Data Subject Rights - Analytics Procedure ​
Document Type: Internal Procedure / Compliance Operations
Category: GDPR Compliance / Data Subject Requests
Date: 2025-11-15
Status: Active
Related Documents:
- analytics-consent-gdpr-compliance.md
- privacy-policy-analytics-cookies.md
Purpose ​
This document provides operational procedures for handling data subject rights requests related to analytics data collected via PostHog on the Hello World Co-op DAO platform.
Scope ​
Applies to: Analytics data only (PostHog tracking)
Does NOT apply to:
- Membership data (Epic 2.1+)
- Payment/financial data (Epic 2.0+)
- Authentication data (Epic 2.1+)
- User-generated content (Epic 3+)
See separate procedures for those data categories.
Data Subject Rights Under GDPR ​
Summary of Rights ​
| Right | GDPR Article | Response Time | Complexity |
|---|---|---|---|
| Right to Access | Art. 15 | 30 days | Low |
| Right to Rectification | Art. 16 | 30 days | N/A (anonymous data) |
| Right to Erasure | Art. 17 | 30 days | Medium |
| Right to Restriction | Art. 18 | 30 days | Low |
| Right to Data Portability | Art. 20 | 30 days | Low |
| Right to Object | Art. 21 | Immediate | Low |
| Right to Withdraw Consent | Art. 7(3) | Immediate | Low |
Request Handling Procedures ​
1. Right to Access (GDPR Article 15) ​
User Request: "What analytics data do you have about me?"
Procedure ​
Step 1: Verify Identity
- Confirm requester's email matches email used on platform (if identified user)
- For anonymous users: Explain we cannot identify their specific data
Step 2: Gather Data from PostHog
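```bash
# PostHog API - Get user events (if user is identified)
# -G makes curl send the -d value as a query string on a GET request;
# without it, -d turns the call into a POST.
curl -G https://app.posthog.com/api/event/ \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -d "person_id=USER_ID"
```
Step 3: Prepare Data Export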
Create JSON export with:
```json
{
  "request_date": "2025-11-15",
  "data_controller": "Hello World Co-op DAO",
  "user_consent_status": "granted",
  "consent_timestamp": "2025-11-15T10:00:00Z",
  "analytics_events": [
    {
      "event": "pageview",
      "timestamp": "2025-11-15T10:05:00Z",
      "properties": {
        "page": "/",
        "referrer": "https://google.com"
      }
    }
  ],
  "data_retention": "90 days for raw events",
  "third_party_processor": {
    "name": "PostHog Inc.",
    "location": "United States",
    "privacy_policy": "https://posthog.com/privacy"
  }
}
```
Step 4: Deliver to User
- Email attachment (encrypted PDF or JSON)
- Include explanation of what data means
- Response time: Within 30 days
Template Response:
Subject: Your Data Access Request - Hello World Co-op DAO
Dear [User],
Thank you for your data access request under GDPR Article 15.
Please find attached a complete export of analytics data we hold about you. This includes:
- Page views and interactions on our website
- Device and browser information
- Session timestamps
This data is used solely for improving our platform's user experience and is retained for 90 days before automatic deletion.
Your current consent status: [granted/denied]
Consent given on: [timestamp]
If you have any questions about this data, please reply to this email.
You have the right to:
- Request deletion of this data (Right to Erasure)
- Withdraw your consent at any time
- Object to processing
Best regards,
Privacy Team
Hello World Co-op DAO
privacy@helloworlddao.com
2. Right to Erasure / "Right to be Forgotten" (GDPR Article 17)
User Request: "Delete all my analytics data"
Procedure ​
Step 1: Verify Identity
- Confirm requester identity
- Check for legal holds or retention obligations
Step 2: Immediate Actions (Web Application)
```typescript
// Option 1: User can do this themselves
import { clearConsent, denyConsent } from '@/utils/consent';
import { optOutTracking } from '@/init-posthog';

clearConsent(); // Remove consent from localStorage
optOutTracking(); // Opt out of PostHog tracking
```
Step 3: PostHog Data Deletion
```bash
# PostHog API - Delete person data
curl -X DELETE https://app.posthog.com/api/person/USER_ID/ \
  -H "Authorization: Bearer YOUR_API_KEY"
# This will:
# - Delete the person profile
# - Anonymize associated events (remove identifiers)
# - Retain aggregated statistics (cannot identify individual)
```
Step 4: Verification
- Confirm deletion in PostHog dashboard
- Verify user no longer appears in person list
- Check events are anonymized
Step 5: Confirmation to User
Template Response:
Subject: Data Erasure Completed - Hello World Co-op DAO
Dear [User],
Your data erasure request has been completed.
Actions taken:
✓ Your consent preference has been removed
✓ PostHog tracking has been disabled for your session
✓ Your person profile in PostHog has been deleted
✓ All identifiable event data has been anonymized
Please note:
- Aggregated statistics (e.g., total page views) may remain but cannot identify you individually
- This process cannot be reversed
- If you visit our website again, you will be asked for consent as a new visitor
Timeline: Completed within [X] days of your request
If you have any questions, please contact privacy@helloworlddao.com.
Best regards,
Privacy Team
Hello World Co-op DAO
Response Time: 30 days maximum, typically 7 days
3. Right to Rectification (GDPR Article 16) ​
User Request: "Correct my analytics data"
Response ​
Analytics data is behavioral and anonymous - there is no personal data to correct.
Template Response:
Subject: Data Rectification Request - Hello World Co-op DAO
Dear [User],
Thank you for your data rectification request under GDPR Article 16.
Our analytics system collects only behavioral data (page views, clicks, session duration) and does not store personally identifiable information such as names, addresses, or contact details.
Since the data collected is anonymous and behavioral, there is no personal information to correct. If you believe specific data points are inaccurate, please provide details and we will investigate.
Alternative actions you may wish to take:
- Request deletion of your analytics data (Right to Erasure)
- Withdraw consent to analytics tracking
- Object to processing
Please let us know how you would like to proceed.
Best regards,
Privacy Team
Hello World Co-op DAO
4. Right to Data Portability (GDPR Article 20)
User Request: "Give me my data in a portable format"
Procedure ​
Same as Right to Access, but export in machine-readable format (JSON or CSV).
JSON Export Format:
```json
{
  "format": "JSON",
  "version": "1.0",
  "exported": "2025-11-15T10:00:00Z",
  "data_controller": "Hello World Co-op DAO",
  "events": [
    {
      "event": "pageview",
      "timestamp": "2025-11-15T10:05:00Z",
      "page": "/",
      "referrer": "https://google.com",
      "browser": "Chrome 120",
      "os": "Windows 10"
    }
  ]
}
```
CSV Export Format:
```csv
event,timestamp,page,referrer,browser,os
pageview,2025-11-15T10:05:00Z,/,https://google.com,Chrome 120,Windows 10
click,2025-11-15T10:06:00Z,/,,"Chrome 120",Windows 10
```
Response Time: 30 days
5. Right to Object (GDPR Article 21) ​
User Request: "I object to analytics tracking"
Procedure ​
Immediate Actions:
- User can object via consent banner "Decline" button
- User can enable Do Not Track in browser
- User can email privacy@helloworlddao.com
Response:
Subject: Objection to Processing - Confirmed
Dear [User],
Your objection to analytics tracking has been recorded.
We have:
✓ Stopped all analytics tracking for your sessions
✓ Marked your consent status as "denied"
✓ Disabled PostHog initialization for your browser
You will not see the consent banner again, and no analytics data will be collected during your future visits.
If you change your mind, you can accept tracking via our Cookie Settings page.
Best regards,
Privacy Team
Hello World Co-op DAO
Response Time: Immediate (automated via consent banner) or 7 days if via email
6. Right to Withdraw Consent (GDPR Article 7(3)) ​
User Request: "I want to withdraw my previous consent"
Procedure ​
Same as Right to Object.
Additional Note: Make clear that withdrawal is just as easy as granting consent.
Template Response:
Subject: Consent Withdrawal - Confirmed
Dear [User],
Your consent withdrawal request has been processed.
Previous consent status: Granted on [timestamp]
New consent status: Denied as of [current timestamp]
We have:
✓ Stopped all analytics tracking
✓ Disabled PostHog for your sessions
✓ Updated our records
Please note: Withdrawing consent does not affect the lawfulness of processing before withdrawal.
Historical data collected while you had given consent may remain in our systems until the 90-day retention period expires, unless you also request erasure.
Would you like us to also delete your historical analytics data? If so, please reply "Yes, delete my data" and we will process a Right to Erasure request.
Best regards,
Privacy Team
Hello World Co-op DAO
7. Right to Restriction of Processing (GDPR Article 18)
User Request: "Temporarily restrict processing my data"
Procedure ​
For analytics, this is similar to objection/withdrawal.
Steps:
- Stop PostHog tracking (same as withdrawal)
- Do NOT delete data (unlike erasure)
- Mark data as "restricted" in records
Response: Within 30 days
Request Tracking & Logging ​
Request Log ​
Maintain a log of all data subject requests:
| Field | Description | Example |
|---|---|---|
| Request ID | Unique identifier | DSR-2025-001 |
| Request Date | When request received | 2025-11-15 |
| Request Type | Type of right exercised | Right to Erasure |
| User Identifier | Email or user ID | user@example.com |
| Status | Current status | Completed |
| Completion Date | When completed | 2025-11-20 |
| Response Sent | Confirmation to user | Yes |
| Notes | Any special circumstances | - |
Compliance Dashboard (TODO) ​
Create internal dashboard tracking:
- Total requests by type
- Average response time
- Overdue requests (>30 days)
- Trends over time
Response Time SLAs ​
| Request Type | Legal Requirement | Internal SLA | Escalation Threshold |
|---|---|---|---|
| Right to Access | 30 days | 14 days | 28 days |
| Right to Erasure | 30 days | 7 days | 28 days |
| Right to Object | Immediate | Immediate | N/A |
| Right to Withdrawal | Immediate | Immediate | N/A |
| Right to Portability | 30 days | 14 days | 28 days |
| Right to Rectification | 30 days | 14 days | 28 days |
| Right to Restriction | 30 days | 14 days | 28 days |
Escalation Process:
- Day 28: Escalate to Legal/Compliance team
- Day 30: Notify user of delay and reason
- Day 60: Involve Data Protection Officer (if applicable)
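The request log fields, internal SLAs and escalation days above, combined into the metrics the planned compliance dashboard lists. This is an added example, not code from the Hello World Co-op DAO code base; the type names, function names and sample log entries are constructed for illustration.

```typescript
// Added example: field names follow the Request Log table; identifiers are illustrative.
type RequestType = 'access' | 'erasure' | 'object' | 'withdrawal' | 'portability' | 'rectification' | 'restriction';
type Escalation = 'none' | 'internal_sla_missed' | 'legal_compliance' | 'notify_user_of_delay' | 'involve_dpo';

interface DsrRecord {
  id: string;              // Request ID, e.g. DSR-2025-001
  type: RequestType;
  requestDate: string;     // YYYY-MM-DD
  completionDate?: string; // absent while the request is still open
}

// Internal SLA in days, from the Response Time SLAs table (0 = immediate).
const INTERNAL_SLA_DAYS: Record<RequestType, number> = {
  access: 14, erasure: 7, object: 0, withdrawal: 0,
  portability: 14, rectification: 14, restriction: 14,
};

// Date-only ISO strings parse as UTC midnight, so the difference is whole days.
const daysBetween = (from: string, to: string): number =>
  Math.floor((Date.parse(to) - Date.parse(from)) / (24 * 60 * 60 * 1000));

// Escalation step that applies to one request as of `today`.
function escalationFor(r: DsrRecord, today: string): Escalation {
  if (r.completionDate) return 'none';
  const age = daysBetween(r.requestDate, today);
  const sla = INTERNAL_SLA_DAYS[r.type];
  if (sla === 0) return age > 0 ? 'internal_sla_missed' : 'none'; // day thresholds are N/A
  if (age >= 60) return 'involve_dpo';
  if (age >= 30) return 'notify_user_of_delay';
  if (age >= 28) return 'legal_compliance';
  return age > sla ? 'internal_sla_missed' : 'none';
}

// Totals by type, average response time of closed requests, open requests older than 30 days.
function dashboard(log: DsrRecord[], today: string) {
  const byType: Partial<Record<RequestType, number>> = {};
  const overdue: string[] = [];
  let closed = 0, totalDays = 0;
  for (const r of log) {
    byType[r.type] = (byType[r.type] ?? 0) + 1;
    if (r.completionDate) { closed++; totalDays += daysBetween(r.requestDate, r.completionDate); }
    else if (daysBetween(r.requestDate, today) > 30) overdue.push(r.id);
  }
  return { byType, avgResponseDays: closed ? totalDays / closed : null, overdue };
}

// Constructed sample log, evaluated as of 2025-11-29.
const SAMPLE_LOG: DsrRecord[] = [
  { id: 'DSR-2025-001', type: 'erasure', requestDate: '2025-11-15', completionDate: '2025-11-20' },
  { id: 'DSR-2025-002', type: 'access', requestDate: '2025-11-01' },
  { id: 'DSR-2025-003', type: 'portability', requestDate: '2025-10-10' },
];
console.log(dashboard(SAMPLE_LOG, '2025-11-29'), SAMPLE_LOG.map(r => escalationFor(r, '2025-11-29')));
```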
Common Scenarios & FAQs ​
Scenario 1: Anonymous User Requests Data ​
Question: "I visited your site last week. What data do you have?"
Response: We cannot identify which analytics events belong to you specifically, as we do not collect identifiable information unless you create an account. We can provide general information about what types of data we collect (see Privacy Policy).
Scenario 2: User Enabled DNT ​
Question: "I have Do Not Track enabled. Do you still collect data?"
Response: No. We honor the Do Not Track setting. If DNT is enabled, our analytics system does not initialize and no data is collected.
Scenario 3: User Wants Partial Deletion ​
Question: "Delete my data from last week, but keep the rest."
Response: Our analytics system does not support partial deletion. We can either:
- Delete all your analytics data (Right to Erasure)
- Keep all your analytics data (no action)
Scenario 4: Request Received via Social Media ​
Process:
- Ask user to submit formal request via email (privacy@helloworlddao.com) for identity verification
- Do not process requests via social media due to identity verification concerns
- Explain this is for their protection
Technical Implementation ​
Consent Withdrawal Flow ​
```typescript
// Frontend implementation
import { denyConsent } from '@/utils/consent';
import { optOutTracking } from '@/init-posthog';
// logConsentEvent is assumed to be provided by the audit-trail module (not shown in this document)

export async function handleConsentWithdrawal(userId: string) {
  // Step 1: Update localStorage
  denyConsent();
  // Step 2: Opt out of PostHog
  optOutTracking();
  // Step 3: Log to audit trail
  await logConsentEvent({
    userId,
    action: 'consent_withdrawn',
    timestamp: new Date().toISOString(),
    source: 'user_request'
  });
  // Step 4: Confirm to user
  return {
    status: 'success',
    message: 'Consent withdrawn successfully'
  };
}
```
Data Erasure Flow
```typescript
// Backend API endpoint (TODO: Implement in Epic 2+)
export async function handleDataErasureRequest(userId: string) {
  // Step 1: Verify identity
  const user = await verifyUserIdentity(userId);
  // Step 2: Delete from PostHog
  await posthogClient.deletePerson(user.posthogId);
  // Step 3: Clear consent data
  await clearUserConsent(userId);
  // Step 4: Log erasure
  await logDataErasure({
    userId,
    timestamp: new Date().toISOString(),
    dataTypes: ['analytics'],
    completedBy: 'system'
  });
  // Step 5: Send confirmation email
  await sendErasureConfirmation(user.email);
  return { status: 'completed' };
}
```
Audit Trail Requirements
What to Log ​
For every data subject request, log:
- Request received date/time
- Request type
- User identifier
- Actions taken
- Completion date/time
- Person who handled request
- Confirmation sent (yes/no)
Retention of Audit Logs ​
- Audit logs: Retained for 3 years (compliance requirement)
- Even if user data is deleted, audit log of deletion request remains
Training & Responsibilities ​
Who Handles Requests ​
| Role | Responsibility | Training Required |
|---|---|---|
| Customer Support | Receive and triage requests | GDPR basics, escalation procedures |
| Privacy Team | Process complex requests | Full GDPR training, technical procedures |
| Engineering | Execute technical deletions | Data architecture, PostHog API |
| Legal/Compliance | Review edge cases | GDPR law, regulatory requirements |
Training Checklist ​
- [ ] GDPR principles and rights
- [ ] Request identification and triage
- [ ] Identity verification procedures
- [ ] Response templates and timelines
- [ ] Escalation procedures
- [ ] Technical tools (PostHog dashboard, APIs)
Review and Updates ​
Review Schedule: Quarterly
Triggers for Update:
- New GDPR guidance from regulators
- Changes to PostHog API or features
- User feedback on process
- Audit findings
Document Owner: Privacy Team Lead (TBD)
Related Resources ​
Internal Documents ​
- /docs/compliance/user-experience/analytics-consent-gdpr-compliance.md
- /docs/compliance/user-experience/privacy-policy-analytics-cookies.md
External Resources ​
Document Status: Active
Last Review: 2025-11-15
Next Review: 2026-02-15 (Quarterly)