The General Data Protection Regulation (GDPR) is a comprehensive data protection law enforced across the European Union (EU) that gives individuals greater control over their personal data. It outlines specific rights for individuals and applies to all organizations that operate in the EU or handle the personal data of EU residents.

A key operational component of GDPR is the Data Subject Request (DSR)—an action taken by individuals (data subjects) to exercise their rights under data protection laws. These rights include accessing, correcting, deleting, or transferring their personal data.

This user guide explains how to comply with GDPR requirements within our platform. It provides practical steps for addressing Data Subject Requests (DSRs), such as data access, deletion, and outlines how to configure platform features to align with GDPR standards.

Understanding GDPR Roles in Your Dengage Integration

This guide explains how the key roles defined under the General Data Protection Regulation (GDPR)—Data Subject, Data Controller, and Data Processor—relate to your integration with Dengage. Understanding these roles is essential for ensuring that personal data is handled lawfully, transparently, and in line with individuals’ rights, especially when responding to Data Subject Requests (DSRs).

Data Subject

In the context of GDPR, the Data Subject refers to the individual whose personal data is being collected and processed by your organization. This person has the right to submit DSRs, which may include requests to access, correct, or delete their personal data. Before any action is taken in response to such a request, it is critical that the Data Subject is properly authenticated.

Data Controller

As the organization using Dengage, you are considered the Data Controller. This means you are the party that decides why and how personal data should be processed. When a Data Subject submits a DSR, it is your responsibility to receive, verify, and respond to that request. Your role includes ensuring that the request is handled appropriately and that the outcome is clearly communicated back to the individual.

Data Processor

Dengage serves as the Data Processor in this relationship. This means it processes personal data on your behalf and according to your instructions. Dengage does not make independent decisions regarding how data is handled. Instead, it provides the necessary infrastructure, such as tools, APIs, or platform functionalities, to help you fulfill DSRs. Whether it involves exporting user data, deleting specific profiles, or updating records, Dengage assists in executing your directions in a secure and compliant manner.

Standard User Definition for DSR Handling

When managing Data Subject Requests (DSRs) under GDPR, it’s essential to have a clear and consistent definition of who qualifies as a "user"—also known as the data subject. In this context, a user refers to any identifiable individual whose personal data is processed, stored, or tracked within your systems or platforms. Proper identification and authentication of these individuals are critical to ensuring that DSRs are handled securely and in compliance with legal obligations.

Identifying a User

A user may be identified by one or more unique identifiers. Common identifiers include user IDs, customer IDs, email addresses, or phone numbers. These values allow you to map and retrieve all relevant data associated with the individual.

Scope of Data

The scope of a DSR covers all personal data linked to the identified user. This means consolidating information from various touchpoints where the user's data might exist. Ensuring a comprehensive scope helps maintain full compliance with GDPR requirements.

Authentication Requirements

Before fulfilling any DSR, it is essential to verify the identity of the requester. Authentication protects against malicious attempts to access someone else's personal data. The level of authentication should be appropriate to the sensitivity of the data and the nature of the request.

Applicable User Types

Users eligible to submit DSRs are not limited to registered customers. They can include:

• Registered users who have accounts or profiles
• Anonymous visitors, if they can be identified through device IDs, cookie IDs, or similar tracking technologies
• Mobile app users tracked via unique identifiers or analytics tools

Primary Identifiers

Different types of users are identified through different key identifiers, which serve as the primary reference points for locating personal data:

• For registered users, common identifiers include email addresses, usernames, or user IDs assigned by your system.
• Anonymous users may be identified using cookie IDs, IP addresses, or session IDs collected during their interactions.
• Mobile users are typically identified via device IDs or app user tokens generated by mobile applications.
• For customers stored in your CRM system, identifiers such as customer IDs, loyalty program IDs, or phone numbers are used to locate data.
• In e-commerce contexts, a combination of order ID and email address is often used to uniquely identify a user and their associated personal data.

Understanding these primary identifiers helps ensure the accurate retrieval and processing of data when handling DSRs across platforms and user types.

Data Deletion (Right to Be Forgotten)

This feature allows users to request permanent deletion of their personal data to comply with privacy regulations such as GDPR. When a deletion request is submitted, all personal data related to that user—including contacts, devices, and user events—will be permanently removed from all storage locations

Compliance

Our system supports this right by allowing you to request the permanent deletion of your personal data.

After stopping data collection, you can submit a deletion request to permanently remove your user profile and all related data—including contact details, device information, and user activity logs—from all our data stores.

What Happens When You Submit a Deletion Request?

When you submit a deletion request, the system schedules your data for permanent removal. This includes all contact records, device information, and event data related to you. The deletion will be completed within 30 days.

There is a 7-day cancellation window after you submit the request. During these 7 days, no data will be deleted yet. If you change your mind, you can cancel the deletion request within this period.

How to Submit a Deletion Request

To start deleting your data, you need to create an erasure request. This tells the system to permanently delete the profile and all associated information.

You can do this using the CreateErasureRequest API:

• This is a POST request to <https://api.dengage.com/rest/opendsr/requests>.
• It creates a new deletion request for the specified user.

How to Check the Status of a Deletion Request

You can keep track of your deletion request’s progress to see if it is still Pending or InProgress, has been Completed, Failed or Cancelled.

Use the GetRequestStatus API:

• This is a GET request to <https://api.dengage.com/rest/opendsr/status/{subjectRequestId}>.
• The response tells you the current status of your request.

How to Cancel a Deletion Request

If a deletion request was submitted in error, you can cancel it within 7 days from the request date. No data will be deleted during this cancellation window.

To cancel, use the CancelErasureRequest API:

• Make a DELETE request to <https://api.dengage.com/rest/opendsr/requests/{subjectRequestId}>.
• Cancelling within the 7 days stops the deletion process.

If not cancelled, the deletion proceeds automatically after 7 days.

Additional Information

To learn more about the system capabilities and compliance details, you can use the GetDiscovery API:

• Make a GET request to <https://api.dengage.com/rest/opendsr/discovery>.
• This returns information about supported OpenDSR features.