GDPR Compliance

Effective Date: January 1, 2024
Last Updated: January 1, 2024

1. Introduction to GDPR Compliance

GrowthyW is committed to protecting the privacy and personal data of all individuals, particularly those in the European Union. This document outlines our compliance with the General Data Protection Regulation (GDPR) and your rights under this regulation.

2. Legal Basis for Data Processing

We process personal data based on the following legal grounds under Article 6 of the GDPR:

2.1 Consent (Article 6(1)(a))

• Marketing communications
• Non-essential cookies
• Optional data collection
• Market research participation

2.2 Contract Performance (Article 6(1)(b))

• Digital marketing service delivery
• Account management
• Payment processing
• Customer support
• Advertising campaign management

2.3 Legal Obligation (Article 6(1)(c))

• Tax reporting
• Regulatory compliance
• Legal proceedings
• Accounting record retention

2.4 Legitimate Interest (Article 6(1)(f))

• Website security
• Fraud prevention
• Business analytics
• Service improvement
• Direct business communications

3. Your Rights Under GDPR

As a data subject, you have the following rights:

3.1 Right of Access (Article 15)

You have the right to:

• Know whether we process your personal data
• Access your personal data
• Receive information about processing activities
• Obtain a copy of your data

How to exercise: Contact our Data Protection Officer at privacy@growthyw.com

3.2 Right to Rectification (Article 16)

You have the right to:

• Correct inaccurate personal data
• Complete incomplete personal data
• Update outdated information

How to exercise: Update your account settings or contact us directly

3.3 Right to Erasure (Article 17)

You have the right to request deletion of your personal data when:

• Data is no longer necessary for the original purpose
• You withdraw consent
• Data has been unlawfully processed
• Legal obligation requires deletion

How to exercise: Submit a deletion request to privacy@growthyw.com

3.4 Right to Restrict Processing (Article 18)

You can request restriction of processing when:

• You contest the accuracy of data
• Processing is unlawful but you don't want deletion
• We no longer need the data but you need it for legal claims
• You object to processing pending verification

3.5 Right to Data Portability (Article 20)

You have the right to:

• Receive your data in a structured, machine-readable format
• Transmit your data to another controller
• Have data transmitted directly when technically feasible

3.6 Right to Object (Article 21)

You can object to processing based on:

• Legitimate interests
• Direct marketing
• Scientific or historical research
• Statistical purposes

3.7 Rights Related to Automated Decision-Making (Article 22)

You have the right not to be subject to decisions based solely on automated processing, including profiling, which produces legal effects or significantly affects you.

4. Data Protection Measures

4.1 Technical Safeguards

• Encryption: Data encrypted in transit and at rest
• Access Controls: Role-based access to personal data
• Authentication: Multi-factor authentication for admin access
• Monitoring: Continuous monitoring for security threats
• Backup Security: Encrypted and secure data backups

4.2 Organizational Safeguards

• Staff Training: Regular GDPR training for all employees
• Data Protection Officer: Designated DPO for compliance oversight
• Privacy by Design: Privacy considerations in all new projects
• Vendor Management: GDPR compliance requirements for all vendors
• Documentation: Comprehensive records of processing activities

4.3 Data Minimization

We implement data minimization by:

• Collecting only necessary personal data
• Limiting data retention periods
• Regular data audits and cleanup
• Purpose limitation for data use

5. International Data Transfers

5.1 Transfer Mechanisms

When transferring data outside the EU, we use:

• Adequacy Decisions: Transfers to countries with adequate protection
• Standard Contractual Clauses: EU-approved contract terms
• Binding Corporate Rules: Internal data transfer rules
• Certification Schemes: Approved certification mechanisms

5.2 Third-Party Processors

We ensure all third-party processors:

• Provide adequate data protection
• Sign data processing agreements
• Comply with GDPR requirements
• Implement appropriate security measures

6. Data Breach Procedures

6.1 Breach Detection

We have systems in place to detect breaches within 72 hours through:

• Automated monitoring systems
• Regular security audits
• Staff reporting procedures
• Third-party security assessments

6.2 Breach Notification

In case of a data breach, we will:

• Notify supervisory authorities within 72 hours
• Inform affected individuals without undue delay
• Document the breach and response actions
• Implement measures to prevent future breaches

6.3 Breach Response

Our breach response includes:

• Immediate containment of the breach
• Assessment of risks to individuals
• Implementation of remedial measures
• Communication with stakeholders
• Review and improvement of security measures

7. Privacy Impact Assessments

We conduct Privacy Impact Assessments (PIAs) for:

• New processing activities with high risk
• Systematic monitoring of public areas
• Large-scale processing of special categories
• Automated decision-making with legal effects
• New technologies with privacy implications

8. Data Retention

8.1 Retention Periods

Data Type	Retention Period	Legal Basis
Account Information	Duration of relationship + 7 years	Contract/Legal
Marketing Data	Until consent withdrawn	Consent
Website Analytics	26 months	Legitimate Interest
Financial Records	7 years	Legal Obligation
Support Tickets	3 years	Legitimate Interest
Campaign Data	3 years	Contract

8.2 Deletion Procedures

We have automated and manual procedures to:

• Delete data when retention periods expire
• Respond to deletion requests
• Securely destroy physical records
• Verify complete data removal

9. Children's Data Protection

We do not knowingly process personal data of children under 16 without parental consent. If we discover such processing, we will:

• Immediately cease processing
• Delete the data
• Notify parents/guardians
• Implement additional safeguards

10. Supervisory Authority

Our lead supervisory authority is: Spanish Data Protection Agency (AEPD)

• Address: C/ Jorge Juan, 6, 28001 Madrid
• Website: www.aepd.es
• Email: consultas@aepd.es

You have the right to lodge a complaint with any supervisory authority in the EU.

11. Data Protection Officer

Our Data Protection Officer can be reached at:

Data Protection Officer

• Email: dpo@growthyw.com
• Address: [DPO Address]
• Phone: [DPO Phone]

The DPO is responsible for:

• Monitoring GDPR compliance
• Conducting privacy impact assessments
• Serving as contact point for supervisory authorities
• Providing data protection training
• Handling data subject requests

12. Regular Compliance Reviews

We conduct regular reviews of our GDPR compliance:

• Monthly: Data processing activity reviews
• Quarterly: Security measure assessments
• Annually: Comprehensive compliance audits
• As needed: Impact assessments for new processing

13. Updates to GDPR Compliance

We regularly update our GDPR compliance measures to reflect:

• Changes in data processing activities
• New legal requirements
• Guidance from supervisory authorities
• Best practice developments
• Technology changes

14. Contact Information

For GDPR-related inquiries, please contact:

Privacy Team

• Email: privacy@growthyw.com
• Subject Line: "GDPR Inquiry"
• Response Time: Within 30 days

Data Subject Requests

• Email: requests@growthyw.com
• Subject Line: "Data Subject Request"
• Response Time: Within 30 days (1 month)

---

This GDPR compliance document was last updated on January 1, 2024 and is reviewed regularly to ensure continued compliance with applicable regulations.