[ PORTFOLIO PROTOTYPE · SYNTHETIC DATA ONLY · NO REAL UPLOADS · HUMAN REVIEW REQUIRED ]

DSAR · ARTICLE 15 · SIMULATOR

Turn a synthetic DSAR into an auditable evidence trail.

DataRights Trace is a non-commercial portfolio prototype simulating how GDPR Article 15 access requests move through scoping, disclosure review, redaction, and human-in-the-loop approval — using strictly fictional data.

  • Synthetic data only
  • No real personal data processed
  • No uploads
  • No legal advice
  • No automated final decision
  • Mandatory human review
  • Non-commercial portfolio prototype
  • GDPR Art. 15
  • Human-in-the-loop
  • No uploads, no PII

Synthetic DSAR Case
REF: DSAR-2026-X79
REQUESTER: J. ███████
RECEIVED: 2026-04-12 09:14Z
SCOPE: All processing · since 2024

Redaction Preview
NOTES: ████████████████
THIRD-PARTY: ██████████
SCORE LOGIC: ████████████
REDACTED · 3   REVIEW · 2

Evidence Trail
09:14 Request received · synthetic
09:22 Scope assessed · Art. 15(1)
09:41 Redaction draft · 5 fields

Human Review Gate: LOCKED

Awaiting human authorization — automation drafts, humans decide.

Demo workflow

Walk a fictional DSAR end to end.

Choose a synthetic scenario. The simulator surfaces the access request, the internal dataset, suggested redactions and an evidence trail. Nothing is uploaded. Nothing is sent.

SIMULATOR ONLINE
SANDBOXED

Case file

Loyalty programme — customer profile

Reference: DSAR-2025-0142
Received: 2025-03-04
Request from: Data Subject A (synthetic identity)
Controller (fictional): Example Retail Controller GmbH (fictional)

Legend: Disclosable · Suggested redaction · Needs human review

  • Full name: Data Subject A (example.com) [Disclosable]
  • Loyalty card number: 4412-09-7731 [Disclosable]
  • Purchase history (12 mo.): 47 transactions, EUR 612.40 total [Disclosable]
  • Marketing segment score: Segment B2 · weights w1=0.34, w2=0.52, w3=0.14 [Suggested redaction]
  • Referrer (other customer): Referred by Third Party B, card 3389-71 [Suggested redaction]
  • Service note (CSR draft): “Customer seems frustrated — escalate if she returns.” [Suggested redaction]
  • Fraud flag: Flag F-2 raised 2025-02-11 by risk engine v3 [Needs human review]

Evidence trail · audit log

05 EVENTS · SIMULATED
  1. 2025-03-04 09:12 · Intake bot (simulated)

    Request received and logged

    GDPR Art. 12(3) — one-month clock starts

    hash:3c7066f486da
  2. 2025-03-04 09:18 · Identity check (simulated)

    Subject identity verified against loyalty account

    GDPR Art. 12(6)

    hash:3d7068887c18
  3. 2025-03-05 14:02 · DataRights Trace (simulator)

    7 fields surfaced; 1 review-flag raised

    Internal disclosure policy v2.1

    hash:3e706a187155
  4. 2025-03-05 14:03 · DataRights Trace (simulator)

    Third-party identifier and scoring weights proposed for redaction

    GDPR Art. 15(4); recital 63 (rights of others)

    hash:3f706bac6692
  5. Pending: DPO review

    Approve, amend or reject suggested response

    Mandatory human review

    hash:387060a8b1e5

Human review checklist

00/07

The simulator does not release a response. A qualified human reviewer must confirm each item before any disclosure leaves the organisation.

Safety perimeter

Compliance architecture, enforced as protocol.

Hard boundaries that define the prototype as much as any feature. These are non-negotiable constraints, not toggles.

PROTOCOL.01

NON-COMMERCIAL

Portfolio prototype. Not a product. No pricing, no onboarding, no client work.

PROTOCOL.02

NO REAL DATA

100% fictional scenarios. No uploads. No external systems. No real personal data path exists.

PROTOCOL.03

NO LEGAL ADVICE

Educational only. Controllers must obtain qualified legal counsel.

PROTOCOL.04

NO AUTO-DECISIONS

Automation drafts. Humans decide. The release gate cannot be bypassed.

PROTOCOL.05

NO TELEMETRY

Nothing about the simulated workflow leaves the browser session.

PROTOCOL.06

GDPR REFERENCES

Article and recital citations are illustrative — verify against current text.

Security posture

Minimum attack surface, by design.

This prototype intentionally minimizes attack surface: no uploads, no accounts, no payment flow, no database-backed user records, no real DSAR handling and no real personal data processing inside the simulator.

Security posture shown here is part of the portfolio demonstration and not a certification, audit or guarantee.

POSTURE.01

No backend processing

No backend processing of simulator input. The interactive workflow runs without uploads, accounts, forms, payments or database-backed user records.

POSTURE.02

No accounts

No user account, login or identity layer is created, which materially reduces the attack surface.

POSTURE.03

No persistence

No database, no cookies, no local storage of user input. State lives in memory only.

POSTURE.04

No telemetry

No analytics, no third-party trackers, no external API calls from the simulator.

POSTURE.05

No uploads

There is no file input, no drag-and-drop, no free-text field that accepts personal data.

POSTURE.06

Safe rendering

The simulator does not render user-generated HTML and does not inject user-provided content.

Helmut Auerbach

Mag. iur. · CIPP/E

ROLE: Architect
DOMAIN: EU Privacy / Legal-Tech
LOCATION: Germany / DACH
SIG: verified

About

Architected by Helmut Auerbach, Mag. iur., CIPP/E

Product-Led Privacy · EU Data Protection · Legal-Tech Workflow Design

Austrian-trained jurist (Mag. iur.) and Certified Information Privacy Professional / Europe (CIPP/E). Works at the seam between EU data protection law and product design, with a focus on workflows where compliance has to survive contact with real teams, real systems and real time pressure.

Focus areas

  • EU data protection law (GDPR)
  • Data subject rights & DSAR operations
  • Privacy-by-design product reviews
  • Human-in-the-loop compliance workflows

Privacy Notice

The simulator itself does not collect, store or process user-entered personal data. It does not provide uploads, accounts, forms, payments or database-backed user records. Technical access data may be processed by the hosting provider solely for delivering and securing the website. Client-side error reporting and third-party telemetry are disabled. Fonts are served from the local system; no external font provider is contacted. No real personal data should be entered into this prototype.

Legal Boundary

DataRights Trace is a fictional educational simulator. It must not be used to produce, draft, validate, support or substitute any real Article 15 response. It does not constitute legal advice or a Rechtsdienstleistung within the meaning of the German RDG or equivalent Austrian/Swiss legal-services regulation. Controllers handling real data subject access requests must rely on qualified legal counsel and an authorised internal process.