Data Rights Overview

| Field | Value |
| --- | --- |
| Document ID | ASCEND-DATA-003 |
| Version | 1.0.0 |
| Last Updated | December 19, 2025 |
| Author | Ascend Engineering Team |
| Publisher | OW-KAI Technologies Inc. |
| Classification | Enterprise Client Documentation |
| Compliance | SOC 2 CC6.1/CC6.2, PCI-DSS 7.1/8.3, HIPAA 164.312, NIST 800-53 AC-2/SI-4 |

Reading Time: 8 minutes | Skill Level: Intermediate

Overview

ASCEND provides enterprise-grade data subject rights management for GDPR, CCPA, and other privacy regulations. Handle access requests, erasure (right to be forgotten), data portability, and consent management with full audit compliance.

Regulatory Coverage

| Regulation | Articles/Sections | Implementation |
| --- | --- | --- |
| GDPR Article 15 | Right of Access | Data export API |
| GDPR Article 17 | Right to Erasure | Deletion workflows |
| GDPR Article 20 | Data Portability | Standard formats |
| GDPR Articles 6-7 | Consent | Consent management |
| CCPA 1798.100 | Right to Know | Data access |
| CCPA 1798.105 | Right to Delete | Erasure workflows |
| CCPA 1798.110 | Categories Disclosure | Data inventory |
| CCPA 1798.130 | Response Timeline | SLA tracking |

Data Rights Architecture

+---------------------------------------------------------------------------------+
|                               DATA RIGHTS SYSTEM                                |
+---------------------------------------------------------------------------------+
|                                                                                 |
|   REQUEST TYPES                                                                 |
|   +-------------------------------------------------------------------------+   |
|   |                                                                         |   |
|   |      ACCESS           ERASURE         PORTABILITY       RECTIFICATION   |   |
|   |   +----------+      +----------+      +----------+      +----------+    |   |
|   |   | GDPR 15  |      | GDPR 17  |      | GDPR 20  |      | GDPR 16  |    |   |
|   |   | CCPA 110 |      | CCPA 105 |      | CCPA 130 |      |          |    |   |
|   |   +----------+      +----------+      +----------+      +----------+    |   |
|   |                                                                         |   |
|   +-------------------------------------------------------------------------+   |
|                                        |                                        |
|                                        v                                        |
|   +-------------------------------------------------------------------------+   |
|   |  REQUEST LIFECYCLE                                                      |   |
|   |                                                                         |   |
|   |  RECEIVED  ->  VERIFIED  ->  PROCESSING  ->  COMPLETED/REJECTED         |   |
|   |      |             |              |                   |                 |   |
|   |  Auto-SLA      Identity         Data              Audit Log             |   |
|   |  Tracking        Check        Discovery          + Response             |   |
|   |                                                                         |   |
|   +-------------------------------------------------------------------------+   |
|                                        |                                        |
|                                        v                                        |
|   +-------------------------------------------------------------------------+   |
|   |  SUPPORTING SYSTEMS                                                     |   |
|   |                                                                         |   |
|   |        CONSENT               DATA LINEAGE              AUDIT TRAIL      |   |
|   |    +-------------+          +-------------+          +-------------+    |   |
|   |    | Purpose     |          | Source      |          | Immutable   |    |   |
|   |    | Tracking    |          | Tracking    |          | Logging     |    |   |
|   |    | Withdrawal  |          | Retention   |          | Evidence    |    |   |
|   |    +-------------+          +-------------+          +-------------+    |   |
|   |                                                                         |   |
|   +-------------------------------------------------------------------------+   |
|                                                                                 |
+---------------------------------------------------------------------------------+

Right to Access (GDPR Article 15)

Submit Access Request

curl -X POST "https://pilot.owkai.app/api/data-rights/access/request" \
-H "Authorization: Bearer <jwt_token>" \
-H "Content-Type: application/json" \
-d '{
"subject_email": "user@example.com",
"include_metadata": true,
"data_categories": ["profile", "actions", "audit_logs"]
}'

Response:

{
"id": "req_abc123",
"created_at": "2025-12-15T10:30:00Z",
"subject_email": "user@example.com",
"request_type": "ACCESS",
"status": "RECEIVED",
"legal_basis": "GDPR Article 15",
"priority": "NORMAL",
"due_date": "2026-01-14T10:30:00Z",
"verification_status": "PENDING"
}

Retrieve Subject Data

curl "https://pilot.owkai.app/api/data-rights/access/req_abc123/data?verification_token=xxx" \
-H "Authorization: Bearer <jwt_token>"

Response:

{
"request_id": "req_abc123",
"subject_email": "user@example.com",
"generated_at": "2025-12-15T12:00:00Z",
"legal_basis": "GDPR Article 15",
"data_package": {
"profile": {
"email": "user@example.com",
"created_at": "2024-01-15T10:00:00Z",
"role": "analyst"
},
"actions": [
{
"action_id": "act_001",
"action_type": "data_query",
"created_at": "2025-12-10T14:30:00Z"
}
],
"audit_logs": [
{
"event_type": "LOGIN",
"timestamp": "2025-12-15T09:00:00Z"
}
]
},
"metadata": {
"total_records": 156,
"data_sources": ["users", "agent_actions", "audit_logs"],
"retention_information": {
"profile": "Until account deletion",
"audit_logs": "7 years (SOX compliance)"
}
}
}

Right to Erasure (GDPR Article 17)

Submit Erasure Request

curl -X POST "https://pilot.owkai.app/api/data-rights/erasure/request" \
-H "Authorization: Bearer <jwt_token>" \
-H "Content-Type: application/json" \
-d '{
"subject_email": "user@example.com",
"erasure_scope": "FULL",
"data_categories": null,
"retention_exceptions": ["audit_logs"]
}'

Response:

{
"id": "req_def456",
"created_at": "2025-12-15T10:30:00Z",
"subject_email": "user@example.com",
"request_type": "ERASURE",
"status": "RECEIVED",
"legal_basis": "GDPR Article 17",
"priority": "HIGH",
"due_date": "2026-01-14T10:30:00Z",
"verification_status": "PENDING",
"request_details": {
"erasure_scope": "FULL",
"retention_exceptions": ["audit_logs"]
}
}

Execute Erasure

curl -X POST "https://pilot.owkai.app/api/data-rights/erasure/req_def456/execute?confirmation_token=xxx" \
-H "Authorization: Bearer <admin_jwt>"

Response:

{
"request_id": "req_def456",
"status": "COMPLETED",
"erasure_summary": {
"records_deleted": 156,
"systems_processed": ["users", "agent_actions", "notifications"],
"retention_exceptions_applied": ["audit_logs"],
"audit_trail_id": "audit_xyz789"
},
"legal_compliance": {
"basis": "GDPR Article 17",
"completed_within_deadline": true
}
}
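
The checks below are an added example, not part of the ASCEND documentation or any ASCEND SDK. They gate the execute call on identity verification and the request lifecycle, then compare the execute response with the retention exceptions that were requested. The helper names and the transition table are assumptions, as is the idea that retention categories and `systems_processed` entries share names.

```python
# Added example, not ASCEND code. Field names follow the JSON on this page;
# helper names and the transition table are assumptions.
TRANSITIONS = {  # RECEIVED -> VERIFIED -> PROCESSING -> COMPLETED/REJECTED
    "RECEIVED": {"VERIFIED", "REJECTED"},
    "VERIFIED": {"PROCESSING", "REJECTED"},
    "PROCESSING": {"COMPLETED", "REJECTED"},
}

# The erasure request as returned on this page (identity not yet verified).
PENDING_REQUEST = {
    "id": "req_def456", "request_type": "ERASURE", "status": "RECEIVED",
    "verification_status": "PENDING",
    "request_details": {"erasure_scope": "FULL", "retention_exceptions": ["audit_logs"]},
}
# The execute response from this page.
EXECUTE_RESULT = {
    "request_id": "req_def456", "status": "COMPLETED",
    "erasure_summary": {
        "records_deleted": 156,
        "systems_processed": ["users", "agent_actions", "notifications"],
        "retention_exceptions_applied": ["audit_logs"],
        "audit_trail_id": "audit_xyz789",
    },
}


def erasure_preflight(request: dict) -> list:
    """Reasons not to call .../execute; an empty list means proceed."""
    problems = []
    if request.get("request_type") != "ERASURE":
        problems.append("not an erasure request")
    if request.get("verification_status") != "VERIFIED":
        problems.append("requester identity not verified")
    if "PROCESSING" not in TRANSITIONS.get(request.get("status"), set()):
        problems.append("status cannot move to PROCESSING")
    return problems


def check_erasure_result(request: dict, result: dict) -> list:
    """Compare the execute response with the exceptions the request asked for."""
    summary = result.get("erasure_summary", {})
    wanted = set(request.get("request_details", {}).get("retention_exceptions") or [])
    findings = []
    if result.get("request_id") != request.get("id"):
        findings.append("response is for a different request")
    if wanted - set(summary.get("retention_exceptions_applied", [])):
        findings.append("a requested retention exception was not applied")
    if wanted & set(summary.get("systems_processed", [])):  # assumes shared names
        findings.append("a retained category appears in systems_processed")
    if not summary.get("audit_trail_id"):
        findings.append("no audit_trail_id to cite as evidence")
    return findings
```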

Data Portability (GDPR Article 20)

Request Portable Data

curl -X POST "https://pilot.owkai.app/api/data-rights/portability/request?subject_email=user@example.com&target_format=JSON&include_metadata=true" \
-H "Authorization: Bearer <jwt_token>"

Export Formats

| Format | Description | Use Case |
| --- | --- | --- |
| JSON | Structured data | API integration |
| CSV | Tabular data | Spreadsheet analysis |
| XML | Structured markup | System integration |

Consent Management

Record Consent

curl -X POST "https://pilot.owkai.app/api/data-rights/consent/record" \
-H "Authorization: Bearer <jwt_token>" \
-H "Content-Type: application/json" \
-d '{
"subject_email": "user@example.com",
"consent_type": "data_processing",
"consent_status": "GIVEN",
"processing_purposes": ["ai_governance", "analytics", "security"],
"legal_basis": "GDPR Article 6(1)(a)",
"data_controller": "Your Company Inc",
"privacy_policy_version": "2.1.0"
}'

Response:

{
"consent_id": "con_abc123",
"status": "recorded",
"created_at": "2025-12-15T10:30:00Z",
"legal_basis": "GDPR Article 6(1)(a)",
"processing_purposes": ["ai_governance", "analytics", "security"]
}

| Status | Description |
| --- | --- |
| GIVEN | Consent actively provided |
| WITHDRAWN | Consent revoked |
| EXPIRED | Consent period ended |
| PENDING | Awaiting confirmation |

Data Lineage

Record Data Lineage

curl -X POST "https://pilot.owkai.app/api/data-rights/lineage/record" \
-H "Authorization: Bearer <jwt_token>" \
-H "Content-Type: application/json" \
-d '{
"subject_identifier": "user@example.com",
"data_type": "user_profile",
"source_system": "registration_form",
"destination_system": "user_database",
"processing_purpose": "account_management",
"legal_basis": "GDPR Article 6(1)(b)",
"retention_period": "5 years",
"data_location": "us-east-2",
"data_classification": "PII"
}'

View Subject Lineage

curl "https://pilot.owkai.app/api/data-rights/lineage/subject/user@example.com" \
-H "Authorization: Bearer <jwt_token>"

Response:

{
"subject_identifier": "user@example.com",
"data_lineage": {
"data_types": ["user_profile", "action_history", "audit_logs"],
"source_systems": ["registration_form", "agent_api", "auth_system"],
"processing_purposes": ["account_management", "ai_governance", "security"],
"retention_summary": {
"user_profile": "5 years",
"action_history": "2 years",
"audit_logs": "7 years"
}
},
"summary": {
"total_data_types": 3,
"source_systems": 3,
"processing_purposes": 3
}
}

Compliance Reporting

Generate Compliance Report

curl "https://pilot.owkai.app/api/data-rights/compliance/report?start_date=2025-01-01T00:00:00Z&end_date=2025-12-31T23:59:59Z&report_type=DETAILED" \
-H "Authorization: Bearer <admin_jwt>"

Response:

{
"report_type": "DETAILED",
"period": {
"start_date": "2025-01-01T00:00:00Z",
"end_date": "2025-12-31T23:59:59Z"
},
"compliance_metrics": {
"total_requests": 45,
"requests_by_type": {
"ACCESS": 25,
"ERASURE": 12,
"PORTABILITY": 5,
"RECTIFICATION": 3
},
"average_response_time_days": 8.5,
"compliance_rate": 100,
"overdue_requests": 0
}
}

SLA Requirements

| Regulation | Request Type | Response Deadline |
| --- | --- | --- |
| GDPR | All types | 30 days |
| CCPA | Access/Delete | 45 days |
| GDPR | Complex requests | 60 days (with notice) |

Best Practices

1. Verify Identity

# Always verify requester identity
{
"verification_method": "email_confirmation",
"verification_status": "VERIFIED"
}

2. Include Legal Basis

# Include legal basis for all processing
{
"legal_basis": "GDPR Article 6(1)(a)",
"consent_record_id": "con_abc123"
}

3. Track SLAs

# Monitor response deadlines (due_date is a UTC timestamp)
from datetime import datetime, timezone

if request.due_date < datetime.now(timezone.utc):
    alert("SLA breach risk")
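
An added example, not ASCEND code: it checks that a request's `due_date` matches the deadline in the SLA table and flags open requests before the deadline passes as well as after it. The function names, the `warn_days` threshold and the two extra sample records are assumptions; the 60-day complex-request extension is left out.

```python
from datetime import datetime, timedelta, timezone

# Added example, not ASCEND code. Deadlines come from the SLA table above;
# warn_days and the function names are assumptions.
SLA_DAYS = {"GDPR": 30, "CCPA": 45}
OPEN_STATES = {"RECEIVED", "VERIFIED", "PROCESSING"}

# Constructed sample records in the shape of the request responses on this page.
SAMPLE_REQUESTS = [
    {"id": "req_abc123", "status": "RECEIVED", "legal_basis": "GDPR Article 15",
     "created_at": "2025-12-15T10:30:00Z", "due_date": "2026-01-14T10:30:00Z"},
    {"id": "req_ccpa01", "status": "PROCESSING", "legal_basis": "CCPA 1798.105",
     "created_at": "2025-12-01T08:00:00Z", "due_date": "2026-01-15T08:00:00Z"},
    {"id": "req_old001", "status": "COMPLETED", "legal_basis": "GDPR Article 17",
     "created_at": "2025-11-01T09:00:00Z", "due_date": "2025-12-01T09:00:00Z"},
]


def parse_ts(value: str) -> datetime:
    """Parse the API's Z-suffixed timestamps into timezone-aware UTC datetimes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def due_date_consistent(request: dict) -> bool:
    """True when due_date equals created_at plus the regulation's deadline."""
    regime = request["legal_basis"].split()[0]  # "GDPR" or "CCPA"
    expected = parse_ts(request["created_at"]) + timedelta(days=SLA_DAYS[regime])
    return parse_ts(request["due_date"]) == expected


def sla_state(request: dict, now: datetime, warn_days: int = 7) -> str:
    """Classify a request before the deadline passes, not only after it."""
    if request["status"] not in OPEN_STATES:
        return "CLOSED"
    remaining = parse_ts(request["due_date"]) - now
    if remaining < timedelta(0):
        return "OVERDUE"
    return "AT_RISK" if remaining <= timedelta(days=warn_days) else "ON_TRACK"


def triage(requests: list, now: datetime) -> list:
    """Open requests that need attention, most urgent first."""
    flagged = [(parse_ts(r["due_date"]), r["id"], sla_state(r, now)) for r in requests]
    return [(rid, state) for _, rid, state in sorted(flagged)
            if state in ("OVERDUE", "AT_RISK")]
```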

4. Maintain Audit Trail

# Log all data rights activities
{
"event_type": "DATA_ACCESS_REQUEST",
"immutable": True,
"retention": "7 years"
}

Document Version: 1.0.0 | Last Updated: December 2025