# GDPR and Data Subject Requests

| Section | Description |
|---|---|
| Feature Area | Platform Operations / Compliance |
| Navigation | API-based (Developer Center) — no dedicated Admin UI page |
| Alt Navigation (Audit Viewer) | `Admin → Troubleshooting → Audit Viewer` (for change-event monitoring) |
| Primary Function | Enable organizations to respond to data subject requests for access, rectification, and deletion of personal data under GDPR, CCPA, and similar regulations |
| Genesys Role | **Data Processor** (under GDPR Article 28) — customers are the **Data Controllers** |

---

## Study Notes

| Topic | Explanation |
|---|---|
| GDPR | General Data Protection Regulation — EU regulation protecting individuals' rights over their personal data |
| Data Subject | The individual whose personal data is being processed — your contact center's customer |
| Data Controller | The organization that determines how and why personal data is processed — **your organization** |
| Data Processor | The vendor that processes data on behalf of the controller — **Genesys Cloud** |
| DPA | Data Processing Agreement — a contract required under GDPR Article 28 between controller and processor; contact dataprivacy@genesys.com |
| GDPR API | Genesys Cloud's preferred self-service mechanism for customers to respond to data subject requests |
| Rate Limits | The GDPR API is rate-limited — it is designed for **individual requests**, not bulk deletion |
| CCPA | California Consumer Privacy Act — data subject rights are similar to GDPR; Genesys Cloud uses the **same GDPR API** to respond to CCPA requests |
| No enabling required | GDPR compliance does not require any Genesys Cloud configuration to be enabled — the GDPR API is available to all customers |
| No GDPR certification | No official GDPR certification exists for cloud providers; Genesys Cloud maintains compliance through independent reviews (HIPAA audits, etc.) |

---

## The Three Fundamental Data Subject Rights (Relevant Articles)

| GDPR Article | Right | GDPR API Request Type |
|---|---|---|
| Article 15 | Right of Access | **Export** — retrieve all personal data Genesys Cloud holds for this subject |
| Article 16 | Right to Rectification | **Update** — correct/update personal data |
| Article 17 | Right to Erasure ("Right to be Forgotten") | **Delete** — remove or anonymize personal data |

> When the request type is **Delete**, some services may **anonymize** personal data rather than fully delete it, depending on the service.
> Processing happens **asynchronously** — the request is created and initiated but may not complete immediately.

---

## GDPR API — Two Endpoints

### 1. Subjects Endpoint
Used to **identify** which subjects match a given search term before submitting a request.

| Attribute | Detail |
|---|---|
| Purpose | Find which individuals a search term matches — reduces risk of accidental data changes |
| Accepted search term types | Name · Address · Phone number · Email address · Social media handle |
| Returns | List of matching subjects — each is a `userId`, `externalContactId`, or `dialerContactId` |
| Best practice | **Always use subjects endpoint first** before submitting a requests endpoint call |

### 2. Requests Endpoint
Used to **initiate** an actual GDPR request (Get, Export, Update, or Delete).

| Attribute | Detail |
|---|---|
| Accepted search term types | Name · Address · Phone · Email · Social media handle · User ID · External Contact ID · Dialer Contact ID |
| Request types | `Get` · `Export` (Article 15) · `Update` (Article 16) · `Delete` (Article 17) |
| Multiple identifiers | Submit one request **per identifier** — if a person has name + phone + email, submit three separate requests |
| ID resolution | If a User ID or External Contact ID is provided, Genesys resolves it to the full record first |
| Processing | **Asynchronous** |

---

## Services That Require a Subject to Be Included

The following services require a `subject` (not just a search term) in the GDPR API request:

- **Outbound Dialing**
- **Directory**
- **External Contacts**

---

## Social Media Search Fields

| Channel | Searchable Fields |
|---|---|
| Twitter / X | `screenName` (@ handle) · `id` (account ID) |
| Instagram | `scopedId` · `handle` (username) |
| Facebook | `scopedId` |
| Apple Messages for Business | `opaqueId` (Apple-generated per-account identifier) |

---

## File Attachments in ACD Interactions

Genesys Cloud does **not** search the contents of file attachments for personal data. Instead:

- A GDPR request using an External ID will find the conversation and any associated file attachments
- On a Delete request, associated file attachments are removed regardless of content
- **Requirement:** ACD interactions containing personal data in file attachments must be associated with a contact profile in **External Contacts** — otherwise they cannot be found via the GDPR API

---

## Merged Contacts (Single Customer View)

If your org uses the single customer view (contact merging):

| Step | Action |
|---|---|
| Subjects endpoint | May return multiple External Contact IDs for the same person (same merge set) |
| Identify merge sets | Use External Contacts API — fetch each contact and check `canonicalContact` field |
| Requests endpoint | Submit only **one request per merge set** using the canonical contact ID |
| Behavior | GDPR API automatically duplicates the request for each contact in the merge set |
| Related requests | Each related request succeeds or fails independently — inspect each individually |
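
The merge-set rule above, as an added example (not Genesys code and not from the original notes): it collapses the External Contact records fetched for each subjects-endpoint match into one planned request per merge set. The sample records, the shape of `canonicalContact` (an object with an `id`, absent on unmerged contacts), and the plan dictionary are assumptions made for illustration; the plan is a local worklist, not the API's request body.

```python
from collections import defaultdict

# Constructed sample: External Contact records fetched for each
# externalContactId that the subjects endpoint returned.
# Assumption: `canonicalContact` carries the canonical contact's `id`
# and is missing on contacts that were never merged.
SAMPLE_CONTACTS = [
    {"id": "ec-001", "canonicalContact": {"id": "ec-003"}},
    {"id": "ec-002", "canonicalContact": {"id": "ec-003"}},
    {"id": "ec-003", "canonicalContact": {"id": "ec-003"}},
    {"id": "ec-010"},                                        # unmerged
    {"id": "ec-020", "canonicalContact": {"id": "ec-021"}},  # canonical not among matches
]

REQUEST_TYPES = {"Get", "Export", "Update", "Delete"}  # names as listed in these notes


def canonical_id(contact):
    """Return the canonical contact ID; an unmerged contact is its own canonical."""
    canonical = contact.get("canonicalContact") or {}
    return canonical.get("id") or contact["id"]


def group_merge_sets(contacts):
    """Map canonical contact ID -> sorted IDs of the matched contacts in that merge set."""
    merge_sets = defaultdict(list)
    for contact in contacts:
        merge_sets[canonical_id(contact)].append(contact["id"])
    return {canon: sorted(ids) for canon, ids in merge_sets.items()}


def plan_requests(contacts, request_type):
    """Build one planned request per merge set, keyed on the canonical contact ID."""
    if request_type not in REQUEST_TYPES:
        raise ValueError(f"unknown request type: {request_type!r}")
    plans = []
    for canon, members in sorted(group_merge_sets(contacts).items()):
        plans.append({
            "requestType": request_type,
            "externalContactId": canon,   # submit with the canonical ID only
            "matchedContacts": members,   # matches this single request covers
        })
    return plans


if __name__ == "__main__":
    for plan in plan_requests(SAMPLE_CONTACTS, "Delete"):
        print(plan)
```

`matchedContacts` lists only the contacts the search returned, so a merge set may contain further members; each related request the API creates still has to be inspected on its own.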

---

## What Personal Data Should NOT Be Stored in Genesys Cloud

To ensure the GDPR API can locate and manage personal data correctly, avoid storing personal data in these locations:

| Location | Why to Avoid |
|---|---|
| Architect flow names, descriptions, state names, task names, action names | GDPR API cannot search these |
| Prompt text-to-speech values | Not searchable |
| Directory personal status | Not searchable via GDPR API |
| Custom attributes (unless associated with an External Contact) | GDPR API cannot find data in custom variables unless linked to a contact |

---

## Response Timeframes (Approximate)

| Request Type | Approximate Processing Time |
|---|---|
| Access / Export (Article 15) | 1–2 days |
| Removal / Delete (Article 17) | Up to **14 days** |

> These are approximate values. Actual times may vary.

---

## Genesys Cloud's GDPR Governance Structure

| Role | Responsibility |
|---|---|
| Chief Privacy Officer | Oversees company-wide data privacy program |
| European Data Protection Officer (DPO) | Oversees compliance with European data protection law |
| VP Security & GRC | Security and regulatory compliance oversight |
| Security & Compliance team | Holds IAPP (International Association of Privacy Professionals) certification |

---

## GDPR and Other Regulations

| Regulation | How Genesys Cloud Addresses It |
|---|---|
| GDPR (EU) | GDPR API; data processor role; DPA available; IAPP-trained staff |
| CCPA (California) | Same GDPR API handles CCPA data subject requests — no separate configuration needed |
| HIPAA | Independent third-party audits |
| PCI DSS | Secure call flows; recording controls; policy exclusions |
| HDS (France) | Genesys Cloud has undergone independent audit to achieve HDS certification |
| LGPD (Brazil) | Aligned with GDPR principles |

---

## Best Practices

| Practice | Reason |
|---|---|
| Always use the subjects endpoint first | Identify exact individuals before submitting a modification or deletion request |
| Submit a request per identifier | If the person has a name, phone, and email — submit three separate requests |
| Associate ACD interactions with External Contact profiles | Required for GDPR API to locate file attachments |
| Do not store PII in flow names or prompt values | GDPR API cannot search these |
| Do not use GDPR API for bulk deletion | Rate limits will restrict bulk operations — use the API for individual requests only |
| Contact dataprivacy@genesys.com for DPA | Required under GDPR Article 28 for organizations subject to GDPR |

---

## Key Takeaways

| Topic | Summary |
|---|---|
| Genesys role | Data **Processor** — you are the Data **Controller** |
| GDPR API | Preferred self-service solution for responding to data subject requests |
| Two endpoints | **Subjects** (identify who) → **Requests** (initiate the action) |
| Request types | Export (Article 15) · Update (Article 16) · Delete (Article 17) |
| Delete behavior | Some services anonymize rather than fully delete |
| Processing | Asynchronous |
| Rate limits | Designed for individual requests only — not bulk operations |
| No UI | GDPR API is developer/API-based — no Admin UI page |
| CCPA | Same GDPR API handles CCPA requests |
| Timeframes | Access: 1–2 days; Removal: up to 14 days |