General Data Protection Regulation (GDPR) APIs

Getting Started with GDPR APIs

The General Data Protection Regulation (GDPR) APIs provide essential tools for managing personal data under EU regulations. These APIs support Right to Access and Right to Forget requests, ensuring that customer data is handled securely and in compliance with privacy standards.

The GDPR APIs in the Real-time CDP (rCDP) enable organizations to manage sensitive data with transparency and control. These APIs are commonly used in retail, marketing, and customer data analytics scenarios.

This integration allows backend systems to securely submit and manage consumer privacy requests, such as Right to Know (Access Request) and Right to Delete (Right to Forget). The APIs also support request status tracking and provide a structured mechanism for managing compliance-related data operations within the Algonomy platform.

Scope

This section describes the GDPR privacy operations supported by the Real-time CDP (rCDP) APIs. It outlines the capabilities included in the current implementation and identifies features that are not supported.

Included

  • Right to Know ( Access Request)

  • Right to Delete (Right to Forget)

Not Included

  • Right to Correct

  • Opt-out of sale of personal data

  • Sensitive personal information processing

  • Privacy Preference Center

For more information about creating and updating an OAuth access token, see API Authentication.

System Architecture Overview

This section describes the high-level architecture for processing GDPR privacy requests. It explains how requests move through system components, from initiation to execution in the Algonomy rCDP platform.

The GDPR request flow involves the following components:

  • Customer request: The consumer submits a privacy request.

  • Privacy portal or customer support: An interface used by customers or support agents to raise requests.

  • Backend systems: Validate customer identity and prepare the request payload.

  • Middleware or API layer: Handles authentication and orchestrates API calls.

  • GDPR APIs: Accept and process privacy operation requests.

  • Algonomy rCDP platform: Executes data retrieval or deletion operations.

Integration flow

  1. Customer submits a privacy request.

  2. Backend systems validate the customer identity.

  3. Generate an OAuth authentication token.

  4. Backend systems invoke the GDPR APIs.

  5. The rCDP platform processes the request.

  6. A tracking ID is returned.

  7. Use the Request Status API to monitor request completion.

Roles and responsibilities

Area

 Customer responsibilities Algonomy responsibilities
API integration

Develop backend integration

Provide API endpoints and documentation
Customer identity validation

Validate consumer identity

Not applicable

Token management

Generate OAuth tokens

Provide authentication services
Privacy request submission

Submit requests using APIs

Process requests within rCDP
Data processing

Not applicable

Execute retrieval and deletion operations

Infrastructure management

 Maintain internal systems

Maintain the RCDP platform

Monitoring

 Monitor API integrations

Monitor platform processing

Issue resolution

 Investigate integration issues

Investigate platform issues

Compliance handling

Handle customer communication

 Handle customer communication

Deployment strategy

This section describes the recommended approach for deploying GDPR API integrations across environments, including validation, testing, and production readiness.

Stage deployment

  • Use stage API endpoints provided by Algonomy

  • Perform connectivity validation

  • Perform authentication testing

  • Perform integration testing

  • Obtain QA approval

Production deployment

  • Activate production endpoints

  • Exchange credentials

  • Set up monitoring

  • Perform go-live validation

Testing and validation

This section describes the key testing activities required to verify API functionality, ensure successful integration, and validate system behavior.

  • API connectivity testing

  • Token generation testing

  • Access request testing

  • Delete request testing

  • Status tracking validation

  • Error handling validation

Authentication scope

The GDPR APIs use OAuth 2.0 for secure authentication. OAuth is an industry-standard protocol that ensures API calls are made securely using temporary access tokens with limited scope and duration. This approach enhances compliance with security requirements.

To use the GDPR APIs, you must generate OAuth access tokens that provide secure, temporary access to the APIs.

For more information about creating and managing access tokens, see API Authentication.

Obtaining Access Tokens

To interact with the GDPR APIs, it is necessary to first obtain an OAuth access token. Access tokens are essential for API calls and are generated by sending a request that includes specific parameters like the API URL, resources, tenant hash, and OAuth key secret.

Creating an access token requires the following details:

API URL

The API URL, necessary for token generation, can be obtained through your Customer Success Manager (CSM) or the Algonomy support team.

List of GDPR APIs

Access tokens are specific to resources. The available resources for GDPR APIs include registerGdprRequest, revokeGdprActions, and gdprRequestStatus. You can specify one or multiple resources in your token request. To include multiple resources in the payload, separate them with commas.

The following APIs are available to implement GDPR requests in Real-time CDP:

Resources Description
registerGdprRequest Register a GDPR access or forget request.
revokeGdprActions Revoke a previously submitted GDPR request.
gdprRequestStatus Check the status of a submitted GDPR request.

Tenant_hash

You can obtain your tenant_hash by contacting your Customer Success Manager (CSM) or the Algonomy support team.

OAuth_key_secret

OAuth_key_secret is required if the tenant is enabled with B2B API OAuth authentication.

You can obtain your OAuth_key_secret (OAuth secret key) by contacting your Customer Success Manager (CSM) or the Algonomy support team.

There is a soft limit on the number of tokens that can be generated for GDPR B2B APIs daily. The soft limit is 100, but it can be increased as needed. CSM or Algonomy support team for assistance.

Using the Postman Collection

You can use the GDPR B2B APIs Postman collection to understand and implement the GDPR API requests RCDP supports. The following JSON file contains the complete collection. Download the JSON file and import it into Postman to begin using the APIs.

  1. Download or save the JSON file from here.

  2. Save the file with a .json extension, (for example: GDPR_B2B_APIs_Collections.postman_collection.json).

  3. Open Postman (version 2.1 or later).

  4. Select File > Import, browse to the saved file, and choose Import. You can see the GDPR B2B APIs collection in your workspace.

  5. In the collection, open the Variables tab and enter the values provided by your RCDP Customer Success Manager (CSM):

    • B2B_URL

    • TENANT_HASH

    • OAUTH_KEY

  6. Save your changes and start using the requests included in the collection.

  7. If you encounter an authentication error, verify that your OAuth token is valid.

List of GDPR APIs

The following GDPR APIs are available to implement the "Right to access'' and ''Right to forget'' requests in Real-time CDP: