Document: Procedure for handling Data Subject Access Requests (DSAR) Data controller:Amanecer Austral SpAVersion:1.0.0(semver — initial 1.0.0) Last updated:28 May 2026Next review:{{nextReview}}Official language: Spanish (LATAM). EN/PT/DE translations under the regime of Art. 50(4) AI Act — see the AI Use Disclosure. Related documents: Privacy Policy, Cookie Policy, Data Retention Policy. Public page:https://amaneceraustral.com/legales/derechos-del-titular
Table of Contents
- Purpose and Scope
- Data Subject Rights (ARCOPOL+)
- Standing: Who May Exercise
- Channels for Exercise
- Identity Verification
- Response Timeframes by Jurisdiction
- No Charge and Exceptions
- Internal Operational Workflow
- Response Templates by Right
- Portability: Format and Scope
- Erasure vs Anonymisation
- Restriction of Processing
- Reasoned Refusal and Complaint Routes
- Supervisory Authorities
- Evidence Retention
- Technical Implementation Notes
- Cited Sources
- Version History
1. Purpose and Scope
This document describes, for internal operational use and as transparent information to the data subject, the procedure by which Amanecer Austral SpA (hereinafter the "Controller") handles requests for the exercise of personal data rights. The procedure applies to all personal data processed by the Controller, regardless of the collection channel (web forms, email, visit scheduling, telephone contact, in-person communications).
The procedure is designed to simultaneously comply with:
- Regulation (EU) 2016/679 — GDPR and UK GDPR.
- Law 19.628 (Chile) on protection of private life (in force until 12 December 2026).
- Law 21.719 (Chile) on personal data protection (published 13 December 2024, in force 13 December 2026).
The internal Privacy Officer of Amanecer Austral SpA is Urzula Velásquez (Encargada de Privacidad interina). The function is performed with the limited scope described in Privacy Policy §2.1, with binding outsourcing plan upon reaching the objective thresholds.
2. Data Subject Rights (ARCOPOL+)
| Right | Operational definition | GDPR | Law 19.628 | Law 21.719 | | --------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------- | ----------------- | ----------- | | Access | Obtain confirmation whether data are being processed and, where so, a copy and detailed information (purposes, categories, recipients, periods, rights, source, automated decisions, international transfers). | Art. 15 | Art. 12 | Art. 16 | | Rectification | Correct inaccurate or incomplete data. | Art. 16 | Art. 12 | Art. 17 | | Erasure / Cancellation ("right to be forgotten") | Delete data where they are no longer necessary, consent is withdrawn without other basis, processed unlawfully, etc. | Art. 17 | Art. 12 | Art. 18 | | Objection | Object to processing based on legitimate interest or public interest, and at all times to direct marketing. | Art. 21 | Art. 12 | Art. 19 | | Portability | Receive the data in a structured, commonly used and machine-readable format, and transmit them to another controller. | Art. 20 | — (no equivalent) | Art. 20 | | Restriction | Restrict processing (stored but not used) while a contestation is verified. | Art. 18 | — | Art. 21 | | Withdrawal of consent | Revoke prior consents, without retroactive effect on prior lawfulness. | Art. 7(3) | — (implicit) | Art. 14 | | Not to be subject to automated decisions with significant effects | Obtain human intervention, express view, contest. | Art. 22 | — | Art. 22 | | Lodge a complaint with authority | File complaint. | Art. 77 | Art. 16 | Art. 46 ff. | | Compensation | Right to compensation for material or non-material damage. | Art. 82 | — | Art. 49 |
Note: the Controller does not take automated decisions producing legal or similarly significant effects on the data subject (see Privacy Policy §15 and AI Use Disclosure §6). Therefore, the right of Art. 22 GDPR has no usual practical application, without prejudice to its formal recognition.
3. Standing: Who May Exercise
In accordance with GDPR and Art. 17 of Law 21.719, the following persons may exercise rights:
- The data subject directly.
- Their legal representative accredited by notarial power (in Chile, public deed or private instrument authorised before a notary; in the EU, in accordance with applicable national law).
- The heirs of the deceased data subject evidencing effective possession or equivalent — Art. 17 Law 21.719 expressly recognises this post-mortem right in Chile; GDPR leaves it to national law (Recital 27 GDPR).
- Legal guardians in case of minors or incapacitated persons, with qualified accreditation of the link (see Privacy Policy §14.4).
4. Channels for Exercise
| Channel | Detail | | ------------ | ----------------------------------------------------------------------------------------------------------------------------------- | | Web form | https://amaneceraustral.com/legales/derechos-del-titular — form typed per right, with optional upload of authority/accreditation. | | Email | privacidad@amaneceraustral.com | | Postal | [POR CONFIRMAR — Urzula completa este dato en /admin/ajustes/legal/empresa], FAO — Privacy Officer. |
We do not require a single channel: any of the above is valid. Nor do we require our own form: the data subject may use any means (free letter, simple email) provided it contains the minimum to identify the request.
5. Identity Verification
Verification is proportionate to risk in accordance with EDPB Guidelines 01/2022 on the right of access (v2.0, 28 March 2023) §§ 65-78 and the minimisation principle of Art. 5(1)(c) GDPR.
5.1 Standard procedure (low or medium risk)
- The request must originate from the registered email in our systems (the "email" channel) or the form must include a verifiable data point (e.g. approximate date of prior contact,
propertyIdconsulted, name of the agent who attended). - Cross-check against
leads.email,lead_activities,visits. Successful match → verification completed.
5.2 Enhanced verification (high risk) — two-track
Only where reasonable indicia of doubt exist (e.g. request from email distinct from the registered one, inconsistent verifiable data point, large-volume portability request), we will ask the data subject for one of the following two tracks at their choice (EDPB Guidelines 01/2022 §§ 65-72):
- (a) Selfie holding identity document with sensitive data covered (partial RUT/national ID, date of birth covered; only name and photo visible); or
- (b) Partial copy of the document (name and issue date visible; rest redacted).
We will not require a full copy of passport/ID save strict necessity and prior justification to the data subject. We also accept, as alternative, confirmation by alternative channel (return call to the registered telephone).
5.3 Third-party requests
- Legal representative: original notarial power or authorised copy.
- Heir: registered effective possession (Chile) or equivalent certificate.
- Guardian: judicial decision in force evidencing the guardianship.
6. Response Timeframes by Jurisdiction
Binding table. The figures here are the only applicable; any deviation in another document of the package is resolved in favour of this table.
| Regime | Acknowledgement | Substantive response | Extension | Lawful basis | | --------------------------------------------------- | -------------------------------- | -------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------- | ----------------------------------------------- | | GDPR / EEA (EU data subject) | {{ackHours}} (5 calendar days) | 1 month from the request | Up to 2 additional months with reasoned notification to the data subject within the first month | Art. 12(3) GDPR | | UK GDPR (UK data subject) | 5 calendar days | 1 month from the request | Up to 2 additional months with reasoned notification | Art. 12(3) UK GDPR; Data Protection Act 2018 | | Chile — Law 19.628 (in force until 12 Dec 2026) | 2 business days (Art. 16) | 20 calendar days from the request | Not expressly provided — negative silence enables judicial habeas data | Art. 16 Law 19.628 | | Chile — Law 21.719 (from 13 Dec 2026) | 5 calendar days | Aligned with GDPR: 1 month, extendable pending regulatory confirmation | Up to 2 additional months | Law 21.719 (published text); regulation pending | | Other data subjects (outside EU/CL/UK) | 5 calendar days | Apply the regime most favourable to the data subject among those known | — | Good faith + Art. 6(1)(f) GDPR by analogy |
6.1 Rule of concurrence of regimes
Where a data subject is subject to multiple regimes (e.g. EU resident with Chilean nationality), the regime most favourable to the data subject is applied on a point-by-point basis: shortest response period, broadest gratuity, most extensive rights.
6.2 Computation and suspension
The substantive period's computation begins with the effective receipt of the request by any enabled channel (§4). When additional information is requested from the data subject to verify identity or clarify the request (Art. 12(6) GDPR), the computation is suspended until receipt of the reply and resumed from the following day.
7. No Charge and Exceptions
Exercise is free of charge (Art. 12(5) GDPR; Art. 15 Law 21.719). We will only charge a reasonable fee or refuse where:
- The request is manifestly unfounded or excessive, in particular due to repetition (Art. 12(5) GDPR).
- A second or further copy of the right of access is requested — we may charge a reasonable fee based on administrative costs (Art. 15(3) GDPR).
The burden to prove the unfounded or excessive nature rests on the Controller. Any refusal or charge is reasoned in writing and the data subject is offered the possibility of complaining to the supervisory authority and/or seeking judicial remedy.
8. Internal Operational Workflow
`` [Receipt] ↓ [received] — Initial state. dueAt calculated by jurisdiction. ↓ [identity_pending] — If verification required. Pause of computation (Art. 12(6) GDPR). ↓ [processing] — Identity verified; team processes. ↓ [resolved] | [rejected] — Reasoned resolution to the data subject. ``
8.1 Detailed states
| State | Description | | ------------------ | ---------------------------------------------------------------------------------------------- | | received | Request received. id (dsar_xxx) assigned, dueAt calculated, Privacy Officer notified. | | identity_pending | Verification requested from the data subject. Period computation paused under Art. 12(6) GDPR. | | processing | Identity verified. Team gathers data / executes action. | | resolved | Response sent with outcome and evidence. | | rejected | Reasoned refusal notified with complaint routes. | | withdrawn | Data subject withdraws the request. |
8.2 dsar_requests record fields
| Field | Description | | --------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ | | id | prefixedId("dsar") | | received_at | Timestamp of receipt | | due_at | Calculated per detected jurisdiction | | jurisdiction | EU / CL_19628 / CL_21719 / UK / OTHER — the most favourable to the data subject if uncertain | | right_invoked | access / rectification / erasure / objection / portability / restriction / consent_withdrawal / automated_decision / indemnification | | requester_email | Declared contact email | | verified_titular_id | Optional FK to leads.id or other entity if confirmed | | status | See previous table | | assigned_to_user_id | Internal user responsible (default: Privacy Officer) | | evidence_r2_prefix | R2 folder with case documentation (powers, correspondence, exports) | | resolution_note | Internal text with the resolution reasoning | | closed_at | Closing timestamp |
8.3 Internal SLAs
- Assignment to the Privacy Officer:
{{slaAssignHours}}(24 business hours). - Identity verification initiated: maximum 2 business days from receipt.
- Review meetings weekly if there are open requests.
9. Response Templates by Right
All templates are stored in /admin/ajustes/dsar/plantillas, versioned and multi-language (ES/EN/PT/DE).
9.1 Access (Art. 15 GDPR)
A structured dossier is delivered including:
- Confirmation of processing.
- Categories of data and purposes (aligned with Privacy Policy §5).
- Recipients (processors, authorities) — reference to Privacy Policy §7.
- Envisaged retention periods or criteria to determine them — reference to Privacy Policy §6.
- Available rights and how to exercise them.
- Right to lodge complaint with supervisory authority.
- Source of the data if not obtained from the data subject.
- Copy of the personal data processed, in readable format (PDF + JSON annex).
- Safeguards for international transfers (Art. 15(2) GDPR).
9.2 Rectification (Art. 16 GDPR)
The correction is confirmed. If a rectified datum had been communicated to a recipient, it is notified to them (Art. 19 GDPR) save impossibility or disproportionate effort.
9.3 Erasure (Art. 17 GDPR)
Prior analysis:
- Does an Art. 17(3) GDPR exception apply? (freedom of expression, compliance with legal obligation — AML/accounting —, public interest, archiving/research, exercise of claims).
- If yes: partial erasure + irreversible anonymisation of the rest + notification to the data subject of the scope and reason for non-total erasure.
- If no: complete erasure in primary systems + instruction to processors + notification to the data subject with timeline.
9.4 Objection (Art. 21 GDPR)
- Objection to direct marketing: absolute, without balancing test (Art. 21(2) and (3) GDPR). Immediate execution.
- Objection to processing based on legitimate interest: case-by-case analysis; ceases save compelling legitimate grounds (Art. 21(1) GDPR) evidenced by documented LIA.
9.5 Portability (Art. 20 GDPR)
Applicable to data processed by consent or contractual performance (Art. 20(1)(a) GDPR) and on an automated basis. Delivery in structured JSON (see §10).
9.6 Restriction (Art. 18 GDPR)
Activation of processing_restricted_at flag in affected records; logical block preventing any mutation or use, while maintaining storage. Notification to the data subject when lifting the restriction (Art. 18(3) GDPR).
9.7 Withdrawal of consent (Art. 7(3) GDPR)
Processed within a maximum of 24 hours. If consent was the sole lawful basis, processing ceases and, save mandatory retention, erasure or anonymisation is carried out.
9.8 Automated decision (Art. 22 GDPR)
Template informs that no automated decisions producing significant legal effects are taken. If in future they should arise, human intervention, right to express view and to contest (Art. 22(3) GDPR) are offered.
9.9 Compensation (Art. 82 GDPR)
Where the request includes a compensation claim, the data subject is informed of the right under Art. 82 GDPR, of the available fora (Art. 79(2) GDPR; Brussels I bis Arts. 17-19 for consumer) and, where applicable, of the possibility of recourse to SERNAC mediation or ADR pursuant to the Complaints Procedure. Quantification of material or non-material damage is for the competent court; the Controller will cooperate by providing available documentation.
10. Portability: Format and Scope
We deliver a ZIP file with:
lead.json— structured lead data (name,email,phone,country,language,budget_range,topics,propertyId,source,created_at,stage_history).activities.json— array oflead_activities(notes, emails, calls, state changes).visits.json— array ofvisits(no third-party data).communications/— emails received/sent to the data subject (where technically available),.emlformat.consents.json— applicable consent records.README.md— description of each file, JSON schema, extraction date.
UTF-8 JSON format with documented schema (schema/dsar-export.schema.json, JSON Schema 2020-12). Structured, commonly used and machine-readable in accordance with Art. 20(1) GDPR.
Direct transmission to another controller: if the data subject so requests and it is technically feasible (Art. 20(2) GDPR), secure transmission between controllers is offered.
What is NOT included (legally outside the right of portability):
- Data derived or inferred by the Controller (internal notes, internal scoring) — Art. 20 GDPR limits to "personal data provided by the data subject".
- Third-party data (other leads mentioned, internal agents).
11. Erasure vs Anonymisation
Where total erasure is not possible due to residual legal obligation (KYC/AML 5 years standard or 10 years extended; accounting/tax 10 years — see Privacy Policy §6 and Retention Policy §2), we apply irreversible anonymisation:
- One-way hash + truncation of email.
- Replacement of name with generic placeholder.
- Deletion of telephone, free-text message, budget.
- Retention only of internal identifier + aggregated AML/accounting flags, without reasonable possibility of re-identification (EDPB Opinion 05/2014 anonymisation test + Recital 26 GDPR).
- Recording in
audit_logwithaction='anonymized'and reference to legal motive.
The anonymisation is notified to the data subject as fulfilment of the right of erasure "as applicable". The delay of up to 30 calendar days is expressly informed for the erasure to propagate to backups (cyclical overwriting) pursuant to Retention Policy §3.4.
12. Restriction of Processing
Technical mechanism: processing_restricted_at field in affected entities (leads, lead_activities, visits). All repositories and server actions check this flag before mutating; they only permit read by the Privacy Officer while it is active.
Cases where it applies (Art. 18(1) GDPR):
- While accuracy is verified (during a pending rectification).
- When the data subject opposes erasure and prefers restriction.
- When the Controller no longer needs the data but the data subject needs them for claims.
- During the verification period of an objection.
13. Reasoned Refusal and Complaint Routes
Any total or partial refusal is communicated in writing to the data subject with:
- Legal motivation (specific articles invoked, case law and guidance where applicable).
- Indication that the data subject may complain to the competent supervisory authority — see §14.
- Indication that they may resort to the judicial route (Art. 79 GDPR; habeas data Art. 16 Law 19.628; judicial action Art. 47 Law 21.719) and, where applicable, exercise the right to compensation of Art. 82 GDPR.
- Period of 30 calendar days for the data subject to request internal review prior to external complaint (voluntary procedure offered as courtesy).
14. Supervisory Authorities
| Jurisdiction | Authority | Address | Web | Telephone | | --------------------------- | -------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------ | ----------------------------------------------- | ----------------- | | Spain | AEPD (Spanish Data Protection Authority) | C/ Jorge Juan, 6 — 28001 Madrid | https://www.aepd.es | +34 901 100 099 | | France | CNIL (French Data Protection Authority) | 3 Place de Fontenoy — TSA 80715 — 75334 Paris Cedex 07 | https://www.cnil.fr | +33 1 53 73 22 22 | | Germany (federal) | BfDI (German Federal Commissioner for Data Protection) | Graurheindorfer Straße 153 — 53117 Bonn | https://www.bfdi.bund.de | +49 228 997799-0 | | Germany — Baden-Württemberg | LfDI BW | Lautenschlagerstraße 20 — 70173 Stuttgart | https://www.baden-wuerttemberg.datenschutz.de | +49 711 615541-0 | | Portugal | CNPD (Portuguese Data Protection Authority) | Av. D. Carlos I, 134, 1.º — 1200-651 Lisbon | https://www.cnpd.pt | +351 213 928 400 | | Italy | Garante per la protezione dei dati personali | Piazza Venezia 11 — 00187 Rome | https://www.garanteprivacy.it | +39 06 696771 | | Ireland | Data Protection Commission (DPC) | 21 Fitzwilliam Square South — Dublin 2 D02 RD28 | https://www.dataprotection.ie | +353 1 765 0100 | | United Kingdom | ICO (UK Information Commissioner's Office) | Wycliffe House, Water Lane — Wilmslow SK9 5AF | https://ico.org.uk | +44 0303 123 1113 | | Chile (until 12 Dec 2026) | Judicial habeas data before civil court of domicile; Council for Transparency for data held by public bodies | — | https://www.consejotransparencia.cl | — | | Chile (from 13 Dec 2026) | Personal Data Protection Agency (Law 21.719) | To be determined | {{chileAPDUrl}} | To be determined |
15. Evidence Retention
Each DSAR case generates evidence stored in R2 under dsar-evidence/{dsar_id}/:
- Original request (PDF/EML).
- Identity verification documentation.
- Full correspondence with the data subject.
- Export delivered (in portability).
- Resolution signed by the Privacy Officer.
Retention period: 5 years from case closure, in accordance with Art. 5(2) and Art. 24 GDPR (accountability) + Art. 78 LOPDGDD (AEPD limitation) + prudential buffer; consistency with Privacy Policy §6 row 13 and Retention Policy §2 row 14.
Technical Implementation Notes
Operational documentation for the engineering team. Not part of the externally published document.
Public route
src/app/(public)/legales/derechos-del-titular/page.tsx— explanation + form typed per right.- Static page (server component), breadcrumbs, list of rights in tables, FAQ ("How long does it take?", "Can I request for my deceased mother?", "What documents do I need?"). No tracking on these pages.
Web form (POST /api/dsar)
- Fields:
right_invoked(enum),requester_email,full_name,country,description,proof_upload(optional, multipart),is_third_party(bool),relationship(if third party). - Zod validation (
src/lib/validation/dsar.ts). - Mandatory Turnstile.
- Jurisdiction detection by
cf-ipcountry+ declaredcountry; the regime most favourable to the data subject applies. - Insertion in
dsar_requests, calculation ofdue_atper jurisdiction, upload of proof to R2dsar-evidence/{id}/proof/. - Automatic email to the data subject (acknowledgement within 5 calendar days) and to
privacidad@amaneceraustral.comwith summary. - Slack notification to the
#dsarchannel with mention of the Privacy Officer.
dsar_requests table (Drizzle)
``ts dsarRequests: sqliteTable("dsar_requests", { id: text("id").primaryKey(), receivedAt: integer("received_at", { mode: "timestamp" }).notNull(), dueAt: integer("due_at", { mode: "timestamp" }).notNull(), jurisdiction: text("jurisdiction").notNull(), // 'EU' | 'CL_19628' | 'CL_21719' | 'UK' | 'OTHER' rightInvoked: text("right_invoked").notNull(), requesterEmail: text("requester_email").notNull(), verifiedTitularId: text("verified_titular_id"), status: text("status").notNull().default("received"), assignedToUserId: text("assigned_to_user_id"), evidenceR2Prefix: text("evidence_r2_prefix").notNull(), resolutionNote: text("resolution_note"), closedAt: integer("closed_at", { mode: "timestamp" }), }); ``
Admin UI (/admin/dsar)
- Listing with visible SLA (red if
dueAt < now + 3d). - Detail with timeline, R2 attachments, response templates per right with variable merge.
- "Run portability export" action → generates ZIP server-side and signs temporary R2 URL (24 h).
- "Anonymise" action → executes
anonymizeLead(leadId, reason)function applying the §11 procedure and recording in audit log. - "Activate restriction" action → sets
processing_restricted_atin affected entities.
Critical functions
- Portability export:
src/lib/dsar/exportPortable.ts. Generates JSON validated againstschema/dsar-export.schema.json. - Anonymisation:
src/lib/dsar/anonymize.ts. Idempotent. Single D1 transaction. Mandatory audit log. Vitest tests verifying irreversibility. - Period calculation:
src/lib/privacy/dsar-deadlines.tswith §6 figures. Pure testable functions.
processing_restricted_at flag
- Add
processing_restricted_at: integer({ mode: "timestamp" })column toleads,lead_activities,visits. - Repositories filter and reject mutations when active (except
liftRestrictionfunction).
SLA cron
- Daily Cloudflare Cron Trigger notifying the Privacy Officer of requests approaching expiry (
dueAt - now < 5d).
i18n templates
- One per right × locale, stored as markdown in
legal_templates(versioned). - Rendered with typed variable merge.
Accessibility
- WCAG 2.2 AA; form typed per right with contextual explanations; "Prefer not to say" options where appropriate.
prefers-reduced-motionrespected.
E2E tests (Playwright)
- Submission of request per each right.
- Receipt of automatic email.
- Correct render in admin with SLA.
- Execution of portability export.
- Execution of anonymisation.
- Verification of SLA and cron notifications.
Cited Sources
- Regulation (EU) 2016/679 — GDPR: https://eur-lex.europa.eu/eli/reg/2016/679/oj
- UK GDPR — Data Protection Act 2018: https://www.legislation.gov.uk/ukpga/2018/12/contents
- CJEU Case C-673/17 [Planet49] (1 October 2019): https://curia.europa.eu/juris/document/document.jsf?docid=218462
- CJEU Case C-311/18 [Schrems II] (16 July 2020): https://curia.europa.eu/juris/document/document.jsf?docid=228677
- EDPB Guidelines 01/2022 on the right of access (v2.0, 28 March 2023): https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-012022-data-subject-rights-right-access_en
- EDPB Guidelines 05/2020 on consent (v1.1, 4 May 2020): https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-052020-consent-under-regulation-2016679_en
- EDPB Opinion 05/2014 on anonymisation techniques (WP216): https://www.edpb.europa.eu/our-work-tools/our-documents/opinion-art-29-wp/opinion-052014-anonymisation-techniques_en
- AEPD — Citizens' rights: https://www.aepd.es/derechos-y-deberes/conoce-tus-derechos
- AEPD — Models for exercise of rights: https://www.aepd.es/preguntas-frecuentes/06-derechos-de-los-ciudadanos
- CNIL — Exercise rights: https://www.cnil.fr/fr/comprendre-vos-droits
- CNPD Portugal — Data subjects' rights: https://www.cnpd.pt/cidadaos/direitos-dos-titulares
- ICO — Your data matters: https://ico.org.uk/your-data-matters/
- Law 19.628 (Chile): https://www.bcn.cl/leychile/navegar?idNorma=141599
- Law 21.719 (Chile): https://www.bcn.cl/leychile/navegar?idNorma=1208650
- Law 19.913 (Chile) — UAF: https://www.bcn.cl/leychile/navegar?idNorma=219119
- Directive (EU) 2015/849 (AMLD4) consolidated: https://eur-lex.europa.eu/eli/dir/2015/849/oj
- Regulation (EU) 2024/1624 — AMLR: https://eur-lex.europa.eu/eli/reg/2024/1624/oj
- Regulation (EU) 1215/2012 — Brussels I bis: https://eur-lex.europa.eu/eli/reg/2012/1215/oj
Version History
| Version | Date | Changes | Approved by | | ------- | ----------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------- | | 1.0.0 | 28 May 2026 | Initial version reconciled in Round 3. Canonical DSAR periods per jurisdiction, two-track identity verification, expressly recognised Art. 82 GDPR right to compensation. | Urzula Velásquez (CEO / Privacy Officer) |