Compliance & Data Protection
The Compliance section covers GDPR/DSGVO data protection obligations and the compliance monitoring tools available to compliance officers.
Compliance Dashboard
The compliance dashboard shows your club's real-time regulatory status. See Dashboard for details on the 9-panel overview.
Audit Log
The audit log records every data-changing action taken by any staff member.
To access the audit log:
- Go to Compliance → Audit Log.
- Use the filters to narrow by date, table, event type, or actor.
The audit log is immutable — no one can modify or delete entries. It covers changes to 12 critical tables including members, roles, dispensing events, and compliance records.
Breach Incidents
Use the Breach Incidents module to manage GDPR data breaches (Art. 33 GDPR).
Key deadlines
| Deadline | Action required |
|---|---|
| T+8h | Internal management notification (automatic alert) |
| T+72h | Report to supervisory authority (Art. 33 GDPR) |
| T+30 days | Notify affected individuals if required (Art. 34 GDPR) |
To register a breach:
- Go to Compliance → Breach Incidents.
- Click Report Breach.
- Fill in: discovery date/time, description, data categories affected, estimated number of individuals.
- Save.
CANNEVO tracks both the T+8h and T+72h clocks automatically, with escalation alerts as deadlines approach.
DSAR Requests
Data Subject Access Requests (DSARs) must be handled within 30 days of receipt.
Request types
| Type | GDPR Article | Action |
|---|---|---|
| Access | Art. 15 | Generate data export for the member |
| Erasure | Art. 17 | Check what can be deleted vs. legally required to retain |
| Portability | Art. 20 | Generate machine-readable export |
| Restriction | Art. 18 | Flag record for processing restriction |
To register a DSAR:
- Go to Compliance → DSARs.
- Click New Request.
- Select request type and enter member details.
- Save — the 30-day deadline is set automatically.
Deadline extension: In complex cases, the deadline can be extended by 60 days. Click Extend Deadline and provide a justification.
Members with open DSARs
Members with an open DSAR are automatically excluded from retention archival until the request is resolved. This prevents data being deleted while a data access request is pending.
Break-Glass Access
Support staff from CANNEVO may occasionally need temporary elevated access to diagnose issues. This is managed via the break-glass access system:
- Maximum duration: 2 hours
- Requires explicit approval from a tenant_admin user
- All actions during break-glass access are fully audited
- Access is automatically revoked when the grant expires
To review break-glass grants:
- Go to Compliance → Break-Glass (or Settings → Security).
- Approve or revoke pending grants.
- View the audit trail for any completed break-glass sessions.
Data Protection Configuration
Go to Settings → Config to:
- View and accept the Data Processing Agreement (DPA)
- Check DPA acceptance status
- View your sub-processor list