European Union · GDPR & AI Act

GDPR data-subject rights and the EU AI Act, in one platform

AccessPoint runs GDPR access, rectification, breach notification, and data protection impact assessments — and assesses AI systems against the EU AI Act — pre-configured for your supervisory authority and running inside your own Microsoft 365 tenant.

European Union — GDPR at a glance

Response deadline
One month from receipt (Article 12(3))
Extensions
Up to two further months for complex or numerous requests, with notice to the data subject within the first month
Fee
First copy free; a reasonable fee for further copies or manifestly unfounded or excessive requests (Articles 12(5), 15(3))
Breach notification
To the supervisory authority without undue delay, within 72 hours where feasible (Article 33)
Impact assessments
DPIA required for processing likely to result in a high risk (Article 35)
Oversight
Your national supervisory authority (tenant-configured); European Data Protection Board coordination
Languages
Configurable to any EU official language

Built for European Union — GDPR

One platform for the whole access-and-privacy mandate, pre-configured for this regime and running in your own Microsoft 365 tenant.

GDPR data-subject rights

Run access (Article 15), rectification (Article 16), erasure, restriction, and portability on the one-month clock — with the two-month extension, identity checks, and third-party redaction — all built on Microsoft 365.

Data protection impact assessments

Run the DPIA required by Article 35 before high-risk processing begins — a guided questionnaire with screeners, an embedded risk register, and a defensible, exportable record.

EU AI Act assessments

Assess AI systems against the risk tiers of Regulation (EU) 2024/1689 using the same engine that runs your DPIAs — scored, reviewed, and captured on an audit trail as the Act's obligations phase in.

72-hour breach notification

Log a personal data breach, assess the risk to rights and freedoms, and get a live checklist of what must reach the supervisory authority within 72 hours (Article 33) and the individuals affected (Article 34).

Article 30 records of processing

Every assessment attaches to a durable privacy subject carrying its Article 30 record — lawful basis, data-subject and recipient categories, retention, safeguards, and cross-border transfers — exportable as a full ROPA register.

In your own tenant

Every request, assessment, and record stays inside your own Microsoft 365 and Azure tenant — no third-party cloud, no vendor access, and no onward transfer of your data.

Data-subject rights meet the AI Act

The GDPR gives individuals rights over their data. The AI Act governs the systems that process it. AccessPoint runs both.

Under the GDPR, individuals can ask what personal data you hold and have it corrected, and you must report serious breaches within 72 hours and assess high-risk processing before it begins. The EU AI Act now layers a risk-based regime on top — prohibited practices since 2 February 2025, obligations for general-purpose AI models since 2 August 2025, and most high-risk-system duties from 2 August 2026. AccessPoint runs data-subject requests, DPIAs, breach response, and AI Act assessments on one governed platform, in your own tenant, so privacy and responsible-AI governance live in the same system.

DPIAs on demand Article 35 assessments with screeners, a risk register, and an exportable record.
AI Act tiering Assess AI systems against the Regulation's risk categories, scored and reviewed.
The 72-hour clock A live breach checklist computed for your supervisory authority and data subjects.

Configured out of the box

Installing the eu-gdpr configuration pack seeds your tenant with everything this regime needs — a starting point you can adjust, not a lock-in.

Related guide: FOI Workflow Quick Check
  • The GDPR (Regulation (EU) 2016/679) as the legal-authority and citation spine
  • The Article 12 one-month rights clock with the two-month extension rule
  • Data-subject request types — access, rectification, erasure, restriction, portability, objection
  • First-copy-free fee handling with the manifestly-unfounded-or-excessive exception
  • Article 33 and 34 breach-notification rules on the 72-hour clock
  • Article 35 DPIA questionnaires and the Article 30 ROPA register
  • EU AI Act assessment templates aligned to the Regulation's risk tiers
  • A tenant-configurable supervisory-authority and complaint workflow
  • Correspondence templates configurable to any EU official language

European Union — GDPR Questions

How does AccessPoint handle the GDPR one-month response deadline?

Article 12(3) requires controllers to respond to a data-subject request without undue delay and in any event within one month of receipt, extendable by two further months for complex or numerous requests provided the data subject is told within the first month. AccessPoint calculates the clock, tracks the extension, and drives the access (Article 15) and rectification (Article 16) workflow to a defensible close with a full audit trail.

Can it run DPIAs and EU AI Act assessments?

Yes. The assessment engine runs Article 35 DPIAs for high-risk processing and assesses AI systems against the risk tiers of the EU AI Act (Regulation (EU) 2024/1689) — the same screeners, embedded risk register, review, and audit trail, on one platform.

Which supervisory authority does it use?

The GDPR is enforced by each member state's own independent supervisory authority, coordinated by the European Data Protection Board. AccessPoint is configured to your authority, and its complaint and breach workflows reflect that authority's process — set once per tenant.

Where does personal data reside?

Entirely within your own Microsoft 365 and Azure tenant. Requests, documents, assessments, and audit history never leave your control — no third-party cloud, no vendor access, and no onward transfer of your data.

Run GDPR Rights, DPIAs, and the AI Act in One Platform

Try AccessPoint free for 30 days, pre-configured for the GDPR. No credit card required.

Start Free Trial