GDPR Data Subject Rights
Last updated: April 2026
The GDPR grants individuals eight fundamental rights over their personal data. This guide explains each right, how to exercise it with FeatureSignals, and how our platform helps your organization meet its obligations as a data controller.
Controller vs. Processor
FeatureSignals acts as a data processor when you use our platform. Your organization is the data controller and is responsible for responding to data subject requests. FeatureSignals provides the technical capabilities to fulfill those requests.
Right of Access (Article 15)
Data subjects can request a copy of all personal data you hold about them. FeatureSignals provides API endpoints and export tools to retrieve user data:
- Export user profile data via the Management API
- Retrieve audit log entries scoped to the requesting user
- Download evaluation history associated with the user context
- Response time target: within 30 days (GDPR requirement)
GET /v1/users/{userId}/data-export
Right to Rectification (Article 16)
Data subjects can request correction of inaccurate or incomplete personal data. FeatureSignals enables:
- Self-service profile updates via the Flag Engine dashboard
- Admin-initiated corrections through the team management interface
- API-based correction for automated workflows
- Audit trail records the before/after state of all corrections
Right to Erasure — “Right to be Forgotten” (Article 17)
Data subjects can request deletion of their personal data under specific circumstances. FeatureSignals implements a two-phase deletion process:
- Soft delete (immediate): Account is deactivated, user cannot log in. Data is flagged for deletion but recoverable for 30 days.
- Hard delete (day 31): All personal data is permanently purged. Audit log entries are anonymized (user ID replaced with a non-reversible hash). Backups cycle out within 90 days.
DELETE /v1/users/{userId}/gdpr-erasure
Right to Data Portability (Article 20)
Data subjects can receive their personal data in a structured, commonly used, machine-readable format and transmit it to another controller. FeatureSignals supports:
| Format | Data Included | Method |
|---|---|---|
| JSON | Profile, team memberships, audit log entries | API export endpoint |
| CSV | Evaluation history, flag change log | Dashboard export |
| Machine-readable archive | Complete data package (all categories) | Email request to DPO |
Right to Object (Article 21)
Data subjects can object to processing of their personal data for direct marketing, research, or legitimate interest grounds. FeatureSignals:
- Does not use personal data for marketing or profiling
- Processes only the data necessary to provide the feature flag service
- Honors objection requests within 72 hours of receipt
- Maintains an objection register for compliance documentation
Rights Related to Automated Decision-Making (Article 22)
Data subjects have the right not to be subject to decisions based solely on automated processing that produce legal effects. FeatureSignals:
- Does not perform automated decision-making that has legal or similarly significant effects on individuals
- Flag evaluations are deterministic rule evaluations, not profiling
- Targeting rules are configured by your team, not by automated systems
How FeatureSignals Helps You Comply
As a data controller, your organization is responsible for handling data subject requests. FeatureSignals provides the infrastructure to make compliance straightforward:
API-First Design
Every data subject right is backed by an API endpoint. Integrate DSAR fulfillment into your existing privacy workflow.
Automated Erasure
Trigger GDPR-compliant deletion with a single API call. Soft delete with 30-day grace period, then permanent purge.
Portable Exports
Export user data in JSON or CSV formats suitable for transmission to another controller.
Audit Trail Integrity
All access, rectification, and erasure operations are logged with SHA-256 chain hashing for tamper evidence.
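A sketch of how a SHA-256 hash chain makes an audit trail tamper-evident, added here as an illustration and not FeatureSignals' own code. It assumes each entry stores a keyed pseudonym (HMAC-SHA-256 with a per-user key) instead of the raw user ID, so destroying the key at hard delete does not rewrite chained records; the field names, `GENESIS` value and sample data are constructed, and the page does not describe how FeatureSignals combines the two.

```python
import hashlib, hmac, json, os

GENESIS = "0" * 64  # constructed anchor value used as "prev" for the first entry

def pseudonym(user_id: str, key: bytes) -> str:
    # Keyed hash: cannot be recomputed from user_id once the per-user key is destroyed.
    return hmac.new(key, user_id.encode(), hashlib.sha256).hexdigest()

def entry_hash(prev_hash: str, body: dict) -> str:
    # Canonical JSON so the same body always hashes to the same value.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()

def append(log: list, op: str, subject: str, ts: str) -> None:
    # Each entry commits to its predecessor's hash, linking the whole history.
    prev = log[-1]["hash"] if log else GENESIS
    body = {"op": op, "subject": subject, "ts": ts}
    log.append({**body, "prev": prev, "hash": entry_hash(prev, body)})

def first_broken_link(log: list):
    """Return the index of the first entry that fails verification, or None."""
    prev = GENESIS
    for i, e in enumerate(log):
        body = {"op": e["op"], "subject": e["subject"], "ts": e["ts"]}
        if e["prev"] != prev or e["hash"] != entry_hash(prev, body):
            return i
        prev = e["hash"]
    return None

def build_sample_log() -> list:
    # Constructed sample: one user and the three operation types named above.
    keys = {"user-123": os.urandom(32)}
    subject = pseudonym("user-123", keys["user-123"])
    log = []
    append(log, "access", subject, "2026-04-01T10:00:00Z")
    append(log, "rectification", subject, "2026-04-02T11:30:00Z")
    append(log, "erasure", subject, "2026-04-03T09:15:00Z")
    del keys["user-123"]  # hard delete: key destroyed, chained entries untouched
    return log

if __name__ == "__main__":
    log = build_sample_log()
    print("intact chain, first broken link:", first_broken_link(log))
    log[1]["op"] = "access"  # simulate an in-place edit of a stored entry
    print("after edit, first broken link:", first_broken_link(log))
```

A chain like this detects edits, insertions and removals in the middle of the log; detecting truncation of the newest entries also requires keeping the latest hash somewhere the log writer cannot alter.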
Data Protection Officer
For GDPR inquiries, data subject requests, or to escalate a privacy concern:
- Email: dpo@featuresignals.com
- Privacy request form: Contact Privacy Team
- Response SLA: within 72 hours for urgent requests, 30 days for standard DSARs