Data subjects and data actions

A DSR Workflow is a procedure for how your organization handles Data Subject Requests. With Transcend Privacy Requests, you can choose to customize your DSR workflow along several dimensions depending on things like how much human verification your company chooses to keep in the loop, what DSR types you choose to process, and how long after receiving an erasure request your company chooses to permanently erase the information in question.

The following sections can be configured in the Admin Dashboard on the "Request Settings" tab in Privacy Requests.

This section is about configuring the "who" of your DSR Workflow. A Data Subject is a person whose data you control or process. In the context of GDPR, the term data subject refers to European human citizens, and does not include such entities such as companies or collections of people.

A single company may collect and/or process the data of a number of different types of data subjects. These data subjects could fall into types such as Customers, Employees, Contractors, Job Applicants, etc. Each of these different data subject types might have data stored and processed by different parts of your organization. Transcend helps to manage this abstraction by allowing you to specify and manage your organization's "Data Subjects" in the Request Settings → tab of the Admin Dashboard where you can specify such things as different login flows for different Data Subject types authenticating to the Privacy Center.

Right now, Data Subject types are custom configured on our end, but you would like to add additional data subjects, please email us at support@transcend.io.

This is about the "what" of a DSR Workflow and describes the operation that your customers might request you do with their data.

In Transcend the following actions that are custom-tuned to be compliant with key regulations under GDPR and Full Text: CCPA.

Data ActionDescriptionEvent Key
Access/DownloadA request to access/download/export in machine-readable format.ACCESS
Erasure/Deletion A request to be forgotten and have all personal data removed from your systems.ERASURE
Opt Out of Communication/MarketingA request to be block-listed from future communications. An example of this is when someone unsubscribes from all marketing emails or SMS.CONTACT_OPT_OUT
Opt in to Communication/MarketingA request to opt a user into communication or marketing channels.CONTACT_OPT_IN
Opt Out of Tracking/AnalyticsA request to not be tracked.TRACKING_OPT_OUT
Opt in to Tracking/AnalyticsA request to re-enable tracking.TRACKING_OPT_IN
Opt Out of Sale/Share of DataA request to stop the sale or share of personal information.SALE_OPT_OUT
Opt in to Sale/Share of DataA request to opt back in to the sale or share of personal information.SALE_OPT_IN
Opt Out of Automated Decision MakingA request to opt out of automated decision making.AUTOMATED_DECISION_MAKING_OPT_OUT
Opt in to Automated Decision MakingA request to opt back in to automated decision making.AUTOMATED_DECISION_MAKING_OPT_IN
Opt Out of Custom PurposeAn opt out for a custom type of request purpose.CUSTOM_OPT_OUT
Opt in to Custom PurposeAn opt in for a custom type of purpose.CUSTOM_OPT_IN
Opt Out of the Use of Sensitive InformationA request to limit the usage of sensitive information, a requirement under the CPRA.USE_OF_SENSITIVE_INFORMATION_OPT_OUT
Opt in to the Use of Sensitive InformationA request to opt back into the use of sensitive information.USE_OF_SENSITIVE_INFORMATION_OPT_IN
Rectification/Update InaccuraciesA request to correct any inaccurate records.RECTIFICATION
Restriction of ProcessingA request to pause data processing activities.RESTRICTION
Business Purpose ReportA request for a business report that describes which of your data we collect and for what purposes we use that data.BUSINESS_PURPOSE
Place on Legal HoldPlace a particular person on legal hold by freezing access to their accounts.PLACE_ON_LEGAL_HOLD
Remove from Legal HoldRemove existing legal holds on a person.REMOVE_FROM_LEGAL_HOLD

You can enable automatic erasure fulfillment with a wait period. This gives time for the user or your team to cancel the erasure request. You can also disable automatic fulfillment and require an approval. You can make these changes by going to Request Settings. Once there, click the edit icon on "Erasure" and you'll see a settings view. We currently support two types of wait periods:

When someone is deleting their account, you may want to give them the option to back up the data before deleting it for good. When this feature is in use the workflow will look like:

a) compile data for the user across the integrations b) after request is approved, send the user a DSAR download link and wait 2 weeks before deleting the account. The Data Subject has the option to cancel their request at any time on the Privacy Center. c) After the 2 week delay period, the erasure process will begin. At this time time, the user will no longer be able to download their data or cancel their request.

To enable this feature ensure the setting named "Begin erasure immediately and prevent file downloads" is unchecked. If you turn on this checkbox, there will be no delay period, and the request will begin to erase immediately after the request is approved.

For security reasons, you may want to wait to delete someones account for a day, a week or even longer. Delaying a request will allow you to send an email notification to the data subject explaining a reason in which they may want to cancel their request. To enable automatic erasure request fulfillment, enable "Delay After Verification" and choose a wait period in days.

To disable automatic erasure fulfillment and require an approval step before performing an erasure, disable "Delay After Verification".

To require an approval before sending the final report to the data subject, enable "Approval Before Send". Note that "Approval Before Send" only affects the final report, and not the actual data erasure. Use "Delay After Verification" to configure the data erasure step.