Information for: DEVELOPERS   PARTNERS

Administering data subject rights requests

The EU General Data Protection Regulation (GDPR) defines any identified or identifiable person as a data subject. To enable personalization on the websites on which it is installed, Acquia Lift may be used to store personal data, which based on the GDPR can be broadly defined, as demonstrated in the following information from Article 4 (1):

“[A]ny information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” Some examples of personal data include, but are not limited to: name, personalized e-mail address, mailing address, phone number, dynamic and static IP addresses etc.

GDPR allows data subjects specific rights (also known as data subject rights) that pertain to the storage and handling of any gathered data that relates to them.

To ensure that your needs regarding the management, reporting, and removal of data subject information are met per the requirements of GDPR, Acquia Lift includes several methods that you can use to accomplish these tasks. These methods are described in this product documentation page, along with additional information about how Acquia Lift stores personal data.

How Acquia Lift obtains and stores personal data

Acquia Lift uses both profile fields and identifiers to store personal information for data subjects, each of which are described in the following sections.

Profile fields

Visitors to websites are tracked as profiles, which can be viewed in the Profile Manager interface in the People tab.

For more information about profiles fields, see the following resources:


Identifiers are used to identify and track visitor profiles. Some identifiers may be set as resolvable, which means their value is unique for an individual. An example of a resolvable identifier is e-mail address. Some identifiers, however, are non-resolvable, which means their values may not be unique across profiles (such as name).

Acquia Lift assigns a default, resolvable identifier (tracking ID) to each visitor profile. Other identifier values (such as email address, name, and Facebook ID) may be set for profiles by using API endpoints.

For more information about profiles fields, see the following resources:

Data subject rights

Data subjects may be users of the Acquia Lift set of products, visitors of websites that use Acquia Lift (which can included hosted customers), or potentially both.

Data subject rights for users

Using the Profile Manager interface, you can read, remove, or rectify the gathered data for users. Depending on your needs, you can also use the Users API endpoint to accomplish these tasks.

Data subject rights for visitors

The following table describes how the data subject rights for visitors may be administered by Acquia Lift product users:

Right Description
Right to be informed Acquia Lift identifies visitors based on browser cookies, and the visitor data that can be obtained is configured by Acquia Lift users. Acquia Lift users should communicate both the data that is being gathered to website visitors and the users’ privacy policies.
Right of access Acquia Lift users can use either the Visitor Query API endpoint or a file export from Profile Manager to view gathered information that pertains to a visitor profile.
Right to rectification To modify person fields, users can either use the updatePerson Javascript function or do a file import with updatePerson as event_name. To modify identifiers, users can utilize a combination of the PUT and DELETE endpoints of the capture identity API.
Right to erasure Using the File Import API, users can import a purgePerson event to erase a specific visitor profile. This will process removes any personal identifiers from the profile (including the tracking ID, email address, and name) and invalidates the profile by assigning it an anonymous tracking ID.
Right to restrict processing

Acquia Lift provides a setDoNotTrack flag for visitors. Setting this flag causes Acquia Lift to gather no data for this profile.

Users can implement the setDoNotTrack flag with custom website code, such as by providing visitors a checkbox which will trigger setting/unsetting the value of the setDoNotTrack flag. For more information, see setDoNotTrack - Acquia Lift JavaScript API.

Right to data portability Acquia Lift allows users to bulk export visitor data as comma-separated value (CSV) files to S3 storage on Amazon Web Services (AWS) by using either the Profile Manager interface or an API endpoint. Alternately, Acquia Lift users can use the Visitor Query API endpoint to fetch data that pertains to individual visitor profiles.
Right to object The setDoNotTrack flag may be set for individual visitors when Acquia Lift users want to pause processing for those visitors. For more information about the setDoNotTrack flag, see setDoNotTrack - Acquia Lift JavaScript API.
Rights in relation to automated decision making and profiling Acquia Lift users define both the data collection parameters and how those parameters are used for defining segments. Additionally, users decide which content is served to which segment. Acquia suggests that users (as a part of their own GDPR efforts) have their own policies that answer profiling- and decision making-related queries from their data subjects.