GDPR Positioning
What this document is:
An overview of how Clawscan is designed to support organizations operating under the General Data Protection Regulation (GDPR).
Why this matters:
Organizations evaluating Clawscan must understand how the platform fits within GDPR roles, responsibilities, and data protection principles.
Who should read this:
Data protection officers (DPOs), legal teams, compliance officers, and procurement reviewers.
When to use this:
DPIA preparation, vendor risk assessments, legal reviews, and procurement processes.
Overview
Clawscan is designed to support organizations in identifying potential legal and compliance risks in internal communications while respecting data protection principles.
The platform architecture and governance model aim to support key GDPR principles such as:
- data minimisation
- purpose limitation
- transparency
- accountability
Clawscan provides technical capabilities for compliance monitoring, while organizations remain responsible for determining how those capabilities are used within their governance framework.
Roles and responsibilities
The deployment of Clawscan involves several actors whose roles must be clearly distinguished.
Unless explicitly agreed otherwise:
- The organization deploying Clawscan acts as the data controller: it decides whether, why, and over which communications analysis takes place
- GOlegal acts as a service provider supporting the Clawscan platform and does not decide those questions on the organization's behalf
The organization remains responsible for determining:
- whether communications monitoring is appropriate
- which communications may be analyzed
- how compliance signals are handled internally
GOlegal provides the technical platform enabling analysis but does not determine monitoring policies.
Data minimisation
Clawscan is designed to minimize the amount of personal data transmitted outside the client environment.
Key design choices include:
- communication analysis performed within the client tenant
- monitoring scope determined by the client organization
- email retention policies determined by the client organization
- transmission of derived analysis results only, not message content
- no storage of email content within GOlegal infrastructure
These safeguards help reduce the exposure of personal data during operation.
Privacy by design and scope control
Clawscan is designed to support a privacy-by-design approach, allowing organizations to configure and limit monitoring in a proportionate and controlled manner.
Key principles include:
- Client-defined monitoring scope. Organizations determine which users, mailboxes, and domains are included in the analysis scope, and can optionally tailor detection configurations to specific compliance objectives.
- Ability to exclude personal or sensitive communications. Clawscan is designed to allow organizations to exclude communications marked as "private" from analysis.
- Granular configuration of detection domains. Monitoring can be limited to specific risk areas (e.g. competition law, anti-corruption), avoiding unnecessary analysis of unrelated communications.
- No generalized or continuous surveillance by default. Clawscan provides targeted detection capabilities and does not impose broad or indiscriminate monitoring.
These controls allow organizations to align the use of Clawscan with:
- proportionality requirements
- employee privacy expectations
- internal governance policies
Clawscan provides the technical means to implement privacy-by-design, while organizations remain responsible for defining and enforcing appropriate monitoring policies.
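The scope controls above and the data-minimisation design choices (tenant-resident analysis, transmission of derived results only) can be made concrete as a small pipeline: a scope filter that drops out-of-scope, excluded and "private"-marked messages, analysis restricted to the enabled detection domains, and an egress check that refuses to transmit anything outside an allowlist of derived fields. The following is an added illustration, not Clawscan or GOlegal code. The policy shape, the "sensitivity: private" header used as the private marker, the keyword-based detectors, and the sample messages are all assumptions constructed for the example; the real product's configuration and analysis are not described on this page.

```python
"""Scope filtering and content-free egress for a tenant-resident analyzer.

Illustrative code only (not Clawscan/GOlegal code). Assumptions: a policy
with included domains, excluded users and enabled detection domains; a
"sensitivity: private" header as the private marker; toy keyword detectors
standing in for real analysis; constructed sample messages.
"""
from dataclasses import dataclass, field
import hashlib


@dataclass
class ScopePolicy:
    included_domains: set                       # mailbox domains in scope
    excluded_users: set = field(default_factory=set)
    detection_domains: set = field(default_factory=set)  # enabled risk areas
    private_header: str = "sensitivity"         # assumed private marker
    private_value: str = "private"


# Toy detectors keyed by detection domain (assumption; stand-in for real analysis).
DETECTORS = {
    "competition_law": ("price coordination", "market allocation"),
    "anti_corruption": ("facilitation payment", "gift for the official"),
}

# The only fields allowed to leave the tenant: derived signals, no content.
EGRESS_ALLOWLIST = {"message_ref", "detection_domain", "score", "mailbox_domain"}


def in_scope(msg, policy):
    """Return (True, "") if msg may be analyzed, otherwise (False, reason)."""
    sender = msg["from"].lower()
    domain = sender.rsplit("@", 1)[-1]
    if domain not in policy.included_domains:
        return False, "sender domain not in scope"
    if sender in policy.excluded_users:
        return False, "sender excluded"
    marker = msg.get("headers", {}).get(policy.private_header, "")
    if marker.lower() == policy.private_value:
        return False, "marked private"
    return True, ""


def derive_signals(msg, policy):
    """Run only the enabled detection domains; return content-free signals."""
    text = (msg["subject"] + "\n" + msg["body"]).lower()
    # Opaque reference so the client can locate the message; no content leaves.
    ref = hashlib.sha256(msg["id"].encode()).hexdigest()[:16]
    signals = []
    for dom in sorted(policy.detection_domains & DETECTORS.keys()):
        hits = sum(1 for kw in DETECTORS[dom] if kw in text)
        if hits:
            signals.append({
                "message_ref": ref,
                "detection_domain": dom,
                "score": hits / len(DETECTORS[dom]),
                "mailbox_domain": msg["from"].rsplit("@", 1)[-1],
            })
    return signals


def build_egress(signals):
    """Fail closed: refuse any record carrying a field outside the allowlist."""
    for rec in signals:
        extra = set(rec) - EGRESS_ALLOWLIST
        if extra:
            raise ValueError(f"refusing to transmit non-derived fields: {sorted(extra)}")
    return signals


def process(messages, policy):
    """Return (records safe to transmit, {message id: reason skipped})."""
    out, skipped = [], {}
    for m in messages:
        ok, reason = in_scope(m, policy)
        if not ok:
            skipped[m["id"]] = reason
            continue
        out.extend(derive_signals(m, policy))
    return build_egress(out), skipped


# Constructed sample data (not real traffic).
SAMPLE_POLICY = ScopePolicy(
    included_domains={"example.com"},
    excluded_users={"eve@example.com"},
    detection_domains={"competition_law"},   # anti_corruption deliberately off
)
SAMPLE_MESSAGES = [
    {"id": "m1", "from": "alice@example.com", "subject": "Q3 pricing",
     "body": "Let's agree on price coordination with the competitor.", "headers": {}},
    {"id": "m2", "from": "bob@example.com", "subject": "personal",
     "body": "price coordination", "headers": {"sensitivity": "Private"}},
    {"id": "m3", "from": "carol@partner.example", "subject": "hi",
     "body": "facilitation payment", "headers": {}},
    {"id": "m4", "from": "dave@example.com", "subject": "visit",
     "body": "a gift for the official and a facilitation payment", "headers": {}},
    {"id": "m5", "from": "eve@example.com", "subject": "x",
     "body": "market allocation", "headers": {}},
]

if __name__ == "__main__":
    records, skipped = process(SAMPLE_MESSAGES, SAMPLE_POLICY)
    print(records)
    print(skipped)
```

Note that m4 produces no record even though it would match the anti-corruption detector: that detection domain is not enabled in the policy, so the message is never analyzed for it. The allowlist in `build_egress` is the control worth copying; it makes "derived results only" an enforced invariant rather than a documentation claim.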
Purpose limitation
Clawscan is designed to support targeted compliance risk detection, not general employee monitoring.
Organizations deploying Clawscan should define clear purposes for monitoring activities, such as:
- detecting potential competition law risks
- identifying corruption-related signals
- supporting internal compliance governance
These purposes should be reflected in the organization’s internal policies and transparency measures.
Transparency and employee information
Where communications monitoring is implemented, organizations will generally be required to inform employees about it, both under the GDPR transparency obligations (Articles 13 and 14) and under applicable national employment law.
Transparency measures may include:
- updating internal policies
- informing employees about monitoring objectives
- describing how alerts are reviewed internally
Clawscan documentation is intended to support organizations in explaining how the system operates.
Data protection impact assessments
Organizations deploying Clawscan should assess whether a Data Protection Impact Assessment (DPIA) is required under GDPR Article 35; supervisory authority guidance commonly treats systematic monitoring of employees as processing likely to result in high risk, so a DPIA will often be expected.
The Clawscan Trust Center provides documentation that can assist in such assessments, including:
- architecture and data flow descriptions
- security and privacy safeguards
- governance positioning
Data subject rights
Clawscan is designed in a way that allows organizations to respect data subject rights under GDPR.
Because communication content remains within the client tenant environment:
- organizations maintain direct control over the underlying data
- data subject rights requests can be handled through existing systems
Clawscan does not alter the organization's ability to respond to such requests. Derived analysis results that leave the tenant should nevertheless be covered in the organization's records of processing and, where they relate to an identifiable individual, in its handling of access and erasure requests.
Security safeguards
Clawscan implements technical and organisational measures intended to support secure processing of compliance signals.
Examples include:
- tenant-resident processing of communication content
- limited data transmission
- operational monitoring safeguards
A detailed description of these measures is available in the Clawscan Trust Center security documentation.