported_at`, `exported_by` | The export timestamp and the email of the admin who ran it. |
| `data_subject` | Identity, contact, employment, manager, status, and last-login fields from the user record. |
| `hardware_assignments` | One entry per device: asset tag, name, serial number, assigned and returned dates, return condition. |
| `software_assignments` | One entry per licence: software, edition, account identifier, assigned and revoked dates, access level. |
| `asset_requests` | Requests the person submitted: title, type, status, justification, created date. |
| `activity` | Up to the 1,000 most recent audit-log entries where the person was the actor or the subject. |
The export is read-only and safe to run as often as you need. Send the file to the data subject over a channel you trust — it contains personal data.
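Because the `activity` section covers events where the person was the actor *or* the subject, other people's identifiers can appear in it, and the file name carries the subject's id. The following is an added example, not code from the product or this page, of a pre-send check an admin can run on the downloaded file: it validates the top-level sections listed above, confirms the `<id>` in the file name matches `data_subject.id`, enforces the 1,000-entry cap, and lists every email address in `activity` that is not the subject's own so a human can decide what to redact. The field names inside the sections (`id`, `email`, `actor_email`, `subject_email`) and the sample file are assumptions constructed for the demo.

```python
"""Pre-send sanity check for a downloaded portability export.

Added example, not code from the product or this page. It assumes only the
top-level layout the page describes; the field names used inside the
sections (id, email, actor_email, subject_email) are assumptions for
illustration, as is the sample file, which is constructed below.
"""
import json
import re

REQUIRED_SECTIONS = (
    "exported_at", "exported_by", "data_subject", "hardware_assignments",
    "software_assignments", "asset_requests", "activity",
)
ACTIVITY_CAP = 1000  # the export holds at most the 1,000 most recent entries
FILENAME_RE = re.compile(r"^gdpr-export-(?P<id>\d+)-\d{8}-\d{6}\.json$")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def check_export(filename: str, raw_json: str) -> dict:
    """Validate structure, tie the file name to the subject, and list other
    people's addresses found in the activity section for manual review."""
    problems = []
    name_match = FILENAME_RE.match(filename)
    if not name_match:
        problems.append("filename is not gdpr-export-<id>-<timestamp>.json")
    data = json.loads(raw_json)
    for section in REQUIRED_SECTIONS:
        if section not in data:
            problems.append(f"missing section: {section}")
    subject = data.get("data_subject") or {}
    subject_email = str(subject.get("email", "")).lower()
    # The <id> in the file name must be the data subject's own id; a mismatch
    # means you are about to hand one person's data to another.
    if name_match and str(subject.get("id")) != name_match.group("id"):
        problems.append("filename id does not match data_subject.id")
    activity = data.get("activity") or []
    if len(activity) > ACTIVITY_CAP:
        problems.append(f"activity has {len(activity)} entries, cap is {ACTIVITY_CAP}")
    # Activity rows cover events where the subject was actor OR subject, so
    # the other party's address can appear. Surface every address that is not
    # the subject's, including admins', so a human decides what to redact.
    others = set()
    for entry in activity:
        for email in EMAIL_RE.findall(json.dumps(entry)):
            if email.lower() != subject_email:
                others.add(email.lower())
    return {"ok": not problems, "problems": problems, "third_party_emails": sorted(others)}


# Constructed sample export, shaped like the sections described above.
SAMPLE_FILENAME = "gdpr-export-42-20260607-141230.json"
SAMPLE_EXPORT = json.dumps({
    "exported_at": "2026-06-07T14:12:30Z",
    "exported_by": "it-admin@example.com",
    "data_subject": {"id": 42, "name": "Dana Example", "email": "dana@example.com",
                     "employee_id": "E-0042", "status": "Offboarded", "last_login": None},
    "hardware_assignments": [{"asset_tag": "LT-0101", "name": "Laptop", "serial_number": "SN123",
                              "assigned_at": "2025-01-10", "returned_at": "2026-05-30",
                              "return_condition": "good"}],
    "software_assignments": [],
    "asset_requests": [],
    "activity": [
        {"action": "login", "actor_email": "dana@example.com"},
        {"action": "hardware.assign", "actor_email": "it-admin@example.com",
         "subject_email": "dana@example.com"},
        {"action": "request.comment", "actor_email": "dana@example.com",
         "subject_email": "manager@example.com"},
    ],
})

if __name__ == "__main__":
    print(json.dumps(check_export(SAMPLE_FILENAME, SAMPLE_EXPORT), indent=2))
```

The check deliberately reports the exporting admin's address too: whether an admin's name in the audit trail should go to the data subject is a judgement call for your privacy contact, not for a script.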
Erase a person's data (Article 17)
Erasure pseudonymises the personal fields on an account — name, email, employee ID, job title, phone, and so on — while keeping the assignment and audit history intact, so a "right to be forgotten" request doesn't break your evidence trail. The records remain; they're no longer linked to a real person.
Erasure is permanent and cannot be undone. It overwrites identity fields, clears the password and SSO link, sets the status to Offboarded, and soft-deletes the account. Run an export first if you need a record of what the account held.
To erase a person's data:
- Confirm you hold the `super-admin` role. Other admins can't complete this step.
- Recover any hardware still assigned to the person and revoke their software, or the action is blocked. See Offboarding.
- Open GDPR, find the person, and select Erase on their row.
- In the dialog, type the person's exact email into the confirmation field.
- Enter a Reason for the audit log — for example, the date and channel the erasure request arrived on.
- Select Erase data.
A green confirmation appears, the row gains an Erased badge, and the action is logged with your name and the reason you gave.
The form enforces several guards before it runs:
| Field | Required | Notes |
|---|---|---|
| Confirmation email | Yes | Must match the person's current email exactly, or the action is rejected. |
| Reason | Yes | Free text, up to 1,000 characters. Stored in the audit log entry. |
These conditions block the erasure regardless of input:
| Condition | Result |
|---|---|
| You aren't a super-admin | Permission error; the action never runs. |
| The target holds the super-admin role | Refused. Demote the account first. |
| The target is your own account | Refused. You can't erase yourself here. |
| The person still has active hardware or software assignments | Refused. Recover or revoke them first. |
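To make the order of these guards concrete, here is an added example, not the product's own code, that runs the same checks the screen applies and then pseudonymises the record the way the page describes (identity fields overwritten, email set to `erased-user-<id>@erased.local`, password and SSO link cleared, status set to Offboarded, soft delete). Authorisation is checked before anything about the target is inspected, the email comparison is exact, and the returned audit entry carries the numeric id rather than the pre-erasure identity so the log itself cannot re-identify the person. `Account`, `Assignment`, the field names `password_hash`, `sso_subject` and `deleted_at`, and the fixture accounts are assumptions made for the demo.

```python
"""Erasure guards and pseudonymisation, in the order the screen applies them.

Added example, not the product's own code. Account and Assignment are
illustrative dataclasses; the field names password_hash, sso_subject and
deleted_at, and the sample accounts, are assumptions made for the demo.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional

SUPER_ADMIN = "super-admin"
MAX_REASON_LEN = 1000


@dataclass
class Assignment:
    kind: str       # "hardware" or "software"
    active: bool    # True until the device is returned or the licence revoked


@dataclass
class Account:
    id: int
    name: str
    email: str
    employee_id: str
    job_title: str
    phone: str
    role: str
    status: str = "Active"
    password_hash: Optional[str] = "argon2id$placeholder"   # placeholder credential
    sso_subject: Optional[str] = "idp|placeholder"          # placeholder SSO link
    erased: bool = False
    deleted_at: Optional[datetime] = None
    assignments: List[Assignment] = field(default_factory=list)


class ErasureRefused(Exception):
    """Raised with the message the screen would show."""


def erase(actor: Account, target: Account, confirmation_email: str,
          reason: str, now: Optional[datetime] = None) -> dict:
    """Run every guard, then pseudonymise in place. Returns the audit entry."""
    now = now or datetime.now(timezone.utc)
    # Authorisation first: an actor who is not super-admin gets the permission
    # error and learns nothing about the target's state from later checks.
    if actor.role != SUPER_ADMIN:
        raise ErasureRefused("permission error: erasure is super-admin only")
    if target.id == actor.id:
        raise ErasureRefused("refused: you can't erase your own account")
    if target.role == SUPER_ADMIN:
        raise ErasureRefused("refused: demote the super-admin account first")
    if target.erased:
        raise ErasureRefused("refused: account is already erased")
    if any(a.active for a in target.assignments):
        raise ErasureRefused("refused: active hardware or software assignments")
    # Input guards. Exact comparison, no trim or case folding, so a changed
    # address or a stale one copied from an old ticket does not confirm.
    if confirmation_email != target.email:
        raise ErasureRefused("refused: confirmation email does not match")
    if not reason.strip() or len(reason) > MAX_REASON_LEN:
        raise ErasureRefused("refused: reason is required, up to 1,000 characters")
    # Pseudonymise. History rows reference the numeric id, so they survive,
    # and the audit entry carries the id rather than the old identity;
    # otherwise the log itself would re-identify the person.
    target.name = f"Erased user {target.id}"
    target.email = f"erased-user-{target.id}@erased.local"
    target.employee_id = ""
    target.job_title = ""
    target.phone = ""
    target.password_hash = None
    target.sso_subject = None
    target.status = "Offboarded"
    target.erased = True
    target.deleted_at = now          # soft delete
    return {"action": "GDPR erasure executed", "actor": actor.email,
            "target_id": target.id, "reason": reason, "at": now.isoformat()}


def make_accounts():
    """Constructed fixtures: a super-admin, an ordinary admin, and a user whose
    only assignment has already been returned."""
    owner = Account(1, "Ada Owner", "ada@example.com", "E-0001", "CISO", "", SUPER_ADMIN)
    it_admin = Account(2, "Ira Admin", "ira@example.com", "E-0002", "IT", "", "it-admin")
    user = Account(42, "Dana Example", "dana@example.com", "E-0042", "Analyst", "555-0142",
                   "member", assignments=[Assignment("hardware", active=False)])
    return owner, it_admin, user


if __name__ == "__main__":
    owner, _, user = make_accounts()
    print(erase(owner, user, "dana@example.com", "Request received 2026-06-01 by email"))
    print(user)
```

A refused call raises before any field is touched, so a failed attempt leaves the record exactly as it was; the only durable trace of the attempt is whatever your own audit logging records around the call.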
Route a public privacy request
Each workspace also exposes a public intake form so employees, ex-employees, regulators, or any data subject can file a request without an account. It lives at `/privacy/request` on your workspace subdomain (for example, `https://<slug>.app.ontrackio.com/privacy/request`) and is the link to put in a privacy notice or an email footer.
The form accepts these request types, then records the submission with a 30-day response deadline:
| Request type | GDPR article |
|---|---|
| Access | Article 15 |
| Erasure / right to be forgotten | Article 17 |
| Correction | Article 16 |
| Portability | Article 20 |
| Restriction | Article 18 |
The submitter enters their email, an optional name, the request type, and optional details, and confirms the request relates to their own data. On submit they land on a confirmation page; the form is rate-limited to three submissions per IP address per hour and silently drops obvious bot traffic.
Submissions are tracked centrally with a per-request deadline for the operator team that runs your workspace — they don't appear on the Admin → GDPR screen. Once you know which person a request concerns, fulfil an access or portability request with Export JSON, and an erasure request with Erase, on that screen. Correction and restriction are handled by editing or annotating the user record directly.
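As an added example, not the product's own code, the model below reproduces the intake behaviour described above: the five request types with their articles, a 30-day response deadline stamped on each accepted submission, a limit of three submissions per IP address per hour, and a silent drop for bot traffic. The sliding-window limiter, the honeypot field used to recognise bots, the in-memory store and the fixed clock `T0` are assumptions made so the model runs offline.

```python
"""Model of the public intake form: request types, a 30-day deadline per
submission, three submissions per IP per hour, and a silent drop for bots.

Added example, not the product's own code. The sliding-window limiter, the
honeypot field used to spot bots, the in-memory store, and the fixed clock
T0 are all assumptions made so the model runs offline.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

REQUEST_ARTICLES = {           # request type -> GDPR article, as the form lists them
    "access": 15, "erasure": 17, "correction": 16,
    "portability": 20, "restriction": 18,
}
RESPONSE_WINDOW = timedelta(days=30)
RATE_LIMIT = 3
RATE_WINDOW = timedelta(hours=1)

T0 = datetime(2026, 6, 7, 14, 0, tzinfo=timezone.utc)   # constructed clock base


def later(minutes: int) -> datetime:
    """Constructed clock helper: T0 plus the given number of minutes."""
    return T0 + timedelta(minutes=minutes)


class PrivacyIntake:
    def __init__(self):
        self.requests = []                   # accepted submissions, with deadlines
        self._accepted = defaultdict(deque)  # ip -> timestamps inside the window

    def _rate_limited(self, ip: str, now: datetime) -> bool:
        window = self._accepted[ip]
        while window and now - window[0] >= RATE_WINDOW:
            window.popleft()                 # forget hits older than an hour
        return len(window) >= RATE_LIMIT

    def submit(self, ip, email, request_type, now, name="", details="",
               own_data=True, honeypot=""):
        # Bots fill the hidden honeypot field; humans never see it. The form
        # drops such traffic silently: show the confirmation, store nothing.
        if honeypot:
            return {"accepted": True, "record": None}
        if request_type not in REQUEST_ARTICLES:
            return {"accepted": False, "reason": "unknown request type"}
        if not own_data:
            return {"accepted": False, "reason": "must confirm the request concerns your own data"}
        if self._rate_limited(ip, now):
            return {"accepted": False, "reason": "rate limited"}
        self._accepted[ip].append(now)
        record = {
            "email": email, "name": name, "type": request_type,
            "article": REQUEST_ARTICLES[request_type], "details": details,
            "received_at": now, "deadline": now + RESPONSE_WINDOW,
        }
        self.requests.append(record)
        return {"accepted": True, "record": record}


if __name__ == "__main__":
    intake = PrivacyIntake()
    for minute in range(4):
        print(intake.submit("203.0.113.5", "dana@example.com", "erasure", later(minute)))
```

Only accepted submissions count toward the limit, so a user who trips it can retry once the oldest accepted submission is an hour old rather than being pushed further back by each rejected attempt.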
Verify
- After an export, a file named `gdpr-export-<id>-<timestamp>.json` downloads, and a `GDPR data export performed` entry appears in the audit log under your name.
- After an erasure, the row shows the Erased badge and the email reads `erased-user-<id>@erased.local`; the audit log records a `GDPR erasure executed` entry with your reason.
- The public form returns a confirmation page after a valid submission.
Troubleshooting
| Symptom | What to do |
|---|---|
| The Erase button gives a permission error | Erasure is super-admin only. Ask an owner to run it, or have your role elevated. |
| Erasure is refused: active assignments | The person still holds hardware or software. Recover and revoke via offboarding, then retry. |
| Erasure is refused: confirmation didn't match | Retype the person's exact current email. An erased or changed email won't match. |
| You can't erase a colleague | The screen refuses to erase a super-admin or your own account. Demote the target account first, or have another super-admin act. |
| A person you expect is missing from the list | Search matches email, name, and employee ID. Erased accounts stay listed but appear dimmed with an Erased badge. |
| The public form rejects a submission | It's rate-limited to three tries per IP per hour. Wait, or email the workspace privacy contact directly to escalate. |
| You can't reach the GDPR page | The screen needs an admin role and an active subscription. If your network uses an IP allowlist, confirm you're on an allowed address. |