European Union · GDPR & AI Act
GDPR data-subject rights and the EU AI Act, in one platform
AccessPoint runs GDPR access, rectification, breach notification, and data protection impact assessments — and assesses AI systems against the EU AI Act — pre-configured for your supervisory authority and running inside your own Microsoft 365 tenant.
European Union — GDPR at a glance
- Response deadline
- One month from receipt (Article 12(3))
- Extensions
- Up to two further months for complex or numerous requests, with notice to the data subject within the first month
- Fee
- First copy free; a reasonable fee for further copies or manifestly unfounded or excessive requests (Articles 12(5), 15(3))
- Breach notification
- To the supervisory authority without undue delay, within 72 hours where feasible (Article 33)
- Impact assessments
- DPIA required for processing likely to result in a high risk (Article 35)
- Oversight
- Your national supervisory authority (tenant-configured); European Data Protection Board coordination
- Languages
- Configurable to any EU official language
Built for European Union — GDPR
One platform for the whole access-and-privacy mandate, pre-configured for this regime and running in your own Microsoft 365 tenant.
GDPR data-subject rights
Run access (Article 15), rectification (Article 16), erasure, restriction, and portability on the one-month clock — with the two-month extension, identity checks, and third-party redaction — all built on Microsoft 365.
Data protection impact assessments
Run the DPIA required by Article 35 before high-risk processing begins — a guided questionnaire with screeners, an embedded risk register, and a defensible, exportable record.
EU AI Act assessments
Assess AI systems against the risk tiers of Regulation (EU) 2024/1689 using the same engine that runs your DPIAs — scored, reviewed, and captured on an audit trail as the Act's obligations phase in.
72-hour breach notification
Log a personal data breach, assess the risk to rights and freedoms, and get a live checklist of what must reach the supervisory authority within 72 hours (Article 33) and the individuals affected (Article 34).
Article 30 records of processing
Every assessment attaches to a durable privacy subject carrying its Article 30 record — lawful basis, data-subject and recipient categories, retention, safeguards, and cross-border transfers — exportable as a full ROPA register.
In your own tenant
Every request, assessment, and record stays inside your own Microsoft 365 and Azure tenant — no third-party cloud, no vendor access, and no onward transfer of your data.
Data-subject rights meet the AI Act
The GDPR gives individuals rights over their data. The AI Act governs the systems that process it. AccessPoint runs both.
Under the GDPR, individuals can ask what personal data you hold and have it corrected, and you must report serious breaches within 72 hours and assess high-risk processing before it begins. The EU AI Act now layers a risk-based regime on top — prohibited practices since 2 February 2025, obligations for general-purpose AI models since 2 August 2025, and most high-risk-system duties from 2 August 2026. AccessPoint runs data-subject requests, DPIAs, breach response, and AI Act assessments on one governed platform, in your own tenant, so privacy and responsible-AI governance live in the same system.
Configured out of the box
Installing the eu-gdpr configuration pack seeds your tenant with everything this regime needs — a starting point you can adjust, not a lock-in.
Related guide: FOI Workflow Quick Check- The GDPR (Regulation (EU) 2016/679) as the legal-authority and citation spine
- The Article 12 one-month rights clock with the two-month extension rule
- Data-subject request types — access, rectification, erasure, restriction, portability, objection
- First-copy-free fee handling with the manifestly-unfounded-or-excessive exception
- Article 33 and 34 breach-notification rules on the 72-hour clock
- Article 35 DPIA questionnaires and the Article 30 ROPA register
- EU AI Act assessment templates aligned to the Regulation's risk tiers
- A tenant-configurable supervisory-authority and complaint workflow
- Correspondence templates configurable to any EU official language
European Union — GDPR Questions
How does AccessPoint handle the GDPR one-month response deadline?
Can it run DPIAs and EU AI Act assessments?
Which supervisory authority does it use?
Where does personal data reside?
Run GDPR Rights, DPIAs, and the AI Act in One Platform
Try AccessPoint free for 30 days, pre-configured for the GDPR. No credit card required.
Start Free Trial