
Consumer / Data Subject / Data Principal rights response SLA

Primary statement

Rights response SLAs across jurisdictions: GDPR Art 12(3), one month (extendable by two months for complex requests); CCPA 1798.130, 45 days; DPDPA Rule (forthcoming, expect 30-90 days); VCDPA, 45 days; CSA. SLA tracking, identity verification and fulfilment evidence form the operational core.

Audit-fatigue payoff

A unified rights response programme with per-jurisdiction SLA tracking + identity verification + fulfilment workflow satisfies rights SLA requirements across all 5 contributing frameworks.

Strictness matrix

Scope
ALL data subject rights under GDPR Articles 15-22 + CCPA + DPDPA + state law rights. Universal across rights types.
Ceiling source: gdpr:Art.12
Rationale: GDPR Art 12 universal rights scope is the foundational specification.

Threshold
One month from receipt (GDPR). 45 days for CCPA / VCDPA. DPDPA forthcoming. Strictest applicable timeline is the operational SLA.
Ceiling source: gdpr:Art.12
Rationale: GDPR Art 12 one-month is the strictest in the cross-jurisdiction set.

Method
Request portal + identity verification + per-jurisdiction SLA tracking + per-right fulfilment workflow + extension notice where applicable + grievance redressal + integration with CCPA 1798.130 disclosures.
Ceiling source: gdpr:Art.12
Rationale: GDPR Art 12 + CCPA 1798.130 combined are the most prescriptive.

Frequency
Per-request response within applicable SLA. SLA performance review: monthly. Procedure review: annual.
Ceiling source: gdpr:Art.12
Rationale: Per-request SLA with monthly performance review is the cadence.

Evidence
Rights request register with SLA tracking + identity verification records + per-jurisdiction fulfilment + extension notices + monthly SLA performance metrics.
Ceiling source: gdpr:Art.12
Rationale: GDPR Art 12 evidence with SLA tracking is comprehensive.

Auditor test pattern

Step 1: Inspect rights request register.
Step 2: Sample 5 requests; verify SLA met per jurisdiction.
Step 3: For extended requests, verify extension notice.
Step 4: Inspect monthly SLA performance metrics.

Common findings

(1) SLA tracking absent; responses ad-hoc.
(2) Extension notice missing where one month exceeded.
(3) Per-jurisdiction SLA differences ignored.
(4) Identity verification too heavy or too light.