How to Manage Requests from Authorities under the GDPR

The General Data Protection Regulation (GDPR) sets the rules for the collection, processing, and transfer of personal data within the European Economic Area.
In certain cases, competent authorities may request information about users, systems, or services hosted by Jotelulu.

This tutorial explains how Jotelulu handles such requests, the role of each party (Jotelulu and the partner), and the responsibilities you need to know to ensure compliance.


1. Introduction

In this tutorial, you will learn to:

  • Identify the role of Jotelulu and the partner under the GDPR.

  • Understand how requests from competent authorities are handled.

  • Know the transparency and security principles applied.

  • Understand which steps to follow when a request concerns your clients.

Objective: to provide operational and legal clarity on data handling under the GDPR and to avoid errors or misinterpretations in communications with the authorities.

 

2. Roles under the GDPR

 

3. Types of authority requests

Competent authorities (e.g., data protection authorities, law enforcement, health authorities) may request:

  • Identification of users (e.g., ownership of an IP address).

  • Technical information about hosted servers or systems.

  • Contact details of clients using the HDS service, when required by the French health authority.

Note: any request must be submitted via a formal order in accordance with applicable legislation.

 

4. How Jotelulu handles these requests

 

5. Special cases

HDS clients (France)
French regulations may require contact details to be provided to the health authority—specifically, the contact designated when registering the organisation under the HDS service.
Jotelulu will inform the partner beforehand, unless the law expressly prohibits such notification.

 

Requests from foreign authorities
These requests will only be handled if they are covered by European law or valid international treaties.
Any order outside this framework will be formally rejected.

 

6. Transparency and security principles

Jotelulu applies the fundamental GDPR principles to all processes:

  • Data Protection Officer (DPO) involvement: all requests are reviewed and validated by the DPO.

  • Data minimisation: only the information that is necessary is provided.

  • Traceability and record-keeping: the entire process is documented, from receipt to final response.

  • Confidentiality: communications are secured and encrypted, in line with privacy-by-design principles.

     

7. What you must do as a partner

Your cooperation is essential to ensure compliance.

  • Keep your clients’ information up to date on the Jotelulu platform.

  • Designate a valid point of contact for privacy or compliance communications.

  • Coordinate with the Jotelulu team if a request concerns your clients or services.

  • Inform end clients when required by regulation.

  • Keep an internal log of requests and responses handled.

Tip: if you manage clients with HDS services, also consult the tutorial "How to enrol a client in the HDS service" to learn about the specific obligations in France.

 

8. Limitation of liability

Jotelulu will always act in accordance with applicable legislation and the provisions of the GDPR.

However:

  • Final responsibility for clients’ data lies with the partner when acting as the Data Controller.

  • Jotelulu cannot be held responsible for penalties or claims resulting from misuse of data by the partner or third parties.

  • In case of doubt, the partner must consult their legal advisers or DPO before responding to any authority.

     

9. Contact

For questions related to handling requests under the GDPR:
📧 dpd@jotelulu.com

🛈 Note: this channel is exclusively for compliance and privacy matters.

 

10. Conclusion

Proper handling of requests under the GDPR requires coordination, transparency, and traceability.
Knowing your role as a partner will allow you to act with legal certainty and maintain your clients’ compliance.
For its part, Jotelulu guarantees that all processes comply with the principles of lawfulness, minimisation, and proactive accountability established by the European Regulation.

Jose Pastor
November 17, 2025