GDPR Handover

This document explains how GDPR actions currently work in InsightEngine from an operational perspective.

What Is In Place

  • Users can download their personal data.
  • Users can delete their account, with identity anonymization.
  • Organization admins can anonymize individual survey participants.
  • Analytics tracking is only enabled after explicit cookie consent.
  • GDPR-sensitive actions are recorded in audit history.

Right of Access (Data Export)

Users can request and download a copy of their personal data from Settings.

Current export includes:

  • profile details
  • memberships
  • survey response records linked to the user
  • access and activity log records related to the user

Outcome:

  • the user receives a downloadable data file for portability and review.

Right to Erasure (User Account Deletion)

Registered users can delete their own account from Settings after password confirmation.

When this happens:

  • personally identifying profile fields are anonymized
  • direct account access is removed
  • active relationships tied to the account are removed
  • historical records needed for accountability are retained in anonymized form
  • an erasure event is recorded in audit history

Outcome:

  • identity is removed while compliance and aggregate reporting continuity are preserved.

Participant Erasure (Organization Admin Action)

Organization owners and super admins can anonymize a participant record.

When this happens:

  • participant names are replaced with anonymized values
  • the record is marked as erased for active participant views
  • an erasure event is written to audit history with actor and context details

Outcome:

  • participant identity is removed from normal operational views while non-identifying analysis can remain available.

Consent-Gated Analytics Tracking

Analytics tracking is consent-gated.

Behavior:

  • users are presented with an explicit accept/reject choice
  • analytics runs only after acceptance
  • if consent is rejected or not given, analytics does not initialize

Outcome:

  • tracking aligns with consent requirements.
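The gate described above (explicit accept/reject, tracker initialized only after acceptance, nothing initialized when consent is rejected or absent) can be written as a small module with the storage and the tracker initializer injected, so the same logic runs in the browser and under test. This is an added example, not InsightEngine's own code; the storage key, the consent record layout, the consent version and the memoryStorage stand-in are assumptions for the example.

```javascript
// Added example (not InsightEngine's own code): a consent gate that decides
// whether the analytics tracker may initialize. Storage and the initializer are
// injected so the same logic runs in a browser (window.localStorage plus a
// function that injects the tracker script) or in a test. The storage key,
// record layout and consent version are assumptions for the example.
const CONSENT_KEY = "analytics_consent";
const CONSENT_VERSION = 1;

function createConsentGate({ storage, initAnalytics, now = () => Date.now() }) {
  let initialized = false;

  // Fail closed: anything missing, unparseable, unknown or from an older
  // consent version counts as "no consent".
  function readConsent() {
    let raw;
    try { raw = JSON.parse(storage.getItem(CONSENT_KEY)); } catch (e) { return null; }
    if (!raw || raw.version !== CONSENT_VERSION) return null;
    if (raw.decision !== "accepted" && raw.decision !== "rejected") return null;
    return raw;
  }

  function record(decision) {
    storage.setItem(CONSENT_KEY,
      JSON.stringify({ version: CONSENT_VERSION, decision, at: now() }));
  }

  // The only path that starts the tracker, and it runs at most once per page.
  function initIfAccepted() {
    const consent = readConsent();
    if (consent && consent.decision === "accepted" && !initialized) {
      initAnalytics();
      initialized = true;
    }
    return initialized;
  }

  return {
    // "pending" means the banner must be shown; no tracker until a decision.
    status() { const c = readConsent(); return c ? c.decision : "pending"; },
    needsBanner() { return readConsent() === null; },
    accept() { record("accepted"); return initIfAccepted(); },
    // Withdrawal after the tracker already started needs a reload (or an
    // explicit stop call on the tracker) to take effect on the current page.
    reject() { record("rejected"); return false; },
    // Call on every page load: re-initializes only for a stored acceptance.
    boot() { return initIfAccepted(); },
    isInitialized() { return initialized; },
  };
}

// Minimal in-memory stand-in for window.localStorage (constructed for the
// example; the real thing has the same getItem/setItem/removeItem interface).
function memoryStorage(initial = {}) {
  const data = { ...initial };
  return {
    getItem: (k) => (k in data ? data[k] : null),
    setItem: (k, v) => { data[k] = String(v); },
    removeItem: (k) => { delete data[k]; },
  };
}
```

In the browser, memoryStorage() is replaced by window.localStorage and initAnalytics by the function that inserts the tracker script; boot() runs once on page load, and the banner's accept and reject buttons call accept() and reject(). Bumping CONSENT_VERSION invalidates every stored decision, which is what you want when the set of analytics purposes changes and consent has to be asked again.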

Audit and Accountability

GDPR-relevant actions are auditable.

Recorded events include:

  • who performed the action
  • what type of action occurred (including erasure)
  • when it occurred
  • route and client context needed for compliance review

Outcome:

  • privacy actions can be evidenced during internal review or external audit.

Data Retention Position

The current approach anonymizes records in erasure flows rather than destroying all historical data in every case.

Rationale:

  • protect data subject identity
  • preserve compliance traceability
  • preserve aggregate analytics integrity

Operational Notes for Handover

  • Erasure actions are irreversible in practical terms for personal identity.
  • Access to participant erasure is restricted to authorised roles.
  • Data export and account deletion are user-initiated self-service actions.
  • Audit records are central to demonstrating GDPR accountability.
gdpr.1774523841.txt.gz · Last modified: by moshmage