GDPR Compliance & UK Data Residency
Available from v0.11.4.
agentOS Block Manager includes built-in tooling for UK GDPR compliance. This covers formal management of data subject rights requests, a UK-compliant Privacy Notice, and a Register of Processing Activities (ROPA) tailored to residential block management.
Overview
| Feature | Location |
|---|---|
| Data subject request dashboard | /dashboard/gdpr |
| Privacy Notice | /privacy |
| Register of Processing Activities | /ropa |
All personal data is stored exclusively in UK-based data centres. This is enforced at the infrastructure level across primary databases, backups, and system logs.
GDPR Dashboard
Navigate to Dashboard → GDPR & Data Protection to access the GDPR module.
Summary Cards
The top of the page shows four summary cards:
- Total Requests — all data subject requests across all statuses
- Pending — requests that are pending or currently in progress
- Overdue — requests that have passed their deadline without being resolved
- Completed — fully completed requests
UK Data Residency Banner
A persistent banner confirms that all personal data is stored in UK-based data centres with AES-256-GCM encryption at rest and row-level security enforcing multi-tenant isolation. The banner links to the Privacy Notice and ROPA.
Managing Data Subject Requests
Request Types
The platform handles six of the data subject rights defined under UK GDPR (Articles 15 to 21) as formal request types:
| Type | GDPR Article | Description |
|---|---|---|
| Subject Access Request | Art. 15 | Data subject requests a copy of all data held about them |
| Right to Erasure | Art. 17 | Data subject requests deletion of their personal data |
| Rectification | Art. 16 | Data subject requests correction of inaccurate data |
| Data Portability | Art. 20 | Data subject requests data in a structured, machine-readable format |
| Restriction of Processing | Art. 18 | Data subject requests limited use of their data |
| Right to Object | Art. 21 | Data subject objects to processing based on legitimate interests or a public task, or to direct marketing |
Request Lifecycle
Each request moves through the following statuses:
- Pending — request received, not yet actioned
- In Progress — request is being processed
- Completed — request fully fulfilled
- Partially Completed — request partially fulfilled (typically erasure requests where financial records must be retained)
- Rejected — request rejected with a recorded reason
- Expired — request passed its deadline without resolution
30-Day Deadline
When a request is created, a 30-day response deadline is automatically calculated from the creation date and shown in the request table and detail panel; overdue requests are highlighted in red. The statutory period under UK GDPR Article 12(3) is one calendar month from the day the request is received, not 30 days from the day it is logged. When the following month is shorter than 30 days, or when a request is entered some days after it arrived, the recorded deadline falls after the statutory one, so treat it as a working reminder and check it against the date of receipt.
An optional extended deadline field is available for complex requests. Article 12(3) permits an extension of up to two further months where requests are complex or numerous, provided the requester is told about the extension, and the reasons for it, within the first month.
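The deadline arithmetic above is easy to get wrong at month ends, so the following is an added worked example (not code from agentOS Block Manager) of the Article 12(3) calculation next to the fixed 30-day one. The function names, the weekend roll-forward and the sample dates are assumptions for illustration; UK public holidays are deliberately not handled because they differ by nation and need a calendar.

```typescript
// Added example, not the product's own code: deadline arithmetic for data subject
// requests under UK GDPR Art. 12(3). Function names and sample dates are assumptions
// made for illustration. All dates are handled in UTC.

const MS_PER_DAY = 86_400_000;

/** Format a UTC date as YYYY-MM-DD. */
function iso(d: Date): string {
  return d.toISOString().slice(0, 10);
}

/** Add calendar months; when the start day does not exist in the target month
 *  (31 Jan + 1 month), clamp to the last day of that month (28/29 Feb). */
function addCalendarMonths(d: Date, months: number): Date {
  const y = d.getUTCFullYear();
  const m = d.getUTCMonth() + months;
  // Day 0 of the following month is the last day of month m; Date.UTC rolls m past 11.
  const lastDay = new Date(Date.UTC(y, m + 1, 0)).getUTCDate();
  return new Date(Date.UTC(y, m, Math.min(d.getUTCDate(), lastDay)));
}

/** Roll a Saturday or Sunday deadline forward to the Monday. UK public holidays
 *  differ by nation and need a calendar; they are deliberately not handled here. */
function nextWorkingDay(d: Date): Date {
  const dow = d.getUTCDay(); // 0 = Sunday ... 6 = Saturday
  const shift = dow === 6 ? 2 : dow === 0 ? 1 : 0;
  return new Date(d.getTime() + shift * MS_PER_DAY);
}

/** Statutory deadline: one calendar month from the day the request was received,
 *  plus an optional extension of up to two further months for complex or numerous
 *  requests (the requester must be told about the extension within the first month). */
function statutoryDeadline(received: Date, extensionMonths = 0): Date {
  if (!Number.isInteger(extensionMonths) || extensionMonths < 0 || extensionMonths > 2) {
    throw new RangeError("Art. 12(3) allows an extension of at most two further months");
  }
  return nextWorkingDay(addCalendarMonths(received, 1 + extensionMonths));
}

/** The fixed 30-day deadline recorded by the dashboard, measured from the date the
 *  request record was created. */
function thirtyDayDeadline(created: Date): Date {
  return new Date(created.getTime() + 30 * MS_PER_DAY);
}

/** True when the recorded 30-day deadline falls after the statutory one, i.e. when
 *  treating the recorded date as authoritative would risk a late response. */
function recordedDeadlineOverruns(received: Date, created: Date = received): boolean {
  return thirtyDayDeadline(created).getTime() > statutoryDeadline(received).getTime();
}

/** Constructed comparison: a request received on 31 January 2025 but only logged on
 *  3 February. The statutory date is 28 February; the recorded one is 5 March. */
function worked(): { statutory: string; recorded: string; overruns: boolean } {
  const received = new Date(Date.UTC(2025, 0, 31));
  const created = new Date(Date.UTC(2025, 1, 3));
  return {
    statutory: iso(statutoryDeadline(received)),
    recorded: iso(thirtyDayDeadline(created)),
    overruns: recordedDeadlineOverruns(received, created),
  };
}
```

The overrun case is not exotic: any request received in a month whose successor has fewer than 30 days (January, or February in a leap-year run-up) gets a recorded deadline later than the statutory one, and the gap grows by every day between receipt and data entry.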
Creating a Request
Only users with the Admin role can create and update requests.
- Click New Data Request from the GDPR dashboard
- Select the Request Type
- Select the requester's Relationship (leaseholder, freeholder, contractor, tenant, director/RMC, staff, other)
- Enter the requester's full name and email address
- Optionally provide a description and comma-separated list of data categories
- Click Create Request (30-day deadline)
The 30-day deadline is calculated and recorded automatically at creation time.
Filtering Requests
The request table can be filtered independently by:
- Status — All Statuses, Pending, In Progress, Completed, Partially Completed, Rejected, Expired
- Request Type — All Types, or any of the six UK GDPR request types
Request Detail Panel
Click any row in the table to open the detail panel for that request. The panel shows:
- Request type and requester details (name, email, relationship)
- Current status and deadline (with overdue highlighting)
- Identity verification status and verification method
- Description and data categories
- Financial records retention notice (if applicable)
- Rejection reason (if applicable)
Available actions (admin only, while the request is not yet completed or rejected):
- Verify Identity — marks the requester's identity as verified and records the verification method
- Start Processing — moves the request from Pending to In Progress
- Mark Completed — marks the request as fully completed
- Partially Complete (Financial Records Retained) — for erasure requests only; marks the request as partially completed and records that financial records have been retained under legal obligation
- Reject — marks the request as rejected
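The lifecycle statuses and the detail-panel actions together form a small state machine, and the guards around it are where the security value lies: a data subject request is a classic pretext for extracting someone else's personal data, so fulfilment should never be possible for an unverified requester, and no action should reach a request in another organisation. The following is an added example (not the product's code; its tRPC procedures and schema are not shown on this page) of such a guard. Every type, field and function name is an assumption, and the identity-verification gate on completion and the application-layer tenant check are additions of this example, not behaviour the page states.

```typescript
// Added example, not the product's own code: a guarded state machine for the request
// lifecycle. Names are assumptions for illustration; the identity-verification gate and
// the tenant check are this example's additions, not documented product behaviour.

type RequestType = "access" | "erasure" | "rectification" | "portability" | "restriction" | "objection";
type Status = "pending" | "in_progress" | "completed" | "partially_completed" | "rejected" | "expired";
type Action = "verify_identity" | "start" | "complete" | "partially_complete" | "reject" | "expire";

interface Actor { id: string; orgId: string; role: "admin" | "member" }

interface DataRequest {
  id: string;
  orgId: string;
  type: RequestType;
  status: Status;
  deadline: Date;
  identityVerified: boolean;
  verificationMethod?: string;
  rejectionReason?: string;
  retentionNote?: string;
}

interface AuditEntry { requestId: string; orgId: string; actorId: string; action: Action; at: Date; detail?: string }
interface ActionInput { verificationMethod?: string; reason?: string; now?: Date }

const TERMINAL = new Set<Status>(["completed", "partially_completed", "rejected", "expired"]);

// Statuses each action may start from and the status it produces (null = unchanged).
const TRANSITIONS: Record<Action, { from: Status[]; to: Status | null }> = {
  verify_identity: { from: ["pending", "in_progress"], to: null },
  start: { from: ["pending"], to: "in_progress" },
  complete: { from: ["pending", "in_progress"], to: "completed" },
  partially_complete: { from: ["pending", "in_progress"], to: "partially_completed" },
  reject: { from: ["pending", "in_progress"], to: "rejected" },
  expire: { from: ["pending", "in_progress"], to: "expired" },
};

const RETENTION_NOTE =
  "Non-essential personal data deleted; financial records retained under Art. 17(3)(b) " +
  "and scheduled for deletion when the statutory retention period expires.";

/** Apply one dashboard action, enforcing every guard, and append an audit entry.
 *  Returns a new request object; throws (and records nothing) when a guard fails. */
function applyAction(req: DataRequest, actor: Actor, action: Action, input: ActionInput, audit: AuditEntry[]): DataRequest {
  const now = input.now ?? new Date();
  // Tenant check at the application layer, mirroring the RLS policy on the table.
  if (actor.orgId !== req.orgId) throw new Error("cross-tenant access denied");
  if (actor.role !== "admin") throw new Error("admin role required");
  if (TERMINAL.has(req.status)) throw new Error(`request is ${req.status}; no further actions`);
  const rule = TRANSITIONS[action];
  if (!rule.from.includes(req.status)) throw new Error(`cannot ${action} from ${req.status}`);

  const next: DataRequest = { ...req };
  switch (action) {
    case "verify_identity":
      if (!input.verificationMethod) throw new Error("verification method required");
      next.identityVerified = true;
      next.verificationMethod = input.verificationMethod;
      break;
    case "complete":
    case "partially_complete":
      // Never release or delete data for a requester whose identity is unconfirmed.
      if (!req.identityVerified) throw new Error("identity must be verified before fulfilment");
      if (action === "partially_complete") {
        if (req.type !== "erasure") throw new Error("partial completion applies to erasure requests only");
        next.retentionNote = RETENTION_NOTE;
      }
      break;
    case "reject":
      if (!input.reason) throw new Error("rejection reason required");
      next.rejectionReason = input.reason;
      break;
    case "expire":
      if (now.getTime() <= req.deadline.getTime()) throw new Error("deadline has not passed");
      break;
  }
  if (rule.to) next.status = rule.to;
  audit.push({ requestId: req.id, orgId: req.orgId, actorId: actor.id, action, at: now,
    detail: input.verificationMethod ?? input.reason });
  return next;
}

/** Constructed walk-through of an erasure request: start, verify identity, then partially
 *  complete it with the financial-records retention note. */
function runErasureScenario(): { final: DataRequest; audit: AuditEntry[] } {
  const audit: AuditEntry[] = [];
  const admin: Actor = { id: "u-admin", orgId: "org-1", role: "admin" };
  let req: DataRequest = {
    id: "dsr-1", orgId: "org-1", type: "erasure", status: "pending",
    deadline: new Date(Date.UTC(2025, 2, 3)), identityVerified: false,
  };
  req = applyAction(req, admin, "start", { now: new Date(Date.UTC(2025, 1, 5)) }, audit);
  req = applyAction(req, admin, "verify_identity", { verificationMethod: "photo ID", now: new Date(Date.UTC(2025, 1, 6)) }, audit);
  req = applyAction(req, admin, "partially_complete", { now: new Date(Date.UTC(2025, 1, 10)) }, audit);
  return { final: req, audit };
}
```

Because the guard throws before the audit entry is written, a failed attempt leaves no "completed" record behind; if you also want to record refused attempts (useful for spotting someone probing another organisation's requests), log them separately rather than in the same list as successful transitions.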
Financial Record Retention
Under UK GDPR Article 17(3)(b), the right to erasure does not apply to personal data that must be retained to comply with a legal obligation. For a block management platform this mostly means financial records, and agentOS Block Manager applies the following retention periods:
- Service charge records — 7 years (Companies Act 2006)
- Client money records — 7 years (FCA CASS)
- HMRC tax records — 7 years
These are the platform's configured periods, not statutory minimums: the Companies Act 2006 (s.388), for example, requires a private company to keep its accounting records for three years and a public company for six, so 7 years is a conservative ceiling across the cited regimes rather than the legal floor.
When creating an erasure request, the form displays a warning notice explaining this limitation. When processing an erasure request, the Partially Complete (Financial Records Retained) action automatically records a retention details note: non-essential personal data is deleted immediately, and financial records are scheduled for deletion after the retention period expires.
Privacy Notice (/privacy)
The Privacy Notice at /privacy is written for UK GDPR and Data Protection Act 2018 compliance. It covers:
- Data Controller identity and DPO contact
- UK Data Residency commitment
- Data categories specific to block management (leaseholder data, financial records, compliance data)
- Legal bases for each category of processing
- Retention schedules with specific periods for each data type
- The six UK GDPR data subject rights handled as request types, with article references
- ICO complaints procedure — how to raise a complaint with the Information Commissioner's Office
- Data security measures — AES-256-GCM encryption, row-level security, role-based access control
- Sub-processors and data sharing
Register of Processing Activities (/ropa)
The ROPA at /ropa documents 11 processing activities specific to residential block management:
- Block management operations
- Service charge processing
- Client money management (FCA regulated)
- Leaseholder history records
- Regulatory compliance
- Billing and subscriptions
- Transactional email
- Audit logging
- GDPR request management
- Role-based access control
- Analytics
Each activity entry includes the UK Data Residency column confirming where the associated data is stored.
Access Control
| Action | Required Role |
|---|---|
| View GDPR dashboard | Any authenticated user |
| View request list and summary | Any organisation member (orgProcedure) |
| Create a new request | Admin (adminProcedure) |
| Update request status, assign, verify | Admin (adminProcedure) |
All create and update mutations are recorded in the platform audit log.
Data Isolation
The data_requests table is covered by row-level security (RLS) policies, ensuring that each organisation can only access its own data subject requests. This is consistent with the platform's multi-tenant architecture. Two conditions make that guarantee hold in practice: every database session the application opens must run as a role that is subject to the policies (privileged roles that are exempt from RLS see every organisation's rows), and on pooled connections the organisation identifier the policies evaluate must be set before each query runs. Data that leaves the database, such as a subject access export, audit log entries or backups, needs the same per-organisation scoping, because the policy does not travel with the rows.