GDPR & POPIA Implementation Details

Detailed implementation guide for GDPR and POPIA compliance features.

Implementation Status

✅ Implemented Features

User Data Management

  • User profile editing and data access
  • Account deletion functionality
  • Data export capabilities (in progress)
  • Audit logging of data access

Security Measures

  • Encryption in transit (TLS 1.2+)
  • Encryption at rest (via Supabase)
  • Secure authentication (Supabase Auth)
  • Role-based access control (RBAC)
  • Site-level access restrictions (POPIA compliance)

Data Protection

  • Input sanitization and validation
  • SQL injection prevention
  • XSS protection
  • CSRF protection
  • Secure session management

🚧 In Progress

Data Export

  • JSON export of user data
  • CSV export functionality
  • Scheduled export delivery

Consent Management

  • Cookie consent banner
  • Marketing consent management
  • Granular consent controls

📋 Planned

Advanced Features

  • Data processing activity register
  • Privacy impact assessments
  • Automated compliance reporting
  • Data subject request portal

Technical Implementation

Site Access Restrictions (POPIA)

The application implements site-level access restrictions so that users only see data they are authorized to access:

    // SiteAccessContext ensures data filtering before rendering
    // Prevents POPIA violations where unauthorized data could flash on screen

Key Components:

  • SiteAccessContext: Manages user's site-level access
  • SiteAccessGuard: Prevents rendering until access is loaded
  • API-level filtering: Server-side data filtering

Data Minimization

Implemented:

  • Only necessary data fields collected
  • Optional fields clearly marked
  • Regular data cleanup of unused accounts

Example:

    // User profile only collects necessary information
    interface UserProfile {
      email: string;   // Required for authentication
      name: string;    // Required for display
      phone?: string;  // Optional
      avatar?: string; // Optional
    }

Right to Erasure

Implementation:

  1. User requests account deletion
  2. System marks account for deletion
  3. Data anonymized within 24 hours
  4. Permanent deletion within 30 days
  5. Confirmation sent to user

Code Location:

  • frontend/app/api/users/delete/route.ts
  • frontend/app/dashboard/profile/page.tsx

Audit Logging

All data access and modifications are logged:

Logged Events:

  • User login/logout
  • Data access (sites, sensors)
  • Profile modifications
  • Account deletions
  • Administrative actions

Log Format:

    {
      "timestamp": "2024-01-01T00:00:00Z",
      "user_id": "user-uuid",
      "action": "data_access",
      "resource": "sites",
      "ip_address": "192.168.1.1",
      "user_agent": "Mozilla/5.0..."
    }

Data Flow

User Registration

  1. User provides email and password
  2. Email verification required
  3. Consent obtained for terms of service
  4. Account created in Supabase
  5. Initial profile data stored

Data Access

  1. User authenticates
  2. Site access permissions loaded
  3. Data filtered by permissions
  4. Access logged for audit
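The data access flow above, combined with the site-level filtering and the audit log format described earlier, as an added TypeScript example that is not the project's own code. The SiteAccess, Site, RequestContext and readSites names are assumptions; the point shown is that filtering happens server-side and fails closed while access is still loading.

```typescript
// Added example (not the project's code). Hypothetical types modelling
// SiteAccessContext state and the page's audit log format.
interface SiteAccess {
  userId: string;
  allowedSiteIds: Set<string>;
  loaded: boolean; // SiteAccessGuard semantics: nothing is served until true
}

interface Site {
  id: string;
  name: string;
}

interface AuditEntry {
  timestamp: string;
  user_id: string;
  action: "data_access";
  resource: "sites";
  ip_address: string;
  user_agent: string;
}

interface RequestContext {
  ip: string;
  userAgent: string;
  now: Date; // injected so the audit timestamp is deterministic in tests
}

// Filters rows server-side so unauthorized sites never reach the client
// (no "flash on screen"), and returns the audit record to persist with
// the response. Fails closed: unloaded access yields no data and no entry.
function readSites(
  access: SiteAccess,
  rows: readonly Site[],
  ctx: RequestContext,
): { data: Site[]; audit: AuditEntry | null } {
  if (!access.loaded) {
    return { data: [], audit: null };
  }
  const data = rows.filter((s) => access.allowedSiteIds.has(s.id));
  const audit: AuditEntry = {
    timestamp: ctx.now.toISOString(),
    user_id: access.userId,
    action: "data_access",
    resource: "sites",
    ip_address: ctx.ip,
    user_agent: ctx.userAgent,
  };
  return { data, audit };
}
```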

Data Deletion

  1. User requests deletion
  2. Account marked as deleted
  3. Personal data anonymized
  4. Monitoring data retained per policy
  5. Confirmation sent
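The anonymization step of the Right to Erasure and Data Deletion flows above, as an added TypeScript example that is not the project's own code. It assumes the page's UserProfile carries a stable id (so retained monitoring data stays linkable without personal data) and uses the page's 24-hour and 30-day deadlines; the anonymizeProfile and containsPersonalData names are hypothetical.

```typescript
// Added example (not the project's code). Replaces personal fields with
// placeholders and computes the erasure deadlines from the request time.
interface UserProfile {
  id: string; // assumed stable identifier, retained for monitoring-data joins
  email: string;
  name: string;
  phone?: string;
  avatar?: string;
}

interface ErasureRecord {
  profile: UserProfile; // anonymized copy
  status: "pending_deletion";
  requestedAt: string;
  anonymizeBy: string; // requestedAt + 24 hours (page policy)
  purgeAt: string;     // requestedAt + 30 days (page policy)
}

const HOUR_MS = 60 * 60 * 1000;
const DAY_MS = 24 * HOUR_MS;

function anonymizeProfile(profile: UserProfile, requestedAt: Date): ErasureRecord {
  // Optional fields are dropped entirely rather than blanked; the email
  // uses the reserved .invalid TLD so it can never be delivered.
  const anonymized: UserProfile = {
    id: profile.id,
    email: `deleted-${profile.id}@example.invalid`,
    name: "Deleted User",
  };
  return {
    profile: anonymized,
    status: "pending_deletion",
    requestedAt: requestedAt.toISOString(),
    anonymizeBy: new Date(requestedAt.getTime() + 24 * HOUR_MS).toISOString(),
    purgeAt: new Date(requestedAt.getTime() + 30 * DAY_MS).toISOString(),
  };
}

// Check before sending the confirmation: no original personal value may
// survive anywhere in the anonymized record.
function containsPersonalData(original: UserProfile, anonymized: UserProfile): boolean {
  const values = [original.email, original.name, original.phone, original.avatar]
    .filter((v): v is string => typeof v === "string" && v.length > 0);
  const serialized = JSON.stringify(anonymized);
  return values.some((v) => serialized.includes(v));
}
```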

Security Measures

Encryption

  • In Transit: TLS 1.2+ for all connections
  • At Rest: Database encryption via Supabase
  • Passwords: Hashed using bcrypt (via Supabase)

Access Controls

  • Authentication: Supabase Auth with MFA support
  • Authorization: Role-based access control
  • Site Access: Domain-based restrictions (POPIA)

Input Validation

  • Server-side validation on all inputs
  • SQL injection prevention (parameterized queries)
  • XSS prevention (input sanitization)
  • CSRF protection (tokens)

Compliance Checklist

GDPR Requirements

  • Right to access
  • Right to erasure
  • Right to portability (in progress)
  • Right to rectification
  • Data minimization
  • Purpose limitation
  • Storage limitation
  • Security safeguards
  • Breach notification procedures
  • Data protection officer (if required)

POPIA Requirements

  • Information officer designated
  • Data subject rights implemented
  • Lawful processing conditions
  • Security safeguards
  • Data breach procedures
  • Site-level access restrictions
  • POPIA-specific consent management (in progress)

User Rights Exercise

How to Exercise Rights

Access Your Data

  1. Log in to your account
  2. Navigate to Profile settings
  3. View all stored information
  4. Request export if needed

Correct Your Data

  1. Go to Profile settings
  2. Edit any information
  3. Save changes
  4. Changes are logged

Delete Your Account

  1. Go to Profile settings
  2. Click "Delete Account"
  3. Confirm deletion
  4. Receive confirmation email

Object to Processing

  1. Contact support
  2. Specify objection
  3. Review and response within 30 days

Contact

For data protection inquiries:

  • Email: privacy@example.com
  • Support: Available through application
  • Response Time: Within 30 days as required by law