Misc
GDPR
Retention periods, right-to-be-forgotten and data export requests. One place to configure, enforce and evidence your personal-data policy.
Updated May 18, 2026
Configuration · Misc · 7.2
The GDPR module makes personal-data policy concrete and executable in Gfacility: per entity a retention period, automatic anonymisation or deletion when it expires, plus tooling to handle subject requests (access, erasure, portability) quickly.
Why this matters to the business
"DPO asks for evidence"
Retention period set per entity + audit log → evidence of compliance in one click.
"Erasure request is manual"
Tool that finds all personal data of one person and anonymises/deletes per the rules.
"Visitor photos kept 5 years"
Auto-purge after X days on specific fields — photos shorter than names.
"Data export request = IT project"
Export tool generates PDF/JSON with all data of a person — self-service for the DPO.
Policy blocks you configure
| Block | What you configure |
|---|---|
| Retention periods | Per entity and field: how long to retain (closed tickets 24 months, visitor photos 30 days). |
| Anonymisation vs deletion | Anonymise personal data from closed records (reporting preserved) or delete outright? |
| Request templates | Workflows for access, correction, erasure, portability and objection requests. |
| Consent management | Which consents you ask of visitors / external users, with versioning. |
| Audit trail | Logging of who did what on personal data — required for DPIA. |
Which decisions will you make?
Retention periods per entity
Agree with the DPO; base on legal obligation, business interest and risk.
Anonymise or delete?
Anonymisation preserves reporting history; deletion is stricter. Decide per entity.
Who handles requests?
DPO as owner, with SLA (often 30 days statutory). Workflow + auto-assignment.
Keep consent versions
Which consent version did someone give? Renew on privacy-policy change?