Handle right-to-erasure and Article 20 portability requests, keep DPIA records, and track the Article 12 response window — every action logged to an immutable audit trail.
Regulation: Regulation (EU) 2016/679 — applies since 25 May 2018
Who must comply: Any controller or processor handling the personal data of people in the EU
Maximum fines: Up to €20M or 4% of global annual turnover
GDPR has applied since 25 May 2018 to any organisation — wherever it is based — that processes the personal data of people in the EU. This page focuses on the data-subject-rights workflows the platform supports; it is guidance, not legal advice.
Beyond a lawful basis for processing, GDPR gives individuals enforceable rights and holds organisations accountable. The duties this platform helps you operate:
Erase personal data without undue delay on request — unless a legal-retention obligation applies under Article 17(3)(b), such as the EU AI Act's ten-year record-keeping for high-risk AI.
Provide the individual's personal data in a structured, commonly used and machine-readable format so they can reuse it elsewhere.
Run a DPIA where processing is likely to result in a high risk to individuals' rights and freedoms, and document the outcome.
Demonstrate compliance with records and an audit trail, and govern processors and sub-processors through the written terms Article 28 requires.
The data-subject-rights workflows come with the evidence trail an auditor or supervisory authority will ask for.
Hard-delete tenant-scoped personal data on a DPO-referenced request, while records under a legal-retention obligation are automatically blocked — and the audit-log entry survives the deletion.
Generate a structured, machine-readable JSON archive of a data subject's records (per EDPB WP242), with the Article 12 thirty-day and ninety-day deadlines stamped on every export.
Keep documented data protection impact assessments tied to the AI systems and processing they cover.
Every privacy action is logged with actor, timestamp and the GDPR basis — your Article 5(2) accountability evidence, which survives even a tenant erasure.
GDPR applies to any organisation that processes the personal data of people in the EU, regardless of where the organisation is based and whether it acts as a controller or a processor. It has applied since 25 May 2018.
The right to erasure (Article 17) lets an individual have their personal data deleted; the right to data portability (Article 20) lets them obtain a copy in a structured, machine-readable format to reuse elsewhere. LandingRed supports both, each with an audit trail.
No. Article 17(3) sets out exceptions — including where retention is required by a legal obligation. For example, the EU AI Act requires high-risk AI system records to be kept for ten years, which blocks their erasure. The platform enforces this and reports the blocking records instead of deleting them.
Under Article 12(3) you must respond within one month, extendable by a further two months for complex requests. The platform stamps both the thirty-day and ninety-day deadlines on every portability export so you can prove the request was answered in time.
The most serious infringements can attract fines of up to €20 million or 4% of total worldwide annual turnover, whichever is higher (Article 83(5)). Supervisory authorities can also order processing to stop.