Data Subject Requests (DSR)
Qarion provides built-in support for GDPR Data Subject Requests (DSR), enabling organizations to respond to data export and erasure requests in a structured, auditable workflow.
Overview
Under GDPR, data subjects have the right to request:
- Data Export (Article 15) — A copy of all personal data held about them
- Data Erasure (Article 17) — Deletion or anonymization of their personal data ("Right to be Forgotten")
Qarion automates both of these processes across all platform data — user profiles, comments, audit logs, access requests, quality check results, and more.
Submitting a DSR
Data Subject Requests can be submitted in two ways:
Admin Panel
Organization administrators can create DSR requests on behalf of data subjects:
- Navigate to Admin → Compliance → Data Subject Requests
- Click New Request
- Select the request type (Export or Erasure) and the data subject's email
- Submit the request for processing
OpenDSR API
For programmatic access, Qarion exposes an OpenDSR-compliant API at /opendsr/:
# Submit a data export request
curl -X POST "https://api.qarion.com/opendsr/requests" \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"subject_request_type": "portability",
"subject_identities": [
{"identity_type": "email", "identity_value": "user@example.com"}
]
}'
Data Export
When an export request is processed, Qarion collects all personal data associated with the data subject across platform entities:
- User profile and preferences
- Comments and discussions
- Audit log entries (as actor)
- Access request history
- Quality check attributions
- Meeting participation records
The collected data is assembled into a structured JSON archive that can be downloaded by the administrator.
Data Erasure
When an erasure request is processed, Qarion performs automated anonymization across all tables:
- User profile fields are replaced with anonymized placeholders
- Comments are redacted while preserving thread structure
- Audit log actor references are anonymized
- Access request records are purged
- Referential integrity is preserved throughout the process
Request Lifecycle
Each DSR follows a structured lifecycle:
| Status | Description |
|---|---|
| Pending | Request submitted, awaiting processing |
| Processing | Data collection or erasure in progress |
| Completed | Request fulfilled successfully |
| Failed | Processing encountered an error |
All state transitions are logged in the audit trail for compliance evidence.
Identity Verification
Before processing any request, Qarion requires identity verification:
- Email-based verification for requests submitted via the OpenDSR API
- Admin-initiated requests are verified by the administrator's own authentication
Key Files
| File | Purpose |
|---|---|
app/services/dsr/data_export_service.py | Personal data collection and export |
app/services/dsr/erasure_service.py | Cross-table data anonymization |
app/api/endpoints/dsr.py | Internal DSR management endpoints |
app/api/endpoints/opendsr.py | OpenDSR-compliant public API |