Overview
CaseBender provides GDPR compliance capabilities for organizations that process personal data as part of security operations. As an on-premise platform, CaseBender keeps processing under your control: personal data stays on your infrastructure unless you deliberately send it to a third party through an integration (see Third-Party Sharing below).
Data Subject Rights
Right of Access (Article 15)
CaseBender supports Data Subject Access Requests (DSARs):
- Request Management: Track DSARs from receipt through fulfillment with SLA monitoring
- Data Discovery: Automatically discover all data associated with a data subject across cases, alerts, comments, audit logs, and observables
- Data Export: Generate structured data packages for delivery to the data subject
- Deadline Tracking: One-month response deadline (Article 12(3)), with management of the extension of up to two further months that the Regulation allows for complex or numerous requests
- Acknowledgment: Automated acknowledgment to data subjects upon request receipt
Right to Erasure (Article 17)
CaseBender implements the right to be forgotten with safeguards:
- Erasure Execution Engine: Systematically erases personal data across all platform entities
- PII Registry: Comprehensive mapping of where personal data is stored in every database model
- Anonymization: Where full deletion would compromise audit integrity, data is replaced with consistent markers (the same subject always maps to the same marker, so audit entries stay correlatable without identifying the person)
- Legal Hold Check: Erasure requests are automatically checked against active legal holds
- Verification Report: Post-erasure verification confirms all personal data has been removed or anonymized
- Audit Trail: The erasure action itself is logged (without the erased data) for compliance evidence
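The erasure safeguards above, as an added example that is not CaseBender's own code: a minimal erasure run that refuses to start while a legal hold is active, blanks PII fields in ordinary models, replaces them with a keyed consistent marker in audit-bearing models, logs the erasure itself without the erased identifiers, and then verifies the result by scanning every string field of every model, registered or not. The record layout, the PII registry, the `ANONYMIZE_ONLY` set and the marker key are assumptions made for illustration.

```python
"""Added example, not CaseBender's own code: erasure with legal-hold gating,
consistent anonymization markers and a post-erasure verification pass.
Record layout, PII registry and marker key are illustrative assumptions."""
import hashlib
import hmac
from copy import deepcopy

# Assumed PII registry: model name -> fields that may hold personal data.
PII_REGISTRY = {
    "case": ["reporter_email", "reporter_name"],
    "comment": ["author_email"],
    "audit_log": ["actor_email"],
}
# Assumed: rows of these models must survive for audit integrity, so their
# PII fields are anonymized with a marker instead of being blanked.
ANONYMIZE_ONLY = {"audit_log"}


def anonymization_marker(identifier: str, key: bytes) -> str:
    """Consistent, keyed marker: the same identifier always maps to the same
    marker, so audit entries stay correlatable, but without the key the marker
    cannot be brute-forced back to the identifier (HMAC-SHA256, truncated)."""
    mac = hmac.new(key, identifier.strip().lower().encode(), hashlib.sha256)
    return f"[ERASED:{mac.hexdigest()[:16]}]"


def verify_erasure(records: dict, norm: set) -> list:
    """Scan every string field of every model, registered or not, so that a gap
    in the PII registry shows up in the report instead of going unnoticed."""
    found = []
    for model, rows in records.items():
        for idx, row in enumerate(rows):
            for field, value in row.items():
                if isinstance(value, str) and any(i in value.lower() for i in norm):
                    found.append((model, idx, field))
    return found


def erase_subject(records: dict, identifiers: set, legal_holds: set, key: bytes):
    """records: model -> list of row dicts. Returns (new_records, report).
    The input is never mutated, so a blocked run leaves the data untouched."""
    norm = {i.strip().lower() for i in identifiers}
    if norm & {h.strip().lower() for h in legal_holds}:
        return records, {"status": "blocked", "reason": "active legal hold"}
    out = deepcopy(records)
    touched = 0
    for model, fields in PII_REGISTRY.items():
        for row in out.get(model, []):
            for field in fields:
                value = row.get(field)
                if isinstance(value, str) and value.strip().lower() in norm:
                    row[field] = (anonymization_marker(value, key)
                                  if model in ANONYMIZE_ONLY else None)
                    touched += 1
    # Audit the erasure itself without recording the erased identifiers.
    out.setdefault("audit_log", []).append({
        "actor_email": "system",
        "action": "erasure",
        "subject_ref": anonymization_marker(min(norm), key),
    })
    leftovers = verify_erasure(out, norm)
    return out, {"status": "complete" if not leftovers else "incomplete",
                 "fields_touched": touched, "leftovers": leftovers}


# Constructed sample data (not real records). The "notes" field is deliberately
# absent from the registry so the verification pass has something to catch.
SAMPLE = {
    "case": [{"id": 1, "reporter_email": "Jane.Doe@example.org",
              "reporter_name": "Jane Doe",
              "notes": "called jane.doe@example.org back"}],
    "comment": [{"id": 7, "author_email": "jane.doe@example.org", "body": "ack"}],
    "audit_log": [{"actor_email": "jane.doe@example.org", "action": "login"}],
}
KEY = b"assumed-marker-key"

if __name__ == "__main__":
    _, blocked = erase_subject(SAMPLE, {"jane.doe@example.org"},
                               {"jane.doe@example.org"}, KEY)
    print(blocked)
    new, report = erase_subject(SAMPLE, {"jane.doe@example.org", "Jane Doe"}, set(), KEY)
    print(report)
    print(new["audit_log"])
```

The report for the sample comes back `incomplete` because the unregistered `notes` field still carries the address; that is the point of a verification pass that does not trust the registry it was driven by.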
Right to Rectification (Article 16)
- Users can update their personal information through their profile
- Administrators can correct data on behalf of data subjects
- All changes are tracked in the audit trail
Right to Data Portability (Article 20)
- Data export in structured, machine-readable formats (JSON, CSV)
- Includes all data the subject provided to the platform
- Export packages are encrypted for secure delivery
Consent Management
Consent Lifecycle
CaseBender tracks consent throughout its lifecycle:
- Collection: Record consent with purpose, legal basis, and timestamp
- Storage: Consent records are stored with cryptographic integrity
- Verification: Check consent status before processing operations
- Withdrawal: Data subjects can withdraw consent at any time
- Impact Assessment: Withdrawal triggers an impact analysis showing what processing will stop
Processing Activities Register (Article 30)
Maintain a register of processing activities:
- Activity Catalog: Document each processing activity with purpose, legal basis, and data categories
- Data Flow Mapping: Track where personal data flows within the platform
- Retention Periods: Document retention periods per processing activity
- Third-Party Sharing: Record any data sharing with third parties (integrations)
Breach Notification
Article 33 — Notification to Supervisory Authority
CaseBender supports the Article 33 requirement to notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a breach:
- Breach Detection: Security monitoring and UEBA detect potential breaches
- Breach Recording: Document breach details, affected data, and impact assessment
- Authority Notification: Generate notification documents for supervisory authorities
- Timeline Tracking: Track the 72-hour deadline from the moment of awareness, with escalation alerts
- Follow-Up: Manage supplementary notifications as more information becomes available
Article 34 — Notification to Data Subjects
When a breach is likely to result in a high risk to individuals:
- Subject Identification: Identify affected data subjects from the breach scope
- Notification Generation: Generate clear, plain-language notifications
- Delivery Tracking: Track notification delivery and acknowledgment
- Remediation Guidance: Include recommended protective measures for affected individuals
Privacy Impact Assessment
Automated PIA (Article 35)
CaseBender automates Data Protection Impact Assessments:
- Personal Data Detection: Automatically scan entities for personal data patterns
- Risk Assessment: Evaluate processing risks based on data types, volume, and sensitivity
- Mitigation Recommendations: Suggest privacy-enhancing measures based on identified risks
- Review Workflow: PIAs are reviewed and approved by the Data Protection Officer
- Continuous Monitoring: PIAs are re-evaluated when processing activities change
Cross-Border Transfer Controls
Transfer Safeguards (Articles 44-49)
CaseBender enforces data residency and cross-border transfer rules:
- Data Residency Policies: Define where data can be stored and processed by jurisdiction
- Transfer Rules: Configure rules for when data can cross borders (adequacy decisions, SCCs, BCRs)
- Transfer Evaluation: Automatically evaluate proposed transfers against configured rules
- Violation Detection: Detect and alert on unauthorized cross-border data flows
- Transfer Heatmap: Visualize data flows across jurisdictions
Supported Transfer Mechanisms
| Mechanism | Description |
|---|---|
| Adequacy Decision | Transfer to countries with EU adequacy decisions |
| Standard Contractual Clauses | Transfer under approved SCCs |
| Binding Corporate Rules | Intra-group transfers under BCRs |
| Explicit Consent | Transfer with explicit data subject consent |
| Legal Obligation | Transfer required by law |
Privacy-Aware Logging
CaseBender implements privacy by design in its logging:
- PII Redaction: Personal data is automatically redacted from application logs
- Configurable Redaction Paths: Define which fields are redacted in log output
- Audit vs. Application Logs: Audit logs retain necessary detail for compliance; application logs are privacy-safe
- Redaction Strategies: Support for masking, hashing, and full removal
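The redaction mechanism described above, as an added example that is not CaseBender's own logging code: a JSON log-event redactor driven by a path-to-strategy configuration, with the three strategies named on this page (masking, hashing, full removal), followed by a regex sweep of all remaining free text for e-mail addresses that the path list did not cover. The dotted path syntax (with `*` matching any key or list element at that level), the field names in the sample event and the hashing key are assumptions made for illustration; it applies to application logs, not to the audit trail.

```python
"""Added example, not CaseBender's own code: a configurable log redactor with
mask / hash / remove strategies and a free-text e-mail sweep. Path syntax,
field names and the hashing key are illustrative assumptions."""
import hashlib
import hmac
import json
import re
from copy import deepcopy

# Assumed configuration: dotted path -> strategy. "*" matches any key of a
# dict or every element of a list at that level.
REDACTION_PATHS = {
    "user.email": "hash",
    "user.name": "mask",
    "request.headers.Authorization": "remove",
    "observables.*.value": "mask",
}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# Assumed key. Keyed hashing keeps the same value correlatable across log
# lines while blocking offline dictionary attacks on low-entropy values
# such as e-mail addresses (an unkeyed SHA-256 of an e-mail is trivially reversed).
HASH_KEY = b"assumed-log-hash-key"


def mask(value: str) -> str:
    """Keep first and last character, mask the rest; very short values are fully masked."""
    if len(value) <= 2:
        return "*" * len(value)
    return value[0] + "*" * (len(value) - 2) + value[-1]


def hash_value(value: str) -> str:
    return "h:" + hmac.new(HASH_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]


def apply_strategy(value, strategy: str) -> str:
    text = value if isinstance(value, str) else json.dumps(value)
    return {"mask": mask, "hash": hash_value}[strategy](text)


def _redact(node, parts: list, strategy: str) -> None:
    """Walk `parts` into `node` and apply `strategy` at the leaf (in place)."""
    if not parts:
        return
    head, rest = parts[0], parts[1:]
    if isinstance(node, list):
        if head == "*":
            for item in node:
                _redact(item, rest, strategy)
        return
    if not isinstance(node, dict):
        return
    keys = list(node) if head == "*" else ([head] if head in node else [])
    for key in keys:
        if rest:
            _redact(node[key], rest, strategy)
        elif strategy == "remove":
            del node[key]
        else:
            node[key] = apply_strategy(node[key], strategy)


def sweep_text(node):
    """Defense in depth: hash e-mail addresses in any string the paths missed."""
    if isinstance(node, dict):
        for key, value in node.items():
            node[key] = sweep_text(value)
        return node
    if isinstance(node, list):
        return [sweep_text(value) for value in node]
    if isinstance(node, str):
        return EMAIL_RE.sub(lambda m: hash_value(m.group(0)), node)
    return node


def redact_event(event: dict) -> dict:
    """Return a redacted copy of one log event; the original is left untouched."""
    out = deepcopy(event)
    for path, strategy in REDACTION_PATHS.items():
        _redact(out, path.split("."), strategy)
    return sweep_text(out)


# Constructed sample log event (not real data).
SAMPLE_EVENT = {
    "ts": "2024-01-01T00:00:00Z",
    "message": "alert escalated by jane.doe@example.org",
    "user": {"email": "jane.doe@example.org", "name": "Jane Doe", "role": "analyst"},
    "request": {"headers": {"Authorization": "Bearer eyJ...", "User-Agent": "curl"}},
    "observables": [{"type": "email", "value": "attacker@evil.example"},
                    {"type": "ip", "value": "203.0.113.5"}],
}

if __name__ == "__main__":
    print(json.dumps(redact_event(SAMPLE_EVENT), indent=2))
```

Because the sweep uses the same keyed hash as the `user.email` path, the address in the free-text `message` and the one in the structured field come out as the same token, so an analyst can still correlate events for one account without the log ever carrying the address.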
Related Documentation
- Data Protection — Encryption and data retention
- Compliance Overview — All supported frameworks
- Audit Logging — Audit trail and integrity