Privacy Policy
1. Scope and Applicability
- Geographical Scope: The GDPR applies to organizations established in the EU, regardless of whether the processing itself takes place in the EU, and to organizations established outside the EU that process the personal data of individuals in the EU in connection with offering them goods or services or monitoring their behaviour within the EU.
- Personal Data: Any information related to an identified or identifiable natural person (data subject).
2. Key Principles
- Lawfulness, Fairness, and Transparency: Data processing must be lawful, fair, and transparent to the data subject.
- Purpose Limitation: Data should only be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.
- Data Minimization: Only the data necessary for the purposes of processing should be collected.
- Accuracy: Personal data must be accurate and kept up to date.
- Storage Limitation: Data should not be kept in a form that permits identification of data subjects for longer than necessary.
- Integrity and Confidentiality: Data must be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
- Accountability: Data controllers are responsible for and must be able to demonstrate compliance with all GDPR principles.
3. Rights of Data Subjects
- Right to be Informed: Data subjects have the right to be informed about the collection and use of their personal data.
- Right of Access: Data subjects have the right to access their personal data and obtain information about how it is being processed.
- Right to Rectification: Data subjects can request the correction of inaccurate or incomplete data.
- Right to Erasure (Right to be Forgotten): In certain circumstances, data subjects can request the deletion of their personal data.
- Right to Restrict Processing: Data subjects can request the restriction of the processing of their personal data under specific conditions.
- Right to Data Portability: Where processing is based on consent or a contract and is carried out by automated means, data subjects have the right to receive their personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.
- Right to Object: Data subjects can object to the processing of their personal data under certain conditions, especially for direct marketing purposes.
- Rights Related to Automated Decision Making and Profiling: Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects or significantly affects them.
4. Lawful Basis for Processing
- Consent: The data subject has given consent (freely given, specific, informed, and unambiguous) to the processing of their data for one or more specific purposes. Explicit consent is required only for special categories of data, such as health data or biometric data.
- Contract: Processing is necessary for the performance of a contract with the data subject.
- Legal Obligation: Processing is necessary for compliance with a legal obligation.
- Vital Interests: Processing is necessary to protect the vital interests of the data subject or another natural person.
- Public Task: Processing is necessary to perform a task in the public interest or exercise official authority.
- Legitimate Interests: Processing is necessary for the legitimate interests of the controller or a third party, unless overridden by the data subject’s rights and freedoms.
5. Data Security and Protection
- Security Measures: Data controllers and processors must implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
- Data Protection Impact Assessment (DPIA): DPIAs must be conducted for high-risk processing activities.
- Breach Notification: Data controllers must notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. Where the breach is likely to result in a high risk to those rights and freedoms, affected data subjects must also be informed without undue delay. Processors must notify the controller without undue delay after becoming aware of a breach.
6. Compliance and Penalties
- Data Protection Officer (DPO): Certain organizations must appoint a DPO to oversee data protection strategies and their implementation, including public authorities and organizations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data.
- Penalties: Organizations in breach of the GDPR can be fined up to €20 million or 4% of their total worldwide annual turnover for the preceding financial year, whichever is higher. A lower tier of up to €10 million or 2% of worldwide annual turnover applies to less severe infringements, such as failures in security measures, record-keeping, or breach notification.