Coming soon

GDPR compliance without mountains of paperwork and external consultants on permanent retainer

Manage data protection policies with versioning and staff acceptance records, handle data subject access requests with automatic 30-day deadlines under Art. 12 GDPR, maintain your record of processing activities under Art. 30 and keep your DPIA status in view. GDPR-compliant, EU-hosted in Nuremberg, multi-tenant isolated on Postgres with Row-Level Security. 49 euros per user per month all-in, no per-module licence costs.

What GDPR Compliance does

Policy management with version control and acceptance proof
Manage data protection policies, acceptable-use policies, data processing agreements and internal directives with full version control. Every new version is immediately active and triggers an acceptance workflow: staff must confirm the new version exactly once, and the acceptance record contains a timestamp, IP address and device hash as proof. The system prevents duplicate confirmations and shows, per policy and version, who has confirmed and who is still outstanding. For a data protection audit you export acceptance records for all policies as PDF at the press of a button. Policies are archived with soft-delete; the version history remains fully preserved. The built-in AI helper can suggest structural templates on request; the legal wording and final text are reviewed by your data protection officer.
Data subject requests with automatic 30-day deadline under Art. 12 GDPR
Data subject access requests (DSAR: access, rectification, erasure, restriction, portability) are captured in a structured form with name, email, request type and receipt date. The 30-day response deadline under Art. 12 GDPR is set automatically by the database based on the receipt date; no manual calculation is required. The module shows open requests sorted by due date, with overdue requests highlighted in colour. Internal notes and status transitions (open, in progress, completed, rejected) are recorded in the workflow and are fully traceable. Per request you can trigger a data export job that compiles the data subject's relevant data from the system. All steps are recorded in the audit trail, making requests from supervisory authorities fully documented.
Record of processing activities under Art. 30 GDPR
The record of processing activities (RoPA) is pre-structured per module: for each processing activity, purpose, legal basis, categories of data subjects, data categories, recipients, third-country transfers and retention periods are recorded. Entries are editable and versioned on change. Because each processing activity is created exactly once per module and uniquely identified by a RoPA code, there are no duplications and no inconsistencies between module documentation and the record. At the press of a button you export the complete record as PDF or CSV for your supervisory authority or for external data protection audits. The change history documents who edited which entry and when; the audit trail is complete.
DPIA overview from the ISMS module in real time
Data protection impact assessments (DPIA under Art. 35 GDPR) are created and maintained in the ISMS module. The compliance module mirrors this status as a read-only view: you see process name, data categories, purposes, legal basis, risk level and approval status of all DPIAs at a glance. No dual maintenance, no export-import back and forth. When a DPIA is set to 'approved' in the ISMS, the status is immediately visible in the compliance module. This central view helps data protection officers quickly assess the overall status of DPIA obligations without switching between modules. Write access to DPIA entries is exclusively in the ISMS module, which rules out accidental changes in the compliance context.
Hard multi-tenant isolation and audit-ready data structure
All compliance data is strictly separated by tenant: Row-Level Security at the Postgres level ensures that no record of one tenant is visible to another. The account ID comes exclusively from the JWT claim, not from client parameters, and mass assignment is excluded at schema level. Policy acceptances are additionally protected at the structural level by a composite foreign key: a cross-tenant acceptance is technically impossible and raises a database error. Soft-delete preserves all records in the audit trail, so deleted policies and requests are fully reconstructable. For data protection audits by supervisory authorities or DPOs the entire compliance dataset, with timestamps, user IDs and status histories, is ready for export.
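
The isolation pattern described above, written out as PostgreSQL DDL. This is an added example, not the product's actual schema: the table and column names, the `app.account_id` session setting and the API layer that verifies the JWT before binding the tenant are all assumptions.

```sql
-- Added illustration; every table, column and setting name here is hypothetical.
CREATE TABLE policy (
    account_id uuid NOT NULL,
    policy_id  uuid NOT NULL DEFAULT gen_random_uuid(),
    version    integer NOT NULL,
    title      text NOT NULL,
    deleted_at timestamptz,                 -- soft-delete marker; rows are never removed
    PRIMARY KEY (policy_id),
    UNIQUE (account_id, policy_id)          -- target of the composite foreign key
);

CREATE TABLE policy_acceptance (
    account_id  uuid NOT NULL,
    policy_id   uuid NOT NULL,
    version     integer NOT NULL,
    user_id     uuid NOT NULL,
    accepted_at timestamptz NOT NULL DEFAULT now(),
    ip_address  inet NOT NULL,
    device_hash text NOT NULL,
    -- Foreign-key checks bypass row security, so the tenant column is part of
    -- the key: an acceptance can only reference a policy of its own tenant.
    FOREIGN KEY (account_id, policy_id) REFERENCES policy (account_id, policy_id),
    UNIQUE (policy_id, version, user_id)    -- one confirmation per user and version
);

-- FORCE applies the policies to the table owner too; superusers and roles
-- with BYPASSRLS are still exempt, so the application must not connect as one.
ALTER TABLE policy            ENABLE ROW LEVEL SECURITY;
ALTER TABLE policy            FORCE  ROW LEVEL SECURITY;
ALTER TABLE policy_acceptance ENABLE ROW LEVEL SECURITY;
ALTER TABLE policy_acceptance FORCE  ROW LEVEL SECURITY;

-- current_setting() without missing_ok raises an error when the setting is
-- absent, so a request that arrives without a tenant fails closed.
CREATE POLICY tenant_isolation ON policy
    USING      (account_id = current_setting('app.account_id')::uuid)
    WITH CHECK (account_id = current_setting('app.account_id')::uuid);
CREATE POLICY tenant_isolation ON policy_acceptance
    USING      (account_id = current_setting('app.account_id')::uuid)
    WITH CHECK (account_id = current_setting('app.account_id')::uuid);

-- Per request (assumed API layer): after verifying the JWT signature, bind the
-- tenant from its claim for this transaction only, never from request parameters.
BEGIN;
SELECT set_config('app.account_id', '00000000-0000-0000-0000-00000000000a', true);
-- Constructed id. WITH CHECK pins account_id on new rows to this tenant, and the
-- composite key then rejects any policy_id that belongs to a different tenant.
COMMIT;
```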
Structured compliance status at a glance
The compliance module dashboard shows at a glance where action is needed: how many policies are active and still have outstanding acceptances? How many data subject requests are open and which expire in fewer than 7 days? How many RoPA entries are fully maintained? The built-in AI helper answers questions about GDPR compliance status directly in the chat, for example 'Which policies have not yet received all confirmations?' or 'Which DSAR requests are overdue?'. All tables offer filtering by status, type and search term as well as pagination for large datasets. Results are directly exportable without external tools; the data protection officer does not need system access for periodic reports.

Who uses this module

CEO
Your data protection officer is on holiday and a supervisory authority announces an inspection for the day after tomorrow. You open the compliance module and export at the press of a button the complete record of processing activities under Art. 30 as PDF, the acceptance records for all data protection policies for the last three years with timestamp and IP, and the status of all data subject requests including deadline compliance. The built-in AI helper answers in the chat 'Are there any open DSAR requests that have exceeded the 30-day deadline?' and lists the cases. The compliance module does not cost any external consultant hours for compiling these documents: that is included in 49 euros per user per month all-in. DPIA status from the ISMS module is also in view, without you having to switch between two systems.
Team lead
As data protection officer or compliance manager you maintain policies, track data subject requests and keep the record of processing activities current, all in one module instead of Excel spreadsheets and email folders. When a new data protection policy comes into force, you create a new version and start the acceptance workflow: the system shows you daily who has not yet confirmed. When a data subject request comes in, you record name, type and receipt date, and the 30-day deadline is set automatically. You see in the dashboard which requests are about to become deadline violations before it happens. At the annual management review you print the compliance status report from the module: how many policies, how many acceptances, how many DSAR requests completed, no manual gathering from spreadsheets.
Employee
You receive a reminder by email: the company's data protection policy has been updated to version 2.1 and you need to confirm it. You click the link, see the current version of the policy directly in the DARION AI module and confirm with one click. The timestamp, your IP address and a device hash are saved as an acceptance record, and duplicate confirmations are not possible. That is it. You do not need to sign a paper, reply to an email or open a separate tool. Your organisation now has an audit-proof record that you have acknowledged the policy in its current version, which is legally relevant in the event of a data protection incident or internal audit.

Connects with

Microsoft 365, Outlook, Google Workspace
