GDPR Compliance Checklist

This document tracks GDPR compliance implementation for the KoproGo platform.

✅ Implemented Features

Article 15: Right to Access (Data Export)

  • Endpoint: GET /api/v1/gdpr/export

  • Authentication: JWT-based, self-service + SuperAdmin bypass

  • Authorization: Users can only export their own data (unless SuperAdmin)

  • Data Included:

    • User profile (email, name, role, created_at, updated_at)

    • Owner profiles (all linked via email)

    • Related data (buildings, units, expenses, meetings, documents)

    • Ownership history (unit_owners with temporal tracking)

  • Export Format: JSON with structured data

  • Metadata: Total items count, export date (RFC3339)

  • Audit Logging: Success and failure events persisted to database

  • Tests: Unit tests (use cases, DTOs) + E2E tests

Article 17: Right to Erasure (Data Deletion)

  • Endpoint: DELETE /api/v1/gdpr/erase

  • Authentication: JWT-based, self-service + SuperAdmin bypass

  • Authorization: Users can only erase their own data (unless SuperAdmin)

  • Anonymization Strategy:

    • Users: is_anonymized=true, email/name/phone replaced with anonymized_*

    • Owners: Same anonymization pattern

    • Preserves referential integrity: rows are anonymized in place, not deleted, because linked financial records are under a 7-year retention obligation

  • Legal Holds Validation:

    • Checks for unpaid expenses before erasure

    • Returns 409 Conflict if legal obligations prevent deletion

  • Audit Logging: Success and failure events persisted to database

  • Tests: Unit tests (use cases, DTOs, repositories) + E2E tests planned

Article 17: Erasure Eligibility Check

  • Endpoint: GET /api/v1/gdpr/can-erase

  • Functionality: Pre-flight check for legal holds

  • Returns: Boolean can_erase with user_id

  • Audit Logging: GdprErasureCheckRequested event logged
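The erase flow described in the two Article 17 blocks above (self-service or SuperAdmin authorization, the legal-hold check shared by can-erase and erase, in-place anonymization, audit event), as an added example that is not KoproGo's own code. It models the repository in memory; the type names, the id-suffixed anonymized_* values, the reserved `.invalid` mail domain and the sample records are assumptions made for illustration.

```rust
// Added example (not KoproGo's own code): the Article 17 erase flow modelled in
// memory. Type names, the id-suffixed anonymized_* values and the reserved
// `.invalid` mail domain are assumptions for illustration.
use std::collections::HashMap;

#[derive(Clone, Debug, PartialEq)]
pub enum Role { User, SuperAdmin }

#[derive(Clone, Debug)]
pub struct User { pub id: u64, pub email: String, pub name: String, pub phone: Option<String>, pub role: Role, pub is_anonymized: bool }

#[derive(Clone, Debug)]
pub struct Owner { pub id: u64, pub email: String, pub name: String, pub phone: Option<String>, pub is_anonymized: bool }

#[derive(Clone, Debug)]
pub struct Expense { pub id: u64, pub owner_id: u64, pub paid: bool }

#[derive(Debug, PartialEq)]
pub enum GdprError {
    Forbidden,                                 // 403: caller is neither the target nor SuperAdmin
    NotFound,                                  // 404
    Conflict { unpaid_expense_ids: Vec<u64> }, // 409: a legal hold blocks erasure
}

#[derive(Clone, Debug, PartialEq)]
pub enum AuditEvent {
    GdprDataErased { user_id: u64, owners_anonymized: usize },
    GdprDataErasureFailed { user_id: u64, reason: String },
}

pub struct Store { pub users: HashMap<u64, User>, pub owners: Vec<Owner>, pub expenses: Vec<Expense>, pub audit: Vec<AuditEvent> }

impl Store {
    /// Self-service or SuperAdmin bypass. Runs before the target row is read, so a
    /// non-admin gets the same 403 for a foreign id and for a nonexistent one.
    fn authorize(caller: &User, target_id: u64) -> Result<(), GdprError> {
        if caller.id == target_id || caller.role == Role::SuperAdmin { Ok(()) } else { Err(GdprError::Forbidden) }
    }

    /// Legal-hold check shared by GET /gdpr/can-erase and DELETE /gdpr/erase:
    /// unpaid expenses of every owner profile linked to the user's email.
    pub fn legal_holds(&self, email: &str) -> Vec<u64> {
        let linked: Vec<u64> = self.owners.iter().filter(|o| o.email == email).map(|o| o.id).collect();
        self.expenses.iter().filter(|e| !e.paid && linked.contains(&e.owner_id)).map(|e| e.id).collect()
    }

    /// Anonymizes the user and linked owners in place; returns the owner count.
    pub fn erase_user(&mut self, caller: &User, target_id: u64) -> Result<usize, GdprError> {
        Self::authorize(caller, target_id)?;
        let email = self.users.get(&target_id).ok_or(GdprError::NotFound)?.email.clone();
        let holds = self.legal_holds(&email);
        if !holds.is_empty() {
            let reason = format!("{} unpaid expense(s)", holds.len());
            self.audit.push(AuditEvent::GdprDataErasureFailed { user_id: target_id, reason });
            return Err(GdprError::Conflict { unpaid_expense_ids: holds });
        }
        // Rows and foreign keys survive, identifying fields do not. The id suffix keeps
        // the email unique if the column carries a UNIQUE constraint.
        let mut owners_anonymized = 0;
        for o in self.owners.iter_mut().filter(|o| o.email == email) {
            o.email = format!("anonymized_owner_{}@anonymized.invalid", o.id);
            o.name = "anonymized_owner".to_string();
            o.phone = o.phone.as_ref().map(|_| "anonymized_phone".to_string());
            o.is_anonymized = true;
            owners_anonymized += 1;
        }
        let u = self.users.get_mut(&target_id).expect("existence checked above");
        u.email = format!("anonymized_user_{}@anonymized.invalid", u.id);
        u.name = "anonymized_user".to_string();
        u.phone = u.phone.as_ref().map(|_| "anonymized_phone".to_string());
        u.is_anonymized = true;
        self.audit.push(AuditEvent::GdprDataErased { user_id: target_id, owners_anonymized });
        Ok(owners_anonymized)
    }
}

/// Constructed sample data (not real records): Alice has only paid expenses,
/// Bob has an unpaid one that puts his data under a legal hold.
pub fn sample_store() -> Store {
    let user = |id, email: &str, name: &str, phone: Option<&str>| User {
        id, email: email.into(), name: name.into(), phone: phone.map(String::from), role: Role::User, is_anonymized: false,
    };
    let owner = |id, email: &str, name: &str| Owner { id, email: email.into(), name: name.into(), phone: None, is_anonymized: false };
    Store {
        users: HashMap::from([(1, user(1, "alice@example.com", "Alice", Some("+32 400 00 00 00"))), (2, user(2, "bob@example.com", "Bob", None))]),
        owners: vec![owner(100, "alice@example.com", "Alice"), owner(101, "bob@example.com", "Bob")],
        expenses: vec![Expense { id: 500, owner_id: 100, paid: true }, Expense { id: 501, owner_id: 101, paid: false }],
        audit: Vec::new(),
    }
}

fn main() {
    let mut store = sample_store();
    let (alice, bob) = (store.users[&1].clone(), store.users[&2].clone());
    println!("alice: {:?}", store.erase_user(&alice, 1)); // Ok(1)
    println!("bob:   {:?}", store.erase_user(&bob, 2));   // Err(Conflict { unpaid_expense_ids: [501] })
}
```

Two details matter more than the happy path. The authorization check runs before any lookup of the target, so a non-admin receives the same 403 for another user's id and for an id that does not exist, which removes user-id probing. The anonymized email embeds the row id so it stays unique under a UNIQUE constraint while no longer identifying anyone; the `.invalid` domain is reserved and can never receive mail. A real handler should also revoke the erased user's live JWTs or sessions once the anonymization commits.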

Article 20: Right to Data Portability

  • Machine-Readable Format: JSON export with consistent structure

  • Complete Data Set: All personal data included in export

  • Timestamp Standardization: RFC3339 format for all dates

Article 30: Records of Processing Activities

  • Audit Log Table: audit_logs with comprehensive tracking of GDPR operations

    • Caveat: Article 30 asks for a written record of processing activities (purposes, categories of data and data subjects, recipients, retention periods, security measures). The audit log evidences individual operations and feeds that record; it does not replace it (see Privacy Policy under TODO)

  • Retention Policy: 7-year retention (Belgian accounting-law retention period; GDPR itself fixes no period, Article 5(1)(e) only requires storage limited to what the purpose needs)

    • retention_until field with default NOW() + 7 years

    • Index on retention_until for efficient cleanup

  • Event Types: 5 GDPR-specific event types

    • GdprDataExported

    • GdprDataExportFailed

    • GdprDataErased

    • GdprDataErasureFailed

    • GdprErasureCheckRequested

  • Audit Data Captured:

    • Event type, timestamp, user_id, organization_id

    • Resource type and ID

    • Success/failure status

    • Error messages (for failures)

    • Metadata (operation-specific details)

    • IP address and user agent (columns exist in the schema; handlers do not populate them yet, see Security Considerations TODO)

  • Persistence: Async logging to database via AuditLogger (the write must not be fire-and-forget: a dropped insert silently loses the record of an erasure, so write failures need to be logged and alerted on)

  • Repository Methods: 7 methods for querying/managing audit logs

    • create, find_by_id, find_all_paginated

    • find_recent, find_failed_operations

    • delete_older_than, count_by_filters

  • Tests: E2E tests verify persistence and retention

🚧 Partially Implemented / TODO

General GDPR Requirements

  • Privacy Policy: Document data processing activities

  • Consent Management: Cookie consent, data processing consent

  • Data Protection Officer (DPO): Designate DPO contact

  • Data Breach Notification: 72-hour breach notification procedure

  • Data Minimization: Review data collection practices

  • Purpose Limitation: Document purpose for each data field

  • Storage Limitation: Automated cleanup of expired data

  • Security Measures: Encryption at rest, encryption in transit

  • Data Processing Agreements: Contracts with third-party processors

Article 13-14: Information to be Provided

  • Transparency: Inform users about data processing at registration

  • Privacy Notice: Clear explanation of data usage

Article 16: Right to Rectification

  • Endpoint: PATCH /api/v1/gdpr/rectify (user profile updates)

  • Functionality: Allow users to correct inaccurate data

Article 18: Right to Restriction

  • Endpoint: POST /api/v1/gdpr/restrict

  • Functionality: Temporarily restrict data processing

Article 21: Right to Object

  • Endpoint: POST /api/v1/gdpr/object

  • Functionality: Allow users to object to data processing

Article 25: Data Protection by Design and Default

  • Pseudonymization: Hash or mask sensitive data where possible

  • Access Controls: Role-based access control (RBAC) - partially implemented

  • Encryption: Encrypt sensitive fields in database

Article 32: Security of Processing

  • Encryption at Rest: Database encryption (community PostgreSQL ships no TDE; use volume/filesystem encryption or a TDE-capable distribution)

  • Encryption in Transit: HTTPS enforced (production)

  • Password Security: Bcrypt with proper cost factor (implemented)

  • Session Management: Secure JWT handling (implemented)

  • Audit Log Security: Access-controlled audit log viewing

  • Backup Encryption: Encrypted backups with retention

Article 33-34: Data Breach Procedures

  • Breach Detection: Monitoring and alerting system

  • Breach Response Plan: Documented incident response procedure

  • Notification Templates: Email templates for breach notifications

📊 Test Coverage

Unit Tests

  • Domain Layer: 9 tests for GDPR entities

  • Application Layer:

    • GDPR DTOs: 6 tests

    • GDPR Use Cases: 9 tests (mocked repository)

    • AuditLogger: 1 test

  • Infrastructure Layer:

    • PostgresGdprRepository: Compile-time verified queries

    • GDPR Handlers: 3 structural tests

  • Total: 180 unit tests passing

Integration Tests

  • E2E GDPR Tests: 2 tests in tests/e2e_gdpr_audit.rs, covering:

    • Audit log persistence for export

    • Audit log persistence for erasure check

    • 7-year retention validation

  • E2E GDPR Workflows: Full GDPR export/erase scenarios (planned)

Planned Tests

  • BDD Scenarios: Cucumber tests for user-facing GDPR workflows (Phase 9)

  • Playwright E2E: Frontend GDPR interface tests (Phase 12)

  • Performance Tests: Load testing for audit log writes

🔒 Security Considerations

Implemented

  • Authentication: JWT-based with role enforcement

  • Authorization: Self-service + SuperAdmin bypass

  • Input Validation: UUID validation, DTO validation

  • SQL Injection Prevention: sqlx with parameterized queries

  • Error Handling: Generic error messages returned to the client, details only in server-side logs

  • Audit Logging: All GDPR operations logged

TODO

  • Rate Limiting: Prevent abuse of GDPR endpoints

  • IP Address Logging: Capture client IP in audit logs

  • User Agent Logging: Capture client user agent in audit logs

  • MFA for Erasure: Require additional verification for data erasure

  • Email Confirmation: Send confirmation email after export/erase

  • Cooldown Period: Prevent repeated export requests (e.g., 1 per day)

📅 Retention Policies

Implemented

  • Audit Logs: 7-year retention (Article 30 accountability; the period comes from Belgian accounting law, not from GDPR)

    • Database field: retention_until

    • Index for efficient cleanup queries

    • Repository method: delete_older_than()

TODO

  • Automated Cleanup Job: Cron job to delete expired audit logs

  • Anonymized User Cleanup: Determine retention for anonymized data

  • Document Retention: Define retention for uploaded documents

  • Financial Data Retention: 7-year minimum for Belgium law
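Retention enforcement for the audit_logs table described under Article 30 and in this Retention Policies section, as an added example that is not KoproGo's own code. The in-memory repository and the AuditLog/AuditLogRepo names are assumptions, and SEVEN_YEARS_SECS approximates the column default NOW() + 7 years (PostgreSQL INTERVAL arithmetic is calendar-aware, this model uses fixed seconds).

```rust
// Added example (not KoproGo's own code): audit_logs retention modelled in memory.
// AuditLog/AuditLogRepo are assumed names; SEVEN_YEARS_SECS approximates the column
// default NOW() + 7 years (PostgreSQL INTERVAL arithmetic is calendar-aware).
pub const SEVEN_YEARS_SECS: u64 = 7 * 365 * 86_400;

#[derive(Clone, Debug, PartialEq)]
pub struct AuditLog {
    pub id: u64,
    pub event_type: String,
    pub success: bool,
    pub created_at: u64,      // unix seconds
    pub retention_until: u64, // unix seconds; the cleanup predicate uses this, never created_at
}

#[derive(Default)]
pub struct AuditLogRepo { rows: Vec<AuditLog>, next_id: u64 }

impl AuditLogRepo {
    /// Default retention, mirroring the column default `retention_until = NOW() + 7 years`.
    pub fn create(&mut self, event_type: &str, success: bool, created_at: u64) -> u64 {
        self.create_with_retention(event_type, success, created_at, created_at + SEVEN_YEARS_SECS)
    }

    /// Explicit retention, for rows a legal hold must keep beyond the default period.
    pub fn create_with_retention(&mut self, event_type: &str, success: bool, created_at: u64, retention_until: u64) -> u64 {
        self.next_id += 1;
        self.rows.push(AuditLog { id: self.next_id, event_type: event_type.to_string(), success, created_at, retention_until });
        self.next_id
    }

    /// Deletes rows whose retention period has elapsed at `now` and returns how many.
    /// A row that is older than seven years but still under hold is kept, because the
    /// predicate is on `retention_until` (the indexed column), not on `created_at`.
    pub fn delete_older_than(&mut self, now: u64) -> usize {
        let before = self.rows.len();
        self.rows.retain(|r| r.retention_until > now);
        before - self.rows.len()
    }

    pub fn find_failed_operations(&self) -> Vec<&AuditLog> {
        self.rows.iter().filter(|r| !r.success).collect()
    }

    pub fn len(&self) -> usize { self.rows.len() }
}

fn main() {
    let mut repo = AuditLogRepo::default();
    let t0 = 1_700_000_000; // constructed timestamp
    repo.create("GdprDataExported", true, t0);
    repo.create_with_retention("GdprDataErasureFailed", false, t0, t0 + 2 * SEVEN_YEARS_SECS);
    // Nightly job, run right at the end of the default period: only the first row goes.
    println!("deleted {}", repo.delete_older_than(t0 + SEVEN_YEARS_SECS)); // deleted 1
    println!("remaining {}", repo.len());                                   // remaining 1
}
```

The point of the model is the predicate in delete_older_than: it compares retention_until with the current time, not created_at with "now minus seven years". That is what lets a single row carry a longer hold (an open dispute, a pending audit) and survive the cleanup job, and it is why the index belongs on retention_until. The cron job should pass the current time rather than a caller-supplied cutoff, so that a misconfigured parameter cannot purge records still inside their retention period.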

🌍 Multi-Tenancy Considerations

Implemented

  • Organization Isolation: All GDPR operations scoped to the caller's organization_id (SuperAdmin excepted, see below)

  • SuperAdmin Override: SuperAdmin can export across organizations

  • User-Owner Linking: Email-based discovery of related owners

  • Partial Anonymization: Only anonymize owners linked to user email

TODO

  • Cross-Tenant Data Leakage Prevention: Security audit

  • Organization-Level GDPR Settings: Custom retention policies per org

📋 Next Steps (Priority Order)

  1. Phase 6: Admin endpoints for GDPR management

    • GET /api/v1/admin/gdpr/audit-logs (with pagination/filters)

    • GET /api/v1/admin/gdpr/users/:id/export (admin-initiated export)

    • DELETE /api/v1/admin/gdpr/users/:id/erase (admin-initiated erasure)

  2. Phase 7: Rate limiting and security hardening

    • Implement rate limiting for GDPR endpoints

    • Add IP address and user agent capture in handlers

    • Email notifications for export/erase operations

  3. Phase 8: Additional GDPR rights

    • Right to Rectification (Article 16)

    • Right to Restriction (Article 18)

    • Right to Object (Article 21)

  4. Phase 9: BDD scenarios (Cucumber)

    • GDPR export workflow

    • GDPR erase workflow with legal holds

    • Audit log verification

  5. Phase 10-11: Frontend implementation

    • Privacy settings page (/settings/privacy)

    • GDPR export button + download

    • GDPR erase button + confirmation modal

    • Admin dashboard for GDPR operations

  6. Phase 12: Playwright E2E tests

    • Complete export workflow (button → download)

    • Complete erase workflow (button → confirmation → success)

    • Admin GDPR management interface

  7. Phase 13: Documentation

    • Privacy Policy

    • Terms of Service

    • Cookie Policy

    • GDPR Compliance Guide for administrators

  8. Phase 14: Automated cleanup and monitoring

    • Cron job for audit log retention

    • Monitoring dashboard for GDPR requests

    • Alerting for failed GDPR operations

✅ Sign-Off

  • Last Updated: 2025-10-30

  • Reviewed By: Development Team

  • GDPR Compliance Status: ⚠️ Partial (Core features implemented, additional requirements pending)

  • Recommended Actions: Proceed with Phase 6-8 before production deployment