
General Data Protection Regulation

Updated on June 30, 2021

Implementing client-based access control (CBAC) helps you satisfy the data privacy requirements of the European Union (EU) General Data Protection Regulation (GDPR) and similar regulations. Personal data is associated with an actual person, not with an abstract entity such as a business.

If your application stores data that could be used to identify a person and you are subject to GDPR or similar regulations, use client-based access control to track and process requests to view, change, remove, and restrict the use of personal data, and to show auditors that you have done so.

Note: For more information about GDPR, see the EU General Data Protection Regulation (GDPR) website.


This article and related articles use the following terminology:

Pega application
An application that is built on Pega Platform and contains personally identifiable data
A person who is a customer of yours and whose personal data you manage. (In GDPR, this person is known as the “data subject.”)
GDPR request management application
A Pega application that is built to manage GDPR requests for Pega and non-Pega applications.
  • The Pega Infinity™ CRM applications include a GDPR request management application.
  • If you do not have a Pega Infinity CRM application, Pega Exchange provides a prototype application called the GDPR Accelerator that you can download and customize.
A Pega or non-Pega application that stores personally identifiable data, within which client requests must be enforced. These repositories are defined in the GDPR request management application as instances of a class group. This type of repository is different from the repositories that are used in the CI/CD pipeline.

Types of requests

Rectify and erase requests are one-time operations. They do not prevent data from being changed or added again in the future. Pega Platform can be configured to automatically support the following types of personal data requests:

| Personal data request types | Configuration behavior |
| --- | --- |
| Request to access | Find all the personal data for a client and return the values to the client. |
| Request to rectify | Correct personal data for a client for properties that you support changing. |
| Request to erase | Delete personal data for a client for properties that you support deleting. |
| Request to restrict usage | Prohibit particular functions from accessing data for a specific client. For example, a client might consent to use your banking system but not to receive marketing communications. |

GDPR functionality

For more information, see the General Data Protection Regulation Demonstration video.

  • Building a client-based access control environment

    If you have a Pega marketing application in production that stores personal client data, you can configure an application that is used only for handling CBAC requests from clients. The client makes a CBAC request to the GDPR request management application, which communicates the request to the marketing application to retrieve or modify the personal data. The result of the request is passed back to the GDPR request management application and communicated to the client.

  • GDPR request management application

    You can configure a GDPR request management application to verify customer identity and initiate requests on behalf of a customer. You configure your GDPR request management application according to your business needs and the type of interface that you want to offer.

  • Personal data restrictions for GDPR

    The General Data Protection Regulation (GDPR) imposes strict requirements for protecting personal data. When you develop Pega applications, you can restrict personal information from certain functions.
