Managed operating model · Early access

One request in. One controlled case, ready for review.

Trace is designed to coordinate the operational work between an incoming GDPR request and the authorised person who must decide the response. For accepted, in-scope pilots, the proposed target is a review-ready pack within 24 hours—not legal closure within a day.

Before work begins

The clock needs a clear starting line.

The proposed target applies after Trace accepts the case, scope and transfer method. A public form submission does not start case processing or create a service commitment.

01 / ACCEPTANCE

Fit is confirmed

Trace first checks request type, urgency, source complexity, reviewer availability and whether the pilot can be delivered responsibly.

02 / SCOPE

The evidence boundary is written down

Sources, identifiers, access paths, exclusions and customer responsibilities are agreed before production data is handled.

03 / AUTHORITY

A decision owner is named

The customer identifies who can approve disclosure, erasure, correction, retention and final response wording.

Product truth: Trace is validating a hands-on pilot operating model. Applying does not guarantee acceptance, a 24-hour outcome or access to automated connectors. Capacity and scope must be confirmed first.

The proposed managed sequence

From inbox to review boundary.

Each stage is designed to leave enough context for the next person to understand what happened, what remains uncertain and where judgement is required.

01

Accept and frame the case

The intended case record would hold the request, the right being exercised, the identity-verification state, controller instructions and the response clock. Ambiguity should become a visible question, not a hidden assumption.

Intake
02

Confirm scope before access

The proposed pilot source map would name the systems, identifiers, access method and known gaps. No connector credential or production data should be submitted through the public application form.

Scoping
03

Retrieve only what was agreed

Evidence would be retrieved through a customer-approved method: a controlled export, manual evidence import or configured least-privilege access where an accepted pilot can support it.

Scoped retrieval
04

Build a source-level record

Available records would be organised by source. Retrieval time, search identifiers, missing systems and collection limits should travel with the case rather than be smoothed over.

Evidence
05

Prepare the review pack

The target pack would contain a case summary, source inventory, evidence package, response draft, exception notes and timestamped activity record. The proposed 24-hour target ends here.

Pack target
06

Keep judgement with authorised people

An authorised reviewer would decide what may be disclosed, corrected, retained, erased or escalated. The intended workflow records that decision; it does not make the legal decision.

Human decision

Two clocks

Operational speed does not replace the legal timetable.

24h

Trace pack target

A proposed service target for an accepted, in-scope request to reach a review-ready state. It covers available evidence, drafting and explicit flags—not final disclosure, erasure or closure.

1mo

General GDPR response period

Controllers generally must act without undue delay and within one month. Circumstances may permit an extension, and “one month” is not simply a fixed 30-day count.

Read the official EDPB timing explanation, European Commission request guidance and GDPR Article 12. Trace does not calculate a legally binding deadline on this public page.

The proposed deliverable

A pack designed for a decision, not another hand-off.

The exact files depend on the right exercised, the agreed scope and what the source systems actually contain. The examples below show the intended structure.

01 / PDF

Case summary

Request type, identity state, scope, target and every unresolved question.

02 / CSV

Source inventory

Systems checked, access method, identifiers used, records found and known gaps.

03 / ZIP

Evidence package

Available requester records arranged by source for authorised inspection.

04 / PDF

Response draft

A structured starting point for the controller—not autonomous legal advice.

05 / PDF

Exception notes

Third-party information, retention questions, uncertainty and missing-source warnings.

06 / JSON

Case timeline

Timestamped activity and decisions. Trace does not claim a cryptographically immutable log.

Clear ownership

Trace prepares. Your authorised people decide.

The operating model is deliberately asymmetric: routine coordination can be managed, while legal and factual judgement stays at a visible human boundary.

Trace · proposed managed work

Structure the case

  • Record intake, scope and identity state
  • Coordinate agreed evidence retrieval or import
  • Build the source inventory and activity record
  • Prepare a response draft and exception notes
  • Flag missing evidence and open decisions
Customer · controller or authorised reviewer

Exercise judgement and authority

  • Confirm the requester and the lawful scope
  • Decide what must be disclosed, corrected or erased
  • Assess third-party rights, exemptions and retention duties
  • Approve final wording and delivery method
  • Own the legal response and relationship with the requester

A controlled first request

Test the operating model on one request.

Apply with your stack and request context. Trace will only propose a pilot after scope, capacity, security and the review boundary can be confirmed.