This Privacy Policy explains how GDPRRegulation.eu (“we”, “us”, “our”) processes personal data in connection with the website
gdprregulation.eu (“Website”) and any related services, resources, tools, and communications (together, the “Services”).
We are committed to full compliance with the EU General Data Protection Regulation (Regulation (EU) 2016/679 – “GDPR”) and any applicable
national data protection laws. This Policy is intentionally detailed and written to reflect best-practice standards so that our processing
is transparent, lawful, and accountable.
1. Data Controller and Contact Details
The data controller responsible for the processing of personal data in connection with this Website is:
GDPRregulation.eu
Email: admin @ gdprregulation.eu
If you have any questions about this Privacy Policy or our data protection practices, you can contact us using the details above.
2. Data Protection Officer (DPO)
We have appointed a Data Protection Officer (“DPO”) to oversee our GDPR compliance and act as a central point of contact for data subjects
and supervisory authorities.
DPO: Tara Coleman
Email: admin @ gdprregulation.eu
You may contact our DPO for any issues regarding this Privacy Policy, our processing of personal data, or the exercise of your rights under the GDPR.
3. Scope and Who This Policy Applies To
This Privacy Policy applies to:
- Visitors to our Website;
- Individuals who contact us via contact forms, email, telephone, or social media;
- Subscribers to our newsletters, guides, tools, or other resources;
- Users of any free or paid audits, assessments, or tools we may offer via the Website;
- Representatives of customers, partners, or suppliers with whom we interact in a business context.
This Policy does not apply to processing carried out by third parties that we do not control. Where you interact with
third-party websites or services (for example, via links or embedded content), their own privacy policies will apply.
4. Categories of Personal Data We Process
Depending on how you interact with us, we may process the following categories of personal data:
4.1 Identification and Contact Data
- Name, title, job title or role;
- Business name and contact details;
- Email address, telephone number, postal address;
- Country of residence and/or country of business.
4.2 Website Usage and Technical Data
- IP address;
- Device identifiers (such as browser type, operating system, device type);
- Log data (pages visited, access dates and times, referring website);
- Approximate geographic location (based on IP address);
- Cookie identifiers and similar technologies (where applicable, see Section 9).
4.3 Communication and Interaction Data
- Content of emails and messages you send to us;
- Contact form submissions and support requests;
- Record of your preferences (such as newsletter subscription and consent choices).
4.4 Audit and Assessment Data
If you use any GDPR audit or assessment tools on the Website (for example, to perform a website scan, compliance snapshot, or self-assessment),
we may process:
- The URL(s) or domain(s) you submit for analysis;
- Information you provide about your organisation (size, sector, jurisdiction);
- Answers to questionnaires, form fields, or checklists;
- Generated reports or scores relating to your GDPR readiness based on the inputs you provide.
4.5 Marketing and Preference Data
- Newsletter subscription status;
- Marketing preferences and communication history;
- Engagement data relating to our emails (e.g. opens, clicks), where permitted by law.
5. Sources of Personal Data
We primarily obtain personal data directly from you when you:
- Visit and use our Website;
- Submit forms, subscribe to updates, or request resources;
- Contact us by email, telephone, or other channels;
- Use our audits, tools, or assessments.
We may also receive personal data from:
- Publicly available sources (e.g., commercial registers, professional websites);
- Business partners or service providers acting on our instructions;
- Analytics or marketing tools (for aggregated statistics and performance insights).
6. Purposes and Legal Bases for Processing
We process personal data only where we have a valid legal basis under Article 6 GDPR (and, where applicable, Article 9 for special categories of data).
Below we explain the purposes of our processing and the corresponding legal bases.
6.1 Operating and Securing the Website
Purposes:
- Providing access to and functionality of the Website and Services;
- Ensuring security, integrity, and availability of our systems;
- Preventing fraud, abuse, and unauthorised access;
- Monitoring performance, troubleshooting, and resolving technical issues.
Legal bases: Article 6(1)(f) GDPR – legitimate interests (operating a secure and functional Website).
6.2 Responding to Enquiries and Providing Support
Purposes:
- Responding to your requests, questions, and support queries;
- Managing our relationship with you and communicating important information.
Legal bases: Article 6(1)(b) GDPR – performance of a contract or steps prior to entering a contract; and/or Article 6(1)(f) GDPR –
legitimate interests (efficient communication and service).
6.3 Providing Audits, Assessments, and Tools
Purposes:
- Delivering website scans, compliance snapshots, or other GDPR-related assessments;
- Generating reports and recommendations based on your inputs;
- Improving the accuracy and relevance of our tools and resources.
Legal bases: Article 6(1)(b) GDPR – performance of a contract or steps prior to entering a contract; and Article 6(1)(f) GDPR –
legitimate interests (improving and refining our services).
6.4 Newsletters, Updates, and Educational Content
Purposes:
- Sending you newsletters, updates, and educational resources about GDPR and data protection;
- Informing you about new tools, features, or events relevant to GDPR compliance.
Legal bases: Article 6(1)(a) GDPR – your consent (where required); and/or Article 6(1)(f) GDPR – legitimate interests
(providing relevant, professional content to our audience).
You can withdraw consent or object to marketing at any time (see Section 12).
6.5 Analytics and Performance Measurement
Purposes:
- Understanding how our Website is used and which content is most valuable;
- Optimising user experience, information architecture, and content;
- Producing aggregated statistics that help us improve our Services.
Legal bases: Article 6(1)(a) GDPR – consent for non-essential cookies/analytics; and Article 6(1)(f) GDPR – legitimate interests
for strictly necessary analytics (such as basic server logs required for security).
6.6 Compliance, Legal Claims, and Risk Management
Purposes:
- Complying with legal obligations and regulatory requirements;
- Establishing, exercising, or defending legal claims;
- Cooperating with supervisory authorities and law enforcement, where required by law.
Legal bases: Article 6(1)(c) GDPR – compliance with legal obligations; Article 6(1)(f) GDPR – legitimate interests
(protection of our rights and the rights of others).
7. Special Categories of Personal Data
We do not intentionally process special categories of personal data (such as health, political opinions, religious beliefs, or data concerning criminal convictions)
via this Website. If, in exceptional cases, such information is shared with us (e.g., spontaneously in communications), we will process it only where a legal basis under
Article 9 GDPR applies, such as Article 9(2)(f) – the establishment, exercise, or defence of legal claims – and will apply enhanced safeguards.
8. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes set out in this Policy, unless a longer retention period is required or permitted by law.
Retention periods are determined based on criteria such as:
- Duration of your relationship with us;
- Legal limitation periods for potential claims;
- Regulatory retention requirements;
- Operational needs (e.g., keeping records of consents or audits performed).
By way of example (non-exhaustive):
- Contact and enquiry data: typically kept for up to [X] years after the last interaction, unless needed longer for legal reasons;
- Newsletter subscription data: kept until you unsubscribe or we cease sending newsletters;
- Technical logs and security data: kept for a short period (usually a few weeks or months), unless required longer for incident investigation;
- Audit and assessment reports: kept for up to [Y] years from completion, unless otherwise agreed or required by law.
Once data is no longer needed, it will be securely deleted, anonymised, or aggregated so that it can no longer be linked to an identifiable individual.
9. Cookies and Similar Technologies
Our Website may use cookies and similar technologies (such as pixels and local storage) to enable essential functions, improve performance,
and understand how our content is used.
We distinguish between:
- Strictly necessary cookies: required for basic site operation and security. These are set on the basis of our legitimate interests and do not require consent.
- Preference and functional cookies: used to remember your settings and enhance usability. These may require your consent depending on the jurisdiction.
- Analytics and performance cookies: help us understand how visitors use the Website (e.g., pages visited, time spent). These are only placed with your consent, where required by law.
- Marketing cookies: used for tracking and personalisation across sites. We do not deploy such cookies without explicit consent.
When you first visit our Website, you will be presented with a cookie banner or consent management tool that allows you to accept, reject,
or customise your cookie preferences. You can change your preferences at any time via the cookie settings link [insert location or mechanism].
For more detailed information, please refer to our dedicated Cookie Policy [link to Cookie Policy].
10. Recipients of Personal Data
We may share personal data with the following categories of recipients, strictly on a need-to-know basis:
- Service providers (processors): such as hosting providers, IT and security vendors, email and newsletter platforms, analytics providers, and professional advisers who act on our instructions and are bound by confidentiality and data processing agreements.
- Professional advisers: such as lawyers, accountants, or consultants, where necessary for legal, compliance, or business purposes.
- Supervisory authorities and public bodies: where required by law or in connection with legal proceedings.
- Business partners: in carefully controlled circumstances where we jointly offer services or content, and only where appropriate contractual and privacy safeguards are in place.
We do not sell or rent your personal data to third parties.
11. International Data Transfers
As a rule, we aim to store and process personal data within the European Economic Area (“EEA”). However, some of our service providers or partners may be located outside the EEA.
Where this results in international transfers of personal data, we ensure that appropriate safeguards are in place in accordance with Chapter V of the GDPR, such as:
- Transfers to countries that have been formally recognised by the European Commission as providing an adequate level of data protection;
- Use of Standard Contractual Clauses (SCCs) adopted by the European Commission, supplemented by additional technical and organisational measures where required;
- Other lawful transfer mechanisms under the GDPR.
You may contact us for further details on the specific safeguards applied to your data in the context of international transfers.
12. Your Rights Under the GDPR
As a data subject, you have the following rights under the GDPR, subject to the conditions and limitations set out in the Regulation:
- Right of access (Article 15): to obtain confirmation as to whether we process your personal data and to receive a copy of that data, along with certain information.
- Right to rectification (Article 16): to request correction of inaccurate or incomplete personal data.
- Right to erasure (Article 17): to request deletion of your personal data where there is no legal basis for us to continue processing it (“right to be forgotten”).
- Right to restriction of processing (Article 18): to request that we restrict processing in certain circumstances (e.g., where accuracy is contested).
- Right to data portability (Article 20): to receive personal data you have provided to us in a structured, commonly used, and machine-readable format, and to transmit that data to another controller where technically feasible.
- Right to object (Article 21): to object, on grounds relating to your particular situation, to processing based on our legitimate interests, including profiling. You also have an absolute right to object to direct marketing at any time.
- Rights related to automated decision-making (Article 22): to not be subject to decisions based solely on automated processing, including profiling, which produce legal effects concerning you or similarly significantly affect you, unless certain conditions are met.
Where processing is based on your consent (Article 6(1)(a) GDPR), you have the right to withdraw that consent at any time, without affecting the lawfulness of processing carried out before withdrawal.
How to exercise your rights
You can exercise your rights by contacting us or our DPO using the details in Sections 1 and 2. To protect your privacy and maintain security, we may require you to verify your identity before responding to your request.
We will respond without undue delay and in any event within one month of receiving a valid request, subject to any permissible extension under Article 12 GDPR.
13. Right to Lodge a Complaint with a Supervisory Authority
If you believe that your data protection rights have been violated, you have the right to lodge a complaint with the competent supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement (Article 77 GDPR).
We would, however, appreciate the opportunity to address your concerns directly before you approach a supervisory authority, so please contact us in the first instance.
14. Security of Personal Data
We implement appropriate technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.
These measures include, where appropriate:
- Secure hosting environments and firewalls;
- Encryption in transit and/or at rest;
- Access controls and authentication procedures;
- Regular security updates and patching;
- Back-up and disaster recovery procedures;
- Employee and contractor confidentiality obligations;
- Policies and training on data protection and information security.
While we take security seriously, no method of transmission or storage is entirely risk-free. We therefore cannot guarantee absolute security, but we do continuously review and enhance our safeguards.
15. Children’s Data
Our Website and Services are not directed at children under the age of 16, and we do not knowingly collect personal data from children.
If you are a parent or guardian and believe that your child has provided personal data to us, please contact us so that we can take appropriate steps to delete such data if required.
16. Automated Decision-Making and Profiling
We do not use personal data to engage in decision-making based solely on automated processing that produces legal effects concerning you or similarly significantly affects you within the meaning of Article 22 GDPR.
If this changes, we will update this Policy and provide all information required by the GDPR, including your related rights.
17. Links to Other Websites
Our Website may contain links to third-party websites, plug-ins, or services. Clicking on those links or enabling those connections may allow third parties to collect or share data about you.
We do not control these third-party websites and are not responsible for their privacy practices. We encourage you to read the privacy policy of every website you visit.
18. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or industry standards.
The “Last updated” date at the top of this page indicates when this Policy was last revised.
We encourage you to review this Policy regularly. Where changes are material, we may also notify you by email or by displaying a prominent notice on the Website.
19. Contact
If you have any questions, concerns, or requests regarding this Privacy Policy, our processing of your personal data, or your rights, please contact:
GDPRRegulation.eu
Email: admin @ gdprregulation.eu
Important: This Privacy Policy template is provided for general informational purposes and to reflect high standards of GDPR compliance.
It does not constitute legal advice. You should adapt it to your actual data processing activities and have it reviewed by qualified legal counsel in your jurisdiction before publishing it.