> ## Documentation Index
> Fetch the complete documentation index at: https://docs.casebender.com/llms.txt
> Use this file to discover all available pages before exploring further.

# GDPR & Privacy

> CaseBender's GDPR compliance features including data subject rights, consent management, breach notification, and cross-border transfer controls.

## Overview

CaseBender provides comprehensive GDPR compliance capabilities for organizations that process personal data as part of security operations. As an on-premise platform, CaseBender gives you full control over data processing — your data never leaves your infrastructure.

## Data Subject Rights

### Right of Access (Article 15)

CaseBender supports Data Subject Access Requests (DSARs):

* **Request Management**: Track DSARs from receipt through fulfillment with SLA monitoring
* **Data Discovery**: Automatically discover all data associated with a data subject across cases, alerts, comments, audit logs, and observables
* **Data Export**: Generate structured data packages for data subject delivery
* **Deadline Tracking**: 30-day response deadline with extension management
* **Acknowledgment**: Automated acknowledgment to data subjects upon request receipt

### Right to Erasure (Article 17)

CaseBender implements the right to be forgotten with safeguards:

* **Erasure Execution Engine**: Systematically erases personal data across all platform entities
* **PII Registry**: Comprehensive mapping of where personal data is stored in every database model
* **Anonymization**: Where full deletion would compromise audit integrity, data is anonymized using consistent markers
* **Legal Hold Check**: Erasure requests are automatically checked against active legal holds
* **Verification Report**: Post-erasure verification confirms all personal data has been removed or anonymized
* **Audit Trail**: The erasure action itself is logged (without the erased data) for compliance evidence

### Right to Rectification (Article 16)

* Users can update their personal information through their profile
* Administrators can correct data on behalf of data subjects
* All changes are tracked in the audit trail

### Right to Data Portability (Article 20)

* Data export in structured, machine-readable formats (JSON, CSV)
* Includes all data the subject provided to the platform
* Export packages are encrypted for secure delivery

## Consent Management

### Consent Lifecycle

CaseBender tracks consent throughout its lifecycle:

1. **Collection**: Record consent with purpose, legal basis, and timestamp
2. **Storage**: Consent records are stored with cryptographic integrity
3. **Verification**: Check consent status before processing operations
4. **Withdrawal**: Data subjects can withdraw consent at any time
5. **Impact Assessment**: Withdrawal triggers an impact analysis showing what processing will stop

### Processing Activities Register (Article 30)

Maintain a register of processing activities:

* **Activity Catalog**: Document each processing activity with purpose, legal basis, and data categories
* **Data Flow Mapping**: Track where personal data flows within the platform
* **Retention Periods**: Document retention periods per processing activity
* **Third-Party Sharing**: Record any data sharing with third parties (integrations)

## Breach Notification

### Article 33 — Notification to Supervisory Authority

CaseBender supports the 72-hour breach notification requirement:

* **Breach Detection**: Security monitoring and UEBA detect potential breaches
* **Breach Recording**: Document breach details, affected data, and impact assessment
* **Authority Notification**: Generate notification documents for supervisory authorities
* **Timeline Tracking**: Track the 72-hour deadline with escalation alerts
* **Follow-Up**: Manage supplementary notifications as more information becomes available

### Article 34 — Notification to Data Subjects

When a breach is likely to result in high risk to individuals:

* **Subject Identification**: Identify affected data subjects from breach scope
* **Notification Generation**: Generate clear, plain-language notifications
* **Delivery Tracking**: Track notification delivery and acknowledgment
* **Remediation Guidance**: Include recommended protective measures for affected individuals

## Privacy Impact Assessment

### Automated PIA (Article 35)

CaseBender automates Data Protection Impact Assessments:

* **Personal Data Detection**: Automatically scan entities for personal data patterns
* **Risk Assessment**: Evaluate processing risks based on data types, volume, and sensitivity
* **Mitigation Recommendations**: Suggest privacy-enhancing measures based on identified risks
* **Review Workflow**: PIAs are reviewed and approved by the Data Protection Officer
* **Continuous Monitoring**: PIAs are re-evaluated when processing activities change

## Cross-Border Transfer Controls

### Transfer Safeguards (Articles 44-49)

CaseBender enforces data residency and cross-border transfer rules:

* **Data Residency Policies**: Define where data can be stored and processed by jurisdiction
* **Transfer Rules**: Configure rules for when data can cross borders (adequacy decisions, SCCs, BCRs)
* **Transfer Evaluation**: Automatically evaluate proposed transfers against configured rules
* **Violation Detection**: Detect and alert on unauthorized cross-border data flows
* **Transfer Heatmap**: Visualize data flows across jurisdictions

### Supported Transfer Mechanisms

| Mechanism                        | Description                                      |
| -------------------------------- | ------------------------------------------------ |
| **Adequacy Decision**            | Transfer to countries with EU adequacy decisions |
| **Standard Contractual Clauses** | Transfer under approved SCCs                     |
| **Binding Corporate Rules**      | Intra-group transfers under BCRs                 |
| **Explicit Consent**             | Transfer with explicit data subject consent      |
| **Legal Obligation**             | Transfer required by law                         |

## Privacy-Aware Logging

CaseBender implements privacy by design in its logging:

* **PII Redaction**: Personal data is automatically redacted from application logs
* **Configurable Redaction Paths**: Define which fields are redacted in log output
* **Audit vs. Application Logs**: Audit logs retain necessary detail for compliance; application logs are privacy-safe
* **Redaction Strategies**: Support for masking, hashing, and full removal

## Related Documentation

* [Data Protection](/en/security/data-protection) — Encryption and data retention
* [Compliance Overview](/en/security/compliance-overview) — All supported frameworks
* [Audit Logging](/en/security/audit-logging) — Audit trail and integrity
