GDPR Compliance
We are committed to protecting the personal data of EU/EEA residents in full compliance with the General Data Protection Regulation (GDPR). Learn about your rights and how we safeguard your information.
⚡Quick Summary — GDPR at a Glance
Here's the short version of how we approach GDPR compliance:
1Introduction to GDPR
The General Data Protection Regulation (GDPR) is a comprehensive data protection law that came into effect on May 25, 2018. It regulates how organizations process the personal data of individuals residing in the European Union (EU) and European Economic Area (EEA).
1.1 What is GDPR?
GDPR is Regulation (EU) 2016/679 of the European Parliament and of the Council. It establishes:
- Rules for the processing of personal data
- Rights for individuals regarding their personal data
- Obligations for organizations that process personal data
- Significant penalties for non-compliance (up to €20 million or 4% of global turnover)
1.2 Who Does GDPR Apply To?
GDPR applies to:
- Data Subjects: Individuals residing in the EU/EEA, regardless of nationality
- Data Controllers: Organizations that determine the purposes and means of processing
- Data Processors: Organizations that process data on behalf of controllers
- Geographic Scope: Any organization offering goods/services to EU/EEA residents
1.3 Our Commitment
Debasis Bhattacharjee is fully committed to GDPR compliance. We:
- Process personal data lawfully, fairly, and transparently
- Collect data only for specified, explicit, and legitimate purposes
- Ensure data is adequate, relevant, and limited to what is necessary
- Maintain data accuracy and keep it up to date
- Retain data only as long as necessary
- Implement appropriate security measures
- Respect and facilitate your GDPR rights
This GDPR Compliance page should be read in conjunction with our Privacy Policy, which provides comprehensive details about our data practices. This page specifically addresses GDPR requirements for EU/EEA residents.
2Data Controller Information
Under GDPR, the data controller is the entity that determines the purposes and means of processing personal data.
2.1 Data Controller Details
| Field | Information |
|---|---|
| Business Name | Debmedia Technologies LLP |
| Proprietor | Debasis Bhattacharjee |
| Registered Location | West Bengal, India |
| Website | https://www.debasisbhattacharjee.com |
| privacy@debasisbhattacharjee.com |
2.2 Representative in the EU
As we are based outside the EU but process data of EU residents, we have appointed (or are in the process of appointing) an EU representative in accordance with Article 27 GDPR.
- Status: Under appointment process
- Contact: eu-representative@debasisbhattacharjee.com
- Purpose: To serve as a point of contact for EU data subjects and supervisory authorities
2.3 Data Protection Officer (DPO)
For GDPR-related inquiries, you can contact our Data Protection Officer:
- Email: dpo@debasisbhattacharjee.com
- Role: Oversees GDPR compliance, handles data subject requests
- Response Time: Within 30 days as required by GDPR
2.4 Data Processors We Use
We engage third-party data processors who process personal data on our behalf:
- Cloud Hosting Providers: For website hosting and data storage
- Email Service Providers: For email communications
- Payment Processors: For transaction processing
- Analytics Providers: For website analytics
All data processors are contractually bound to GDPR compliance through Data Processing Agreements (DPAs).
3Legal Basis for Processing
Under GDPR Article 6, personal data can only be processed if at least one of the following lawful bases applies:
3.1 Consent (Article 6(1)(a))
We process your data based on your explicit consent for:
- Marketing communications and newsletters
- Non-essential cookies and tracking
- Sharing data with third parties (where not otherwise required)
- Participation in surveys, contests, or promotions
You can withdraw consent at any time through your account settings or by contacting us.
3.2 Contract Performance (Article 6(1)(b))
Processing is necessary to fulfill our contractual obligations with you:
- Creating and managing your account
- Processing orders and delivering services
- Providing customer support
- Processing payments
3.3 Legal Obligation (Article 6(1)(c))
We process data to comply with legal obligations:
- Tax and accounting requirements
- Responding to legal requests
- Fraud prevention and detection
- Compliance with consumer protection laws
3.4 Legitimate Interest (Article 6(1)(f))
We process data where necessary for our legitimate interests:
- Website security: Protecting against fraud and abuse
- Business operations: Improving services and user experience
- Communications: Sending service-related notifications
- Analytics: Understanding website usage patterns
We balance our legitimate interests against your rights and freedoms to ensure fairness.
3.5 Vital Interests (Article 6(1)(d))
In rare cases, processing may be necessary to protect vital interests:
- Emergency situations involving life or death
- Preventing serious harm to individuals
3.6 Public Task (Article 6(1)(e))
Not applicable to our operations.
We clearly identify the legal basis for each processing activity and inform you at the point of data collection. Our Privacy Policy provides detailed information about specific processing activities and their legal bases.
4Your GDPR Rights
Under GDPR, you have comprehensive rights regarding your personal data. We are committed to respecting and facilitating these rights.
4.1 How to Exercise Your Rights
To exercise any of your GDPR rights:
- Email us: dpo@debasisbhattacharjee.com or privacy@debasisbhattacharjee.com
- Subject Line: "GDPR Rights Request - [Your Request Type]"
- Include: Your name, email address, account details (if applicable), and specific request
- Verification: We may request additional information to verify your identity
4.2 Response Timeline
- We will respond within one month of receiving your request
- Complex requests may be extended by two additional months with notification
- You will be informed of any delays and the reasons
- Requests are handled free of charge unless manifestly unfounded or excessive
4.3 Limitations
Some rights may be limited in certain circumstances:
- When we have a legal obligation to retain data
- For the establishment, exercise, or defense of legal claims
- When deletion would prejudice our legitimate interests
- For compliance with regulatory requirements
We take your GDPR rights seriously. If we cannot fulfill your request, we will explain why and inform you of your right to lodge a complaint with the relevant supervisory authority.
5Data We Collect
We collect only the personal data necessary to provide our services and comply with our legal obligations. Here's what we collect and why:
5.1 Categories of Personal Data
| Data Category | Examples | Purpose | Legal Basis |
|---|---|---|---|
| Identity Data | Name, username, title | Account management, personalization | Contract |
| Contact Data | Email, phone number, address | Communication, service delivery | Contract |
| Financial Data | Payment card details, billing address | Payment processing | Contract |
| Transaction Data | Purchase history, order details | Order fulfillment, customer service | Contract |
| Technical Data | IP address, browser, device info | Security, website functionality | Legitimate Interest |
| Usage Data | Pages viewed, time spent, clicks | Website improvement, analytics | Legitimate Interest |
| Marketing Data | Preferences, communication consent | Marketing communications | Consent |
| Profile Data | Interests, preferences, feedback | Personalization, service improvement | Legitimate Interest |
5.2 Special Category Data
We do NOT intentionally collect special category personal data (sensitive data) such as:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic or biometric data
- Health data
- Sex life or sexual orientation
If such data is inadvertently collected, it will be deleted immediately upon discovery.
5.3 Children's Data
Our services are not directed at children under 16 years of age (or the applicable age of consent in your country). We do not knowingly collect personal data from children. If we discover we have collected data from a child, we will delete it immediately.
5.4 Data Minimization
In accordance with GDPR principles, we:
- Collect only data that is necessary for specified purposes
- Avoid collecting excessive or irrelevant information
- Regularly review data collection practices
- Delete unnecessary data
6Data Processing Activities
We process your personal data for specific, explicit, and legitimate purposes as outlined in our Privacy Policy and this GDPR compliance page.
6.1 Purpose Limitation
We process personal data only for the purposes for which it was collected:
- Service Provision: Delivering products and services you've requested
- Communication: Responding to inquiries and providing support
- Transaction Processing: Processing payments and orders
- Security: Protecting against fraud and unauthorized access
- Legal Compliance: Meeting regulatory and legal obligations
- Service Improvement: Enhancing user experience and functionality
- Marketing: Sending promotional communications (with consent)
6.2 Automated Decision-Making and Profiling
We do NOT engage in automated decision-making that produces legal effects or similarly significantly affects you.
We may use limited profiling for:
- Personalizing website content and recommendations
- Improving marketing relevance (with consent)
- Fraud detection and prevention
You have the right to object to profiling and request human review of automated decisions.
6.3 Data Accuracy
We take steps to ensure personal data is accurate and up-to-date:
- Providing self-service account management tools
- Regularly reviewing and updating data
- Correcting inaccuracies when notified
- Deleting outdated information
6.4 Processing Records
In compliance with Article 30 GDPR, we maintain records of processing activities including:
- Name and contact details of the controller
- Purposes of processing
- Categories of data subjects and personal data
- Categories of recipients
- Details of international transfers
- Retention periods
- Security measures
We maintain transparent processing practices and are happy to provide additional information about our data processing activities upon request.
7International Data Transfers
As we are based outside the EU/EEA, your personal data may be transferred to and processed in countries that do not provide the same level of data protection as the EU.
7.1 Transfer Mechanisms
We ensure adequate protection for international data transfers through:
- Standard Contractual Clauses (SCCs): EU Commission-approved contracts with data processors (Article 46)
- Adequacy Decisions: Transfers to countries deemed adequate by the EU Commission
- Binding Corporate Rules: For transfers within corporate groups (when applicable)
- Explicit Consent: In specific circumstances where you provide informed consent
7.2 Countries We Transfer Data To
- India: Our primary operations and data storage location
- United States: Some third-party service providers (with appropriate safeguards)
- Other Countries: As necessary for service providers with SCCs in place
7.3 Safeguards for Transfers
When transferring data outside the EU/EEA, we:
- Conduct transfer impact assessments
- Implement supplementary measures where necessary
- Ensure contractual commitments from recipients
- Maintain the same security standards globally
- Monitor and review transfers regularly
7.4 Your Rights Regarding Transfers
You have the right to:
- Request information about transfers and safeguards
- Obtain a copy of relevant SCCs
- Object to transfers in certain circumstances
- Withdraw consent for transfers based on consent
7.5 Data Localization
While we cannot guarantee all data remains within the EU/EEA:
- We minimize transfers where possible
- We use EU-based service providers when feasible
- We maintain copies of essential data within the EU where required
- We comply with local data residency requirements
IMPORTANT: While we are based in India, we implement GDPR-compliant practices for all EU/EEA data subjects. Your data is protected with the same high standards regardless of where it is processed.
8Data Retention Periods
In accordance with GDPR's storage limitation principle, we retain personal data only for as long as necessary to fulfill the purposes for which it was collected.
8.1 Retention Criteria
We determine retention periods based on:
- The purpose for which the data was collected
- Legal and regulatory requirements
- Contractual obligations
- Legitimate business needs
- Your preferences and consent duration
8.2 Specific Retention Periods
| Data Type | Retention Period | Reason |
|---|---|---|
| Account Data | Until deletion + 30 days | Service provision, legal obligations |
| Transaction Records | 7 years | Tax, accounting, legal compliance |
| Marketing Consent | Until withdrawn + 90 days | Marketing communications |
| Customer Support | 3 years | Quality assurance, dispute resolution |
| Website Analytics | 26 months | Business analysis, service improvement |
| Security Logs | 1 year | Security, fraud prevention |
| Legal Claims | Duration of claim + 6 years | Legal defense |
8.3 Deletion Process
When retention periods expire:
- Data is securely deleted or anonymized beyond recovery
- Backups are overwritten within 90 days
- Physical records are shredded
- Electronic data uses secure erasure methods
- Deletion is logged and verified
8.4 Extended Retention
We may retain data beyond standard periods when:
- Required by law or regulation
- Necessary for legal claims or disputes
- Subject to legal hold or investigation
- You have explicitly requested extended retention
8.5 Right to Erasure
You can request early deletion of your data if:
- The data is no longer necessary for the original purpose
- You withdraw consent and there's no other legal basis
- You object and there are no overriding legitimate grounds
- The data has been unlawfully processed
- Legal obligations require deletion
9Data Security Measures
We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as required by Article 32 GDPR.
9.1 Technical Security Measures
- Encryption: 256-bit SSL/TLS for data in transit, AES-256 for data at rest
- Access Controls: Role-based access, multi-factor authentication
- Network Security: Firewalls, intrusion detection/prevention systems
- Secure Development: Security by design and default principles
- Regular Updates: Timely security patches and updates
- Monitoring: 24/7 security monitoring and logging
- Data Backups: Regular encrypted backups with secure storage
9.2 Organizational Security Measures
- Data Protection Policies: Comprehensive internal policies
- Employee Training: Regular GDPR and security training
- Confidentiality Agreements: All staff sign NDAs
- Access Logging: All data access is logged and reviewed
- Incident Response Plan: Documented breach response procedures
- Regular Audits: Internal and external security assessments
- Vendor Management: Due diligence on all data processors
9.3 Data Breach Notification
In the unlikely event of a data breach:
- Supervisory Authority: Notified within 72 hours (Article 33)
- Affected Individuals: Notified without undue delay if high risk (Article 34)
- Documentation: All breaches documented, even if not reported
- Mitigation: Immediate steps taken to contain and remediate
- Communication: Clear, plain language notifications
9.4 Data Protection Impact Assessments (DPIA)
We conduct DPIAs for high-risk processing activities:
- Before implementing new technologies or systems
- For large-scale processing of special category data
- When using innovative processing methods
- For systematic monitoring or profiling
9.5 Pseudonymization and Anonymization
Where appropriate, we:
- Pseudonymize data to reduce identification risks
- Anonymize data for analytics and research
- Separate identifying information from other data
- Use data minimization techniques
We continuously review and update our security measures to address emerging threats and maintain compliance with evolving security standards and GDPR requirements.
10Cookies & Tracking Technologies
We use cookies and similar tracking technologies in compliance with the ePrivacy Directive and GDPR requirements.
10.1 Cookie Consent
In accordance with EU law:
- Essential Cookies: Used without consent (strictly necessary)
- Non-Essential Cookies: Require explicit opt-in consent
- Cookie Banner: Clear information before consent
- Granular Control: Category-specific consent options
- Easy Withdrawal: Simple opt-out mechanisms
10.2 Cookie Categories
| Category | Purpose | Consent Required |
|---|---|---|
| Strictly Necessary | Essential website functionality, security | No |
| Performance | Analytics, site optimization | Yes |
| Functionality | Remember preferences, settings | Yes |
| Marketing | Targeted advertising, tracking | Yes |
10.3 Managing Cookie Preferences
You can manage cookies through:
- Cookie Settings: Access from our cookie banner or footer
- Browser Settings: Block or delete cookies directly
- Opt-Out Tools: Third-party opt-out mechanisms
- Do Not Track: We respect DNT signals where feasible
10.4 Third-Party Cookies
We use some third-party cookies:
- Google Analytics (with IP anonymization)
- Social media plugins (if you interact with them)
- Payment processors (during checkout)
Third-party cookies are subject to the privacy policies of those providers.
10.5 Detailed Cookie Information
For comprehensive cookie details, including:
- Cookie names and durations
- Specific purposes
- Third-party cookie providers
- How to opt out of specific cookies
Please refer to our detailed Cookie Policy or contact us for more information.
11Data Protection Officer
In accordance with Article 37 GDPR, we have designated a Data Protection Officer (DPO) to oversee our GDPR compliance program.
11.1 DPO Contact Information
- Email: dpo@debasisbhattacharjee.com
- Postal Address: Data Protection Officer, Debmedia Technologies LLP, West Bengal, India
- Response Time: Within 30 days as mandated by GDPR
11.2 DPO Responsibilities
Our DPO is responsible for:
- Monitoring GDPR compliance across the organization
- Advising on data protection impact assessments
- Providing training and awareness to staff
- Acting as the point of contact for data subjects
- Cooperating with supervisory authorities
- Investigating data protection concerns
- Maintaining records of processing activities
11.3 When to Contact the DPO
You should contact our DPO for:
- Exercising your GDPR rights
- Questions about how your data is processed
- Complaints about data handling
- Data breach concerns
- GDPR compliance inquiries
- General data protection questions
11.4 DPO Independence
Our DPO operates independently and:
- Reports directly to senior management
- Is not penalized for performing DPO duties
- Has sufficient resources and access
- Maintains professional confidentiality
- Is free from conflicts of interest
You can communicate directly with our DPO regarding any data protection matters. Your communications with the DPO are treated with the highest level of confidentiality.
12Complaints & Supervisory Authority
If you believe your GDPR rights have been violated, you have the right to lodge a complaint.
12.1 Internal Complaint Process
We encourage you to contact us first:
- Contact our DPO: dpo@debasisbhattacharjee.com
- Describe the Issue: Provide details of your concern
- We Investigate: We will thoroughly investigate your complaint
- Response: You will receive a detailed response within 30 days
- Resolution: We will work with you to resolve the matter
12.2 Right to Lodge a Complaint with Supervisory Authority
You have the right to lodge a complaint with a supervisory authority, particularly in:
- Your EU/EEA member state of habitual residence
- Your place of work
- The place of the alleged infringement
12.3 Finding Your Supervisory Authority
You can find your relevant data protection authority at:
- EDPB Website: https://edpb.europa.eu/about-edpb/board/members_en
- Each EU Member State has its own data protection authority
- Examples:
- Germany: Bundesdatenschutzbeauftragte
- France: CNIL (Commission Nationale de l'Informatique et des Libertés)
- UK: Information Commissioner's Office (ICO)
- Ireland: Data Protection Commission (DPC)
12.4 Judicial Remedy
Under Article 79 GDPR, you also have the right to:
- Bring proceedings against us in the courts
- Seek judicial remedy for GDPR violations
- Claim compensation for damages
12.5 No Retaliation
We guarantee:
- No retaliation for filing complaints
- Continued service regardless of complaints
- Fair and impartial investigation
- Respectful treatment throughout the process
IMPORTANT: Lodging a complaint with a supervisory authority or court does not affect any other administrative or judicial remedy you may have. You can pursue multiple avenues simultaneously if desired.
13Updates & Additional Information
13.1 Policy Updates
We may update this GDPR compliance page to reflect:
- Changes in our processing activities
- New GDPR guidance or requirements
- Feedback from supervisory authorities
- Improvements to our practices
Material changes will be communicated via email to registered EU/EEA users.
13.2 Compliance Documentation
Available upon request:
- Records of processing activities (Article 30)
- Data Protection Impact Assessments
- Standard Contractual Clauses
- Data Processing Agreements
- Security certifications and audits
13.3 Brexit Considerations
For UK residents:
- We comply with the UK GDPR and Data Protection Act 2018
- The ICO is the relevant supervisory authority
- Your rights remain essentially the same as under EU GDPR
13.4 Further Information
For more details, please review our related policies:
- Privacy Policy – Comprehensive data practices
- Terms of Service – General terms and conditions
- Contact Us – Get in touch with questions
Have a GDPR Request?
Contact our Data Protection Officer to exercise any of your rights under GDPR — we respond within 30 days.
Contact DPO →