Configure Privacy Request Types
Fides supports eight privacy request types that map to data subject rights under GDPR, CCPA, and other privacy regulations: access, erasure, portability, consent, correction, restrict processing, automated decision review, and complaint. Each type has a seeded default policy that Fides creates automatically at startup.
Available request types
| Request type | Action type | Default policy key | Requires user input | Relevant regulations |
|---|---|---|---|---|
| Access | access | default_access_policy | Optional | GDPR Art. 15, CCPA |
| Erasure | erasure | default_erasure_policy | Optional | GDPR Art. 17, CCPA |
| Portability | portability | default_portability_policy | Optional | GDPR Art. 20 |
| Consent | consent | default_consent_policy | Optional | GDPR Art. 7, CCPA |
| Correction / Rectification | update | default_correction_policy | Required | GDPR Art. 16 |
| Restrict Processing | restrict_processing | default_restrict_processing_policy | Required | GDPR Art. 18 |
| Automated Decision Review | automated_decision | default_automated_decision_policy | Required | GDPR Art. 22 |
| Complaint | complaint | default_complaint_policy | Required | GDPR Art. 77 |
Automated request types
Access, erasure, portability, and consent requests are processed through Fides integrations. These can include automated integrations, manual task integrations, or a combination of both.
Portability requests use the same pipeline as access requests and produce a data package in the same format, delivered to the same storage destination. No additional configuration is needed beyond what is required for access requests.
Manual request types
Correction, restrict processing, automated decision review, and complaint requests cannot be fulfilled automatically, they require user input. These request types create manual tasks that a user must complete.
The "Automated Decision Review" request type is named for the right it exercises (GDPR Art. 22, the right to contest automated decisions). The request itself is fulfilled manually by a human reviewer.
When a manual request is submitted, the request transitions to a "Requires Input" status. At this point the configured manual tasks are available for completion and assigned to the relevant users. For details on which roles can complete tasks, see Processing manual requests.
Configure the Privacy Center
To make a request type available to data subjects, add a privacy request action to the Privacy Center configuration on your property. Each action references the request type and defines the intake form that the data subject fills out.
- Navigate to Settings > Properties and select your property.
- Click the edit button on a privacy request action, or add a new one by choosing the request type you want to offer (e.g. "Correction / Rectification").
- Use the form builder to design the intake form, including identity fields and any custom fields.
You can also configure actions via the API or directly in config.json. See Configure Privacy Request Options for the JSON-based approach.
Set up manual tasks
Manual request types require a manual task integration so that users know what action to take when a request arrives.
Step 1: Create tasks
- Navigate to Integrations in the Admin UI.
- Click Add Integration and select Manual Task.
- Give the integration a name (e.g. "Customer data correction team").
Step 2: Configure task fields
- Open the integration and navigate to the Configure Tasks tab.
- Add a field for each request type you want to support. Select the request type from the dropdown:
- Access
- Erasure
- Consent
- Correction / Rectification
- Restrict Processing
- Automated Decision Review
- Complaint
- Choose a field type (text, checkbox, or attachment) and provide a label that describes what the user should do (e.g. "Update customer info", "Confirm processing restricted").
The label you configure here is what users will see in the Admin UI when completing the task, so use something descriptive that tells them what action is expected.
Step 3: Assign users
Assign users to the integration. When a request of the matching type is submitted, assigned users will be notified and can complete the task from the Admin UI or the external portal.
For more details on task configuration and the completion workflow, see Processing manual requests.
Complete manual requests
When a data subject submits a manual request (correction, restrict processing, automated decision review, or complaint):
- Fides creates a manual task and transitions the request to "Requires Input" status.
- Assigned users receive a notification (via the digest email or the Admin UI).
- The user opens the task in the Manual Tasks tab of the Request Manager.
- Any custom fields the data subject provided (e.g. the field to correct, reason for restriction, complaint details) are displayed alongside the task.
- The user completes the task by providing the required response or confirming the action was taken.
- Once all tasks are complete, Fides marks the request as fulfilled and sends the completion email to the data subject.
Enable completion email templates
Each request type has its own completion email template that can be sent to the data subject when the request is fulfilled. These templates are automatically created at startup but are disabled by default. An administrator must enable each template before emails will be sent.
| Request type | Template name |
|---|---|
| Access | Privacy request complete (access) |
| Erasure | Privacy request complete (erasure) |
| Consent | Privacy request complete (consent) |
| Portability | Privacy request complete (portability) |
| Correction | Privacy request complete (correction) |
| Restrict Processing | Privacy request complete (restrict processing) |
| Automated Decision Review | Privacy request complete (automated decision) |
| Complaint | Privacy request complete (complaint) |
For details on enabling and customizing email templates, see Email template types.
Choose custom fields for each request type
The custom_privacy_request_fields configuration lets you collect structured information from data subjects at intake time. While these fields are optional, certain request types benefit from specific fields that help users fulfill the request efficiently.
| Request type | Recommended fields | Why |
|---|---|---|
| Correction | Select field for which data to correct, text field for the corrected value | Users need to know what is wrong and what the correct value should be |
| Restrict Processing | Select field for reason, optional textarea for details | The legal basis for restriction determines how it should be handled |
| Automated Decision Review | Text field for which decision, optional textarea for reasoning | Users need to identify which automated process is in question |
| Complaint | Select field for complaint type, required textarea for details, optional file upload | Complaints need enough detail to investigate, and supporting documents can be helpful |
| Access | Generally not needed | The automated pipeline handles retrieval without additional input |
| Erasure | Generally not needed | The automated pipeline handles deletion without additional input |
| Portability | Generally not needed | Uses the same pipeline as access requests |
For information on configuring custom fields, including conditional display logic and file upload support, see Custom request fields.