GDPR Compliance
General Data Protection Regulation (EU) 2016/679
Last updated: 10/16/2025
Our Commitment to GDPR Compliance
Conecxt is fully committed to complying with the General Data Protection Regulation (GDPR) and protecting the fundamental rights and freedoms of individuals within the European Union. We implement comprehensive technical and organizational measures to ensure that all personal data processing meets GDPR requirements.
Data Controller Information:
Company: Conecxt
Data Protection Officer (DPO): dpo@conecxt.com
GDPR Inquiries: gdpr@conecxt.com
Address: [Your Company Address]
GDPR Principles We Follow
We process personal data in accordance with the six GDPR principles:
1. Lawfulness, Fairness, and Transparency
We process personal data lawfully, fairly, and transparently. We inform you about data collection and processing activities through our Privacy Policy.
2. Purpose Limitation
We collect personal data for specified, explicit, and legitimate purposes. We do not process data in ways incompatible with those purposes.
3. Data Minimization
We collect only the data that is adequate, relevant, and limited to what is necessary for the purposes for which it is processed.
4. Accuracy
We take reasonable steps to ensure personal data is accurate and up to date. You can request corrections at any time.
5. Storage Limitation
We retain personal data only for as long as necessary for the purposes for which it was collected, in accordance with our retention policy.
6. Integrity and Confidentiality
We implement appropriate security measures to protect personal data against unauthorized access, loss, destruction, or damage.
Your Rights Under GDPR
As a data subject under GDPR, you have the following rights:
1. Right to Access (Article 15)
You have the right to obtain:
- Confirmation of whether we process your personal data
- Access to your personal data
- Information about how we process your data
- Copies of your personal data (first copy free of charge)
2. Right to Rectification (Article 16)
You have the right to request correction of inaccurate personal data and completion of incomplete data.
3. Right to Erasure / "Right to be Forgotten" (Article 17)
You have the right to request deletion of your personal data when:
- Data is no longer necessary for the purposes for which it was collected
- You withdraw consent and there's no other legal basis for processing
- You object to processing and there are no overriding legitimate grounds
- Data has been unlawfully processed
- Legal obligation requires erasure
4. Right to Restriction of Processing (Article 18)
You can request restriction of processing when:
- Accuracy of data is contested
- Processing is unlawful but you prefer restriction to erasure
- We no longer need the data but you need it for legal claims
- You've objected to processing pending verification of legitimate grounds
5. Right to Data Portability (Article 20)
You have the right to:
- Receive your personal data in a structured, commonly used, machine-readable format
- Transmit your data to another controller without hindrance
- Request direct transmission between controllers where technically feasible
6. Right to Object (Article 21)
You have the right to object to:
- Processing based on legitimate interests or public interest
- Direct marketing (including profiling for marketing purposes)
- Processing for scientific, historical research, or statistical purposes
7. Rights Related to Automated Decision-Making and Profiling (Article 22)
You have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal effects or similarly significant effects.
8. Right to Withdraw Consent (Article 7)
Where processing is based on consent, you have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
9. Right to Lodge a Complaint (Article 77)
You have the right to lodge a complaint with a supervisory authority, particularly in the EU member state where you reside, work, or where the alleged infringement occurred.
How to Exercise Your Rights
Submit a Request
To exercise any of your GDPR rights, please contact us:
- Email: gdpr@conecxt.com or dpo@conecxt.com
- Subject Line: "GDPR Rights Request - [Specify Right]"
- Include: Your name, contact information, account details, and specific request
Response Timeline
We will respond to your request within one month of receipt. If your request is complex or we receive multiple requests, we may extend this period by two additional months. We will inform you of any extension within one month of receiving your request.
Verification
To protect your privacy, we may request additional information to verify your identity before responding to rights requests. This may include asking for identification documents or account verification questions.
Legal Bases for Processing
We process personal data under the following legal bases:
Consent (Article 6(1)(a)): Marketing communications, non-essential cookies, WhatsApp messaging (explicit opt-in)
Contract Performance (Article 6(1)(b)): Account management, service delivery, billing
Legal Obligation (Article 6(1)(c)): Tax records, compliance with legal requirements
Legitimate Interests (Article 6(1)(f)): Fraud prevention, security, service improvement, analytics
Data Security Measures
We implement technical and organizational measures to ensure data security:
Technical Measures
- End-to-end encryption for sensitive communications
- SSL/TLS encryption for data in transit
- AES-256 encryption for data at rest
- Multi-factor authentication
- Regular security audits and penetration testing
- Automated backup systems with encryption
- Intrusion detection and prevention systems
Organizational Measures
- Access controls based on the least-privilege principle
- Employee training on GDPR and data protection
- Data Protection Impact Assessments (DPIAs) for high-risk processing
- Incident response and data breach notification procedures
- Regular review and update of security policies
- Third-party vendor security assessments
- Data Processing Agreements with all processors
Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach
- Notify affected individuals without undue delay if the breach is likely to result in high risk
- Document all data breaches and their effects
- Implement measures to mitigate potential adverse effects
International Data Transfers
When transferring personal data outside the European Economic Area (EEA), we ensure adequate safeguards:
- Standard Contractual Clauses (SCCs): EU Commission-approved clauses for data transfers
- Adequacy Decisions: Transfers to countries recognized by the EU Commission as providing adequate protection
- Binding Corporate Rules: For intra-group transfers within multinational organizations
- Data Processing Agreements: Contracts with all third-party processors
Children's Data
We do not knowingly process personal data of children under 16 years of age without parental consent. If you believe we have collected data from a child without proper consent, please contact us immediately at gdpr@conecxt.com.
Supervisory Authority Contact Information
If you believe we have violated your GDPR rights or you are not satisfied with our response, you have the right to lodge a complaint with a supervisory authority:
European Data Protection Board:
Website: https://edpb.europa.eu
Find Your National Supervisory Authority:
List of EU Data Protection Authorities
UK Information Commissioner's Office (ICO):
Website: https://ico.org.uk
Email: casework@ico.org.uk
Phone: 0303 123 1113
Contact Information
For GDPR-related questions, requests, or concerns:
GDPR Requests: gdpr@conecxt.com
Data Protection Officer: dpo@conecxt.com
Privacy Inquiries: privacy@conecxt.com
Phone: [Your Phone Number]
Address: [Your Company Address]
This document complies with Regulation (EU) 2016/679.
Version 2.0 - Effective: 10/16/2025