Client-based access control

If your application stores data that might be used to identify a person and you are subject to GDPR or similar regulations, use client-based access control to track and process requests to view, change, or remove the data.

Client-based access control (CBAC) helps you satisfy the data privacy requirements of the European Union (EU) General Data Protection Regulation (GDPR) and similar regulations. In Pega Platform, personal data might be stored in the Pega database or related data sets, and is identified by class name and property name. Personal data is associated with an actual person, not with an abstract entity such as a business.

For information about the overall CBAC process, see the Pega Community article Supporting EU GDPR data privacy rights in Pega Infinity with client-based access control.

Data privacy APIs

A request to get, rectify (update), erase (delete), or limit the usage of personal data is done by using REST APIs. The access request processing can be synchronous or asynchronous, but the processing of rectify and erase will be done asynchronously. Access, erase, and rectify requests are handled as cases. When a case that requests data is processed, the client data is returned to the client in decrypted form by using HTTPS in Base64 encoded format. For requests to rectify or erase, the data is modified or deleted as requested.

The REST APIs that define personal data requests are in the Data Privacy category of the api service package, which is known as the Pega API.

  • Requests to update and delete personal data are one-time requests. They do not prevent the data from being changed or added again in the future.
  • Client data that is temporarily stored on a CBAC case does not persist after the case has been resolved.