Employee Self-Service Agent - GDPR Art. 12-17 SAR, ADA Title III, WCAG 2.1 AA | Gosign

Three parallel privacy frameworks with different mechanics for employee data access requests. EU GDPR Regulation 2016/679 Art. 15 right of access: data subject confirmation + copy + categories of data + recipients + retention + rights + source + automated decision-making logic + cross-border transfers + 30-day response one-month + extension 2 months for complex requests with notification + free first copy + reasonable fee subsequent + electronic format. UK GDPR + DPA 2018 Section 45 SAR + ICO Subject Access Request guidance: identical scope to EU GDPR Art. 15 + 30-day response + 2-month extension + ICO Employment Practices Code Section 4 medical information + redaction third-party data + privileged communications + verifiable identity proportionate. US California CCPA Civil Code 1798.100-1798.199 + CPRA Proposition 24 Right to Know: categories of personal information + sources + business purposes + 45-day response + extension 45 days + verifiable consumer request + employee carve-out expired 1 January 2023 + California Privacy Protection Agency CPPA enforcement. State variations Virginia VCDPA + Colorado CPA + Connecticut CTDPA + Utah UCPA + 12+ state privacy laws with similar but not identical mechanics. The agent automates DSAR consolidation across EU + UK + US with 30-day calendar + 2-month extension + redaction third-party + categories + sources + recipients + retention + rights + automated decision-making logic + cross-system DSAR consolidation.

EU Pay Transparency Directive 2023/970 transposition by 7 June 2026 requires employers to provide pay transparency information to employees. Information right: pay levels + average pay levels by sex + criteria for pay determination + pay progression. Employee right to request: own pay level + average pay levels by sex for same work or work of equal value + pay determination criteria + pay progression. Reporting obligation: 100+ employees biennial reporting + 250+ employees annual reporting + gender pay gap by category of worker + reasons for gap exceeding 5 percent + remedial action. Pay transparency in recruitment: pay range disclosure + ban on asking salary history. Burden of proof reversal: complainant establishes facts + employer proves no discrimination. UK Pay Transparency Reporting Regulations 2017 (existing) + UK Equal Pay Act + Section 78 Equality Act 2010 + 250+ employees gender pay gap reporting. US California Pay Transparency Law SB 1162 + Colorado Equal Pay for Equal Work Act + New York State Pay Transparency Law + Washington State Pay Transparency Law + Illinois Equal Pay Act + Massachusetts Equal Pay Act + state-specific salary range disclosure in job postings. The agent automates Pay Transparency Auskunft via self-service portal with own pay level + average pay levels by sex + criteria for pay determination + pay progression + 30-day response + cross-reference to Compensation-Benchmarking-Agent Cluster #26.

US ADA Title III Americans with Disabilities Act 42 USC 12181-12189 prohibits discrimination on the basis of disability in places of public accommodation including websites. DOJ Final Rule 28 CFR Part 36 effective 2026 requires websites of public accommodations to conform to WCAG 2.1 AA Web Content Accessibility Guidelines. WCAG 2.1 AA conformance: 4 principles perceivable + operable + understandable + robust + 50 success criteria including text alternatives + captions + adaptable + distinguishable + keyboard accessible + sufficient time + seizures and physical reactions + navigable + readable + predictable + input assistance + compatible. US Section 508 Rehabilitation Act 29 USC 794d + 36 CFR Part 1194 Revised Section 508 Standards federal contractor + WCAG 2.1 AA. UK Equality Act 2010 Section 20 reasonable adjustments + Section 21 failure to make reasonable adjustments + UK Public Sector Bodies (Websites and Mobile Applications) Accessibility Regulations 2018 + EN 301 549 V3.2.1 + WCAG 2.1 AA. EU Web Accessibility Directive 2016/2102 + EAA Directive 2019/882 effective 28 June 2025 + WCAG 2.1 AA. ADA Title I 42 USC 12112 employment + reasonable accommodation interactive process + 29 CFR 1630.2(o) for individual employee requests. Litigation exposure: Title III civil penalties up to USD 75,000 first violation + USD 150,000 subsequent + state AG coordination + private right of action + class action exposure (Robles v. Domino's Pizza 2019 + Gil v. Winn-Dixie 2017 + Andrews v. Blick Art Materials 2017). The agent automates WCAG 2.1 AA conformance with automated testing axe-core + Lighthouse + manual testing assistive technology screen reader keyboard navigation + reasonable accommodation interactive process + accessibility statement + audit trail.

EU AI Act Regulation 2024/1689 Article 4 AI literacy provider deployer obligations require providers and deployers to ensure sufficient level of AI literacy among staff and other persons dealing with AI systems on their behalf. Article 50 transparency obligations: providers ensure AI systems intended to interact with natural persons inform that they are interacting with AI system + biometric categorisation + emotion recognition + AI-generated content disclosure deepfakes + text published on matter of public interest. Article 26 deployer obligations: appropriate technical and organisational measures + human oversight + monitoring + record-keeping + transparency to affected persons. Article 13 transparency information to deployers + Article 14 human oversight + Article 86 right to explanation high-risk AI decisions. GDPR Art. 22 prohibition fully automated decision-making with legal effects or similarly significantly affect data subjects + Art. 22(2) exceptions necessary for contract + authorised by Union or Member State law with safeguards + explicit consent + Art. 22(3) safeguards right to human intervention + right to express point of view + right to contest decision. The Self-Service Agent NOT classified as EU AI Act high-risk Annex III Point 4 HR-Recruitment AI System (information-only without making employment-affecting decisions). The agent enforces Article 50 transparency with chatbot identifies itself as AI + AI-generated content disclosure + interaction with AI system disclosure + source citations grounded in policy documents + confidence threshold + escalation to human specialist + GDPR Art. 22 no automated decisions + audit trail + cross-reference to Employee-Data-Management-Agent Cluster #30.

eIDAS Regulation 910/2014 establishes three signature levels per Annex I: Simple Electronic Signature SES (data in electronic form + attached or logically associated + indicating signing); Advanced Electronic Signature AdES (uniquely linked to signatory + capable of identifying + created using means under sole control + linked in such a way that subsequent change detectable per Article 26); Qualified Electronic Signature QSig (AdES + qualified certificate + qualified signature creation device per Article 28). Trust Service Providers TSP + ETSI EN 319 411 + ETSI EN 319 412 + UK eIDAS Regulations 2016 post-Brexit. US E-SIGN Act 15 USC 7001 Electronic Signatures in Global and National Commerce Act + UETA Uniform Electronic Transactions Act state-level adoption + ESIGN consumer disclosure + intent to conduct electronically + accuracy of records + retention + admissibility evidence. Signature level selection per transaction type and risk: SES sufficient for low-risk transactions (address change + emergency contact + read-only acknowledgement); AdES sufficient for routine transactions (leave request + sickness notification + W-4 withholding + 401(k) deferral + benefits elections + acknowledgement of policy); QSig required for legally binding transactions (employment contract amendments + termination acceptance + severance agreement + non-compete acknowledgement + intellectual property assignment). Audit trail of signature: signatory identity + timestamp + IP address + signed document hash + certificate validity + retention. The agent automates signature level selection per transaction type + jurisdiction + risk + audit trail + cross-reference to HR-Document-Management-Agent.

All three agents work in HR governance but with different focuses. The Employee Self-Service Agent (this one) focuses on employee self-service portal lifecycle + GDPR Art. 12-17 Subject Access Request + Right to Erasure + Right to Data Portability + Self-Service Applications (Leave + Sickness + Certifications + Address changes) + Pay Slip + Pay Transparency Auskunft + qualified electronic signature QSig + Mobile App + Chatbot + ADA Title III + WCAG 2.1 AA accessibility + EU AI Act Article 4 AI literacy + Article 50 transparency. The Employee Relations Case Agent (Cluster #31) focuses on case management lifecycle + grievance + harassment investigation + disciplinary action + whistleblower + retaliation + termination preparation + Performance Improvement Plan PIP + Severance Agreement + Class Action Risk Mitigation + Title VII Faragher-Ellerth Affirmative Defense + EEOC McDonnell Douglas burden-shifting + UK Equality Act Section 109 employer liability + ACAS Code of Practice + EU Whistleblower Directive 2019/1937. The Employee Data Management Agent (Cluster #30) focuses on employee data lifecycle management + Master Data synchronisation + GDPR Art. 5+9+22+88 + UK GDPR + CCPA/CPRA + 12+ state privacy laws + HIPAA + ADA + ERISA + FCRA + Privacy by Design + Pseudonymisation + Encryption + Right to Erasure cross-system cascade + DSAR + DPIA + RAT + Article 28 DPA + Cross-Border Transfer + Breach Notification 72h. Cross-reference: Employee Self-Service Agent provides employee-facing portal that triggers Employee Data Management Agent for DSAR + Right to Erasure + cross-system propagation. Employee Self-Service Agent escalates judgement questions (grievance + harassment + retaliation + whistleblower) to Employee Relations Case Agent. Consistency check: all three agents reference GDPR Art. 12-22 + Art. 88 + UK GDPR + CCPA/CPRA. The Employee Self-Service Agent is the gateway to the entire HR self-service ecosystem with information provision + transactional workflows + accessibility + AI transparency.

The self-service portal includes a dedicated whistleblower channel as required by EU Whistleblower Directive 2019/1937. Three parallel whistleblower frameworks coexist. EU Whistleblower Directive 2019/1937 (transposition national law): protected reporting channels (internal + external + public) + 100+ employee threshold + retaliation prohibition + reverse burden of proof Article 21 + 7-day acknowledgement + 3-month feedback + 5-year retention + cross-border reporting Article 13 + qualifying disclosures (Union law breaches + financial services + product safety + environment + public procurement + AML + consumer protection + data protection + privacy + nuclear safety + food safety + animal welfare + public health + competition law + corporate tax + Union financial interests). UK PIDA 1998 Public Interest Disclosure Act + ERA 1996 Section 43A-43L: qualifying disclosures (criminal offence + legal obligation breach + miscarriage of justice + health and safety + environmental damage + concealment) + reasonable belief test + public interest test (Chesterton Global Ltd v Nurmohamed 2017) + protected disclosures internal + prescribed persons + ERA Section 47B detriment + Section 103A automatic unfair dismissal. US SOX 806 18 USC 1514A whistleblower protection publicly traded companies + Dodd-Frank §922 15 USC 78u-6 SEC Whistleblower Program 10-30 percent monetary award sanctions exceeding USD 1M + 2024 DOJ Whistleblower Award Program criminal corporate misconduct + 22 sectoral whistleblower statutes administered by OSHA Whistleblower Protection Program. The Self-Service Agent identifies whistleblower disclosure intent + routes to protected reporting channel + maintains confidentiality + tracks reverse burden + escalates to compliance function and outside counsel where required + cross-reference to Employee-Relations-Case-Agent Cluster #31.