GDPR Compliance

1. Our Commitment to GDPR

As a global digital trust platform, ACTAVOUCH recognizes the importance of data protection and privacy rights. We have implemented comprehensive measures to ensure full compliance with GDPR requirements, protecting the personal data of all EU residents who use our services.

Key Compliance Areas

• Lawful Basis: All data processing activities have clearly defined lawful bases under GDPR Article 6
• Data Minimization: We collect only the minimum data necessary for service provision
• Purpose Limitation: Personal data is used only for specified, explicit, and legitimate purposes
• Accuracy: We maintain accurate and up-to-date personal information
• Storage Limitation: Data is retained only as long as necessary for legitimate purposes
• Security: Appropriate technical and organizational measures protect your data

2. Your Rights Under GDPR

As a data subject under GDPR, you have specific rights regarding your personal data. ACTAVOUCH respects and facilitates the exercise of these rights:

3. Exercising Your Rights

How to Submit Requests

You can exercise your GDPR rights through multiple channels:

• Account Dashboard: Many rights can be exercised directly through your account settings
• Email Requests: Send detailed requests to our Data Protection Officer
• Support Portal: Submit tickets through our customer support system
• Written Requests: Send formal written requests to our registered address

Request Processing

• Response Time: We respond to requests within 30 days (extendable to 60 days for complex requests)
• Identity Verification: We may request additional information to verify your identity
• Free of Charge: Most requests are processed without charge (fees may apply for excessive requests)
• Status Updates: We provide regular updates on request processing status

4. Lawful Bases for Processing

We process personal data under the following lawful bases as defined in GDPR Article 6:

Contract Performance (Article 6(1)(b))

• Processing necessary to perform our service agreements with you
• Account management and service delivery
• Transaction processing and escrow services
• Identity verification for security purposes

Legitimate Interests (Article 6(1)(f))

• Fraud prevention and platform security
• Analytics and service improvement
• Direct marketing communications (with opt-out options)
• Network and information security

Legal Obligation (Article 6(1)(c))

• Anti-money laundering (AML) compliance
• Know Your Customer (KYC) requirements
• Tax reporting obligations
• Regulatory reporting and compliance

Consent (Article 6(1)(a))

• Marketing communications and newsletters
• Optional data processing activities
• Cookies and tracking technologies (non-essential)
• Data sharing with third parties for enhanced services

5. Special Categories of Data

We may process special categories of personal data under specific circumstances:

Biometric Data

• Purpose: Identity verification and fraud prevention
• Legal Basis: Explicit consent and substantial public interest
• Safeguards: Encrypted storage and limited access controls
• Retention: Deleted upon account closure or consent withdrawal

Financial Information

• Purpose: Transaction processing and regulatory compliance
• Legal Basis: Contract performance and legal obligations
• Protection: PCI DSS compliance and encryption
• Sharing: Limited to authorized payment processors and regulators

6. International Data Transfers

ACTAVOUCH may transfer personal data outside the European Economic Area (EEA) under appropriate safeguards:

Transfer Mechanisms

• Adequacy Decisions: Transfers to countries with adequacy decisions from the European Commission
• Standard Contractual Clauses: EU-approved contractual protections for international transfers
• Binding Corporate Rules: Internal policies ensuring consistent data protection standards
• Certification Schemes: Participation in recognized privacy certification programs

Transfer Safeguards

• Due diligence assessments of transfer risks
• Additional contractual protections where necessary
• Regular monitoring of transfer arrangements
• Suspension of transfers if adequate protection cannot be ensured

7. Data Protection Impact Assessments

We conduct Data Protection Impact Assessments (DPIAs) for high-risk processing activities:

DPIA Triggers

• Systematic monitoring of public areas
• Large-scale processing of special categories of data
• Automated decision-making with legal effects
• New technologies or innovative processing methods

DPIA Process

• Risk Assessment: Identification and evaluation of privacy risks
• Mitigation Measures: Implementation of appropriate safeguards
• Consultation: Engagement with stakeholders and experts
• Documentation: Comprehensive records of assessment outcomes

8. Privacy by Design and Default

ACTAVOUCH implements privacy by design and default principles:

Technical Measures

• Data Minimization: Systems collect only necessary data
• Purpose Binding: Data processing limited to specified purposes
• Accuracy: Automated data quality checks and validation
• Storage Limitation: Automated data retention and deletion

Organizational Measures

• Staff Training: Regular GDPR training for all employees
• Privacy Policies: Clear internal policies and procedures
• Vendor Management: Privacy requirements in supplier contracts
• Incident Response: Procedures for data breach notification

9. Data Breach Notification

We have robust procedures for detecting, investigating, and reporting data breaches:

Detection and Response

• 24/7 Monitoring: Continuous security monitoring and alerting
• Incident Team: Dedicated team for breach investigation and response
• Impact Assessment: Rapid evaluation of breach severity and consequences
• Containment: Immediate measures to limit breach impact

Notification Timeline

• Supervisory Authority: Notification within 72 hours of awareness
• Data Subjects: Notification without undue delay if high risk exists
• Documentation: Comprehensive records of all breach incidents
• Follow-up: Ongoing communication and remediation efforts

10. Supervisory Authority

You have the right to lodge complaints with supervisory authorities:

EU Lead Supervisory Authority

Irish Data Protection Commission
21 Fitzwilliam Square South
Dublin 2, D02 RD28, Ireland
Phone: +353 57 868 4800
Email: info@dataprotection.ie

Your Local Authority

You may also contact the supervisory authority in your EU member state. Find your local authority at: https://edpb.europa.eu/about-edpb/about-edpb/members_en

11. Regular Compliance Reviews

We conduct regular reviews to ensure ongoing GDPR compliance:

Internal Audits

• Quarterly privacy compliance assessments
• Annual comprehensive GDPR audits
• Continuous monitoring of processing activities
• Regular updates to privacy documentation

External Validation

• Independent privacy audits by certified professionals
• ISO 27001 and SOC 2 Type II compliance certifications
• Participation in industry privacy frameworks
• Regular legal review of compliance measures

12. Data Protection Officer

ACTAVOUCH has appointed a qualified Data Protection Officer (DPO) to oversee GDPR compliance:

DPO Responsibilities

• Monitoring compliance with GDPR requirements
• Conducting privacy impact assessments
• Serving as contact point for supervisory authorities
• Providing guidance on data protection matters
• Training staff on privacy obligations