🇪🇺 EU Data Protection

GDPR Compliance

We are committed to protecting the personal data of EU/EEA residents in full compliance with the General Data Protection Regulation (GDPR). Learn about your rights and how we safeguard your information.

📅 Last Updated: February 21, 2026
⚖️ Regulation: EU 2016/679
Status: Fully Compliant

Your Data, Your Rights

The General Data Protection Regulation (GDPR) is the world's strongest data protection law. We fully comply with all GDPR requirements to ensure your personal data is protected, secure, and used transparently.

GDPR at a Glance

Here's what GDPR compliance means for you:

  • Data Protection: Your data is secured with industry-standard encryption and security measures
  • Your Rights: Access, rectify, delete, or port your personal data at any time
  • Transparency: Clear information about data collection, use, and sharing practices
  • Consent: Explicit consent required for data processing activities

1 Introduction to GDPR

The General Data Protection Regulation (GDPR) is a comprehensive data protection law that came into effect on May 25, 2018. It regulates how organizations process the personal data of individuals residing in the European Union (EU) and European Economic Area (EEA).

1.1 What is GDPR?

GDPR is Regulation (EU) 2016/679 of the European Parliament and of the Council. It establishes:

  • Rules for the processing of personal data
  • Rights for individuals regarding their personal data
  • Obligations for organizations that process personal data
  • Significant penalties for non-compliance (up to €20 million or 4% of global turnover)

1.2 Who Does GDPR Apply To?

GDPR applies to:

  • Data Subjects: Individuals residing in the EU/EEA, regardless of nationality
  • Data Controllers: Organizations that determine the purposes and means of processing
  • Data Processors: Organizations that process data on behalf of controllers
  • Geographic Scope: Any organization offering goods/services to EU/EEA residents

1.3 Our Commitment

Debasis Bhattacharjee is fully committed to GDPR compliance. We:

  • Process personal data lawfully, fairly, and transparently
  • Collect data only for specified, explicit, and legitimate purposes
  • Ensure data is adequate, relevant, and limited to what is necessary
  • Maintain data accuracy and keep it up to date
  • Retain data only as long as necessary
  • Implement appropriate security measures
  • Respect and facilitate your GDPR rights
ℹ️ Important Note

This GDPR Compliance page should be read in conjunction with our Privacy Policy, which provides comprehensive details about our data practices. This page specifically addresses GDPR requirements for EU/EEA residents.

2 Data Controller Information

Under GDPR, the data controller is the entity that determines the purposes and means of processing personal data.

2.1 Data Controller Details

| Field | Information |
|---|---|
| Business Name | Debmedia Technologies LLP |
| Proprietor | Debasis Bhattacharjee |
| Registered Location | West Bengal, India |
| Website | https://www.debasisbhattacharjee.com |
| Email | privacy@debasisbhattacharjee.com |

2.2 Representative in the EU

As we are based outside the EU but process data of EU residents, we have appointed (or are in the process of appointing) an EU representative in accordance with Article 27 GDPR.

  • Status: Under appointment process
  • Contact: eu-representative@debasisbhattacharjee.com
  • Purpose: To serve as a point of contact for EU data subjects and supervisory authorities

2.3 Data Protection Officer (DPO)

For GDPR-related inquiries, you can contact our Data Protection Officer:

  • Email: dpo@debasisbhattacharjee.com
  • Role: Oversees GDPR compliance, handles data subject requests
  • Response Time: Within 30 days as required by GDPR

2.4 Data Processors We Use

We engage third-party data processors who process personal data on our behalf:

  • Cloud Hosting Providers: For website hosting and data storage
  • Email Service Providers: For email communications
  • Payment Processors: For transaction processing
  • Analytics Providers: For website analytics

All data processors are contractually bound to GDPR compliance through Data Processing Agreements (DPAs).

4 Your GDPR Rights

Under GDPR, you have comprehensive rights regarding your personal data. We are committed to respecting and facilitating these rights.

  • Right to Access (Article 15): You can request a copy of all personal data we hold about you, including information about how it's being used.
  • Right to Rectification (Article 16): You can request correction of inaccurate or incomplete personal data at any time.
  • Right to Erasure (Article 17): Also known as "right to be forgotten," you can request deletion of your personal data in certain circumstances.
  • Right to Restriction (Article 18): You can request that we limit how we use your personal data while a dispute is being resolved.
  • Right to Data Portability (Article 20): You can request your data in a structured, machine-readable format to transfer to another service.
  • Right to Object (Article 21): You can object to processing based on legitimate interests or for direct marketing purposes.
  • Rights Related to Automated Decision-Making (Article 22): You have rights regarding automated decisions that significantly affect you, including profiling.
  • Right to Withdraw Consent (Article 7(3)): Where processing is based on consent, you can withdraw it at any time without affecting prior processing.
  • Right to Lodge a Complaint (Article 77): You have the right to file a complaint with your local data protection authority if you believe your rights have been violated.

4.1 How to Exercise Your Rights

To exercise any of your GDPR rights:

  1. Email us: dpo@debasisbhattacharjee.com or privacy@debasisbhattacharjee.com
  2. Subject Line: "GDPR Rights Request - [Your Request Type]"
  3. Include: Your name, email address, account details (if applicable), and specific request
  4. Verification: We may request additional information to verify your identity

4.2 Response Timeline

  • We will respond within one month of receiving your request
  • Complex requests may be extended by two additional months with notification
  • You will be informed of any delays and the reasons
  • Requests are handled free of charge unless manifestly unfounded or excessive

4.3 Limitations

Some rights may be limited in certain circumstances:

  • When we have a legal obligation to retain data
  • For the establishment, exercise, or defense of legal claims
  • When deletion would prejudice our legitimate interests
  • For compliance with regulatory requirements
⚠️ Important

We take your GDPR rights seriously. If we cannot fulfill your request, we will explain why and inform you of your right to lodge a complaint with the relevant supervisory authority.

5 Data We Collect

We collect only the personal data necessary to provide our services and comply with our legal obligations. Here's what we collect and why:

5.1 Categories of Personal Data

| Data Category | Examples | Purpose | Legal Basis |
|---|---|---|---|
| Identity Data | Name, username, title | Account management, personalization | Contract |
| Contact Data | Email, phone number, address | Communication, service delivery | Contract |
| Financial Data | Payment card details, billing address | Payment processing | Contract |
| Transaction Data | Purchase history, order details | Order fulfillment, customer service | Contract |
| Technical Data | IP address, browser, device info | Security, website functionality | Legitimate Interest |
| Usage Data | Pages viewed, time spent, clicks | Website improvement, analytics | Legitimate Interest |
| Marketing Data | Preferences, communication consent | Marketing communications | Consent |
| Profile Data | Interests, preferences, feedback | Personalization, service improvement | Legitimate Interest |

5.2 Special Category Data

We do NOT intentionally collect special category personal data (sensitive data) such as:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic or biometric data
  • Health data
  • Sex life or sexual orientation

If such data is inadvertently collected, it will be deleted immediately upon discovery.

5.3 Children's Data

Our services are not directed at children under 16 years of age (or the applicable age of consent in your country). We do not knowingly collect personal data from children. If we discover we have collected data from a child, we will delete it immediately.

5.4 Data Minimization

In accordance with GDPR principles, we:

  • Collect only data that is necessary for specified purposes
  • Avoid collecting excessive or irrelevant information
  • Regularly review data collection practices
  • Delete unnecessary data

6 Data Processing Activities

We process your personal data for specific, explicit, and legitimate purposes as outlined in our Privacy Policy and this GDPR compliance page.

6.1 Purpose Limitation

We process personal data only for the purposes for which it was collected:

  • Service Provision: Delivering products and services you've requested
  • Communication: Responding to inquiries and providing support
  • Transaction Processing: Processing payments and orders
  • Security: Protecting against fraud and unauthorized access
  • Legal Compliance: Meeting regulatory and legal obligations
  • Service Improvement: Enhancing user experience and functionality
  • Marketing: Sending promotional communications (with consent)

6.2 Automated Decision-Making and Profiling

We do NOT engage in automated decision-making that produces legal effects or similarly significantly affects you.

We may use limited profiling for:

  • Personalizing website content and recommendations
  • Improving marketing relevance (with consent)
  • Fraud detection and prevention

You have the right to object to profiling and request human review of automated decisions.

6.3 Data Accuracy

We take steps to ensure personal data is accurate and up-to-date:

  • Providing self-service account management tools
  • Regularly reviewing and updating data
  • Correcting inaccuracies when notified
  • Deleting outdated information

6.4 Processing Records

In compliance with Article 30 GDPR, we maintain records of processing activities including:

  • Name and contact details of the controller
  • Purposes of processing
  • Categories of data subjects and personal data
  • Categories of recipients
  • Details of international transfers
  • Retention periods
  • Security measures
📊 Transparency

We maintain transparent processing practices and are happy to provide additional information about our data processing activities upon request.

7 International Data Transfers

As we are based outside the EU/EEA, your personal data may be transferred to and processed in countries that do not provide the same level of data protection as the EU.

7.1 Transfer Mechanisms

We ensure adequate protection for international data transfers through:

  • Standard Contractual Clauses (SCCs): EU Commission-approved contracts with data processors (Article 46)
  • Adequacy Decisions: Transfers to countries deemed adequate by the EU Commission
  • Binding Corporate Rules: For transfers within corporate groups (when applicable)
  • Explicit Consent: In specific circumstances where you provide informed consent

7.2 Countries We Transfer Data To

  • India: Our primary operations and data storage location
  • United States: Some third-party service providers (with appropriate safeguards)
  • Other Countries: As necessary for service providers with SCCs in place

7.3 Safeguards for Transfers

When transferring data outside the EU/EEA, we:

  • Conduct transfer impact assessments
  • Implement supplementary measures where necessary
  • Ensure contractual commitments from recipients
  • Maintain the same security standards globally
  • Monitor and review transfers regularly

7.4 Your Rights Regarding Transfers

You have the right to:

  • Request information about transfers and safeguards
  • Obtain a copy of relevant SCCs
  • Object to transfers in certain circumstances
  • Withdraw consent for transfers based on consent

7.5 Data Localization

While we cannot guarantee all data remains within the EU/EEA:

  • We minimize transfers where possible
  • We use EU-based service providers when feasible
  • We maintain copies of essential data within the EU where required
  • We comply with local data residency requirements
🌍 International Operations

IMPORTANT: While we are based in India, we implement GDPR-compliant practices for all EU/EEA data subjects. Your data is protected with the same high standards regardless of where it is processed.

8 Data Retention Periods

In accordance with GDPR's storage limitation principle, we retain personal data only for as long as necessary to fulfill the purposes for which it was collected.

8.1 Retention Criteria

We determine retention periods based on:

  • The purpose for which the data was collected
  • Legal and regulatory requirements
  • Contractual obligations
  • Legitimate business needs
  • Your preferences and consent duration

8.2 Specific Retention Periods

| Data Type | Retention Period | Reason |
|---|---|---|
| Account Data | Until deletion + 30 days | Service provision, legal obligations |
| Transaction Records | 7 years | Tax, accounting, legal compliance |
| Marketing Consent | Until withdrawn + 90 days | Marketing communications |
| Customer Support | 3 years | Quality assurance, dispute resolution |
| Website Analytics | 26 months | Business analysis, service improvement |
| Security Logs | 1 year | Security, fraud prevention |
| Legal Claims | Duration of claim + 6 years | Legal defense |

8.3 Deletion Process

When retention periods expire:

  • Data is securely deleted or anonymized beyond recovery
  • Backups are overwritten within 90 days
  • Physical records are shredded
  • Electronic data uses secure erasure methods
  • Deletion is logged and verified

8.4 Extended Retention

We may retain data beyond standard periods when:

  • Required by law or regulation
  • Necessary for legal claims or disputes
  • Subject to legal hold or investigation
  • You have explicitly requested extended retention

8.5 Right to Erasure

You can request early deletion of your data if:

  • The data is no longer necessary for the original purpose
  • You withdraw consent and there's no other legal basis
  • You object and there are no overriding legitimate grounds
  • The data has been unlawfully processed
  • Legal obligations require deletion

9 Data Security Measures

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as required by Article 32 GDPR.

9.1 Technical Security Measures

  • Encryption: 256-bit SSL/TLS for data in transit, AES-256 for data at rest
  • Access Controls: Role-based access, multi-factor authentication
  • Network Security: Firewalls, intrusion detection/prevention systems
  • Secure Development: Security by design and default principles
  • Regular Updates: Timely security patches and updates
  • Monitoring: 24/7 security monitoring and logging
  • Data Backups: Regular encrypted backups with secure storage

9.2 Organizational Security Measures

  • Data Protection Policies: Comprehensive internal policies
  • Employee Training: Regular GDPR and security training
  • Confidentiality Agreements: All staff sign NDAs
  • Access Logging: All data access is logged and reviewed
  • Incident Response Plan: Documented breach response procedures
  • Regular Audits: Internal and external security assessments
  • Vendor Management: Due diligence on all data processors

9.3 Data Breach Notification

In the unlikely event of a data breach:

  • Supervisory Authority: Notified within 72 hours (Article 33)
  • Affected Individuals: Notified without undue delay if high risk (Article 34)
  • Documentation: All breaches documented, even if not reported
  • Mitigation: Immediate steps taken to contain and remediate
  • Communication: Clear, plain language notifications

9.4 Data Protection Impact Assessments (DPIA)

We conduct DPIAs for high-risk processing activities:

  • Before implementing new technologies or systems
  • For large-scale processing of special category data
  • When using innovative processing methods
  • For systematic monitoring or profiling

9.5 Pseudonymization and Anonymization

Where appropriate, we:

  • Pseudonymize data to reduce identification risks
  • Anonymize data for analytics and research
  • Separate identifying information from other data
  • Use data minimization techniques
🔒 Continuous Improvement

We continuously review and update our security measures to address emerging threats and maintain compliance with evolving security standards and GDPR requirements.

10 Cookies & Tracking Technologies

We use cookies and similar tracking technologies in compliance with the ePrivacy Directive and GDPR requirements.

10.1 Cookie Consent

In accordance with EU law:

  • Essential Cookies: Used without consent (strictly necessary)
  • Non-Essential Cookies: Require explicit opt-in consent
  • Cookie Banner: Clear information before consent
  • Granular Control: Category-specific consent options
  • Easy Withdrawal: Simple opt-out mechanisms

10.2 Cookie Categories

| Category | Purpose | Consent Required |
|---|---|---|
| Strictly Necessary | Essential website functionality, security | No |
| Performance | Analytics, site optimization | Yes |
| Functionality | Remember preferences, settings | Yes |
| Marketing | Targeted advertising, tracking | Yes |

10.3 Managing Cookie Preferences

You can manage cookies through:

  • Cookie Settings: Access from our cookie banner or footer
  • Browser Settings: Block or delete cookies directly
  • Opt-Out Tools: Third-party opt-out mechanisms
  • Do Not Track: We respect DNT signals where feasible

10.4 Third-Party Cookies

We use some third-party cookies:

  • Google Analytics (with IP anonymization)
  • Social media plugins (if you interact with them)
  • Payment processors (during checkout)

Third-party cookies are subject to the privacy policies of those providers.

10.5 Detailed Cookie Information

For comprehensive cookie details, including:

  • Cookie names and durations
  • Specific purposes
  • Third-party cookie providers
  • How to opt out of specific cookies

Please refer to our detailed Cookie Policy or contact us for more information.

11 Data Protection Officer

In accordance with Article 37 GDPR, we have designated a Data Protection Officer (DPO) to oversee our GDPR compliance program.

11.1 DPO Contact Information

  • Email: dpo@debasisbhattacharjee.com
  • Postal Address: Data Protection Officer, Debmedia Technologies LLP, West Bengal, India
  • Response Time: Within 30 days as mandated by GDPR

11.2 DPO Responsibilities

Our DPO is responsible for:

  • Monitoring GDPR compliance across the organization
  • Advising on data protection impact assessments
  • Providing training and awareness to staff
  • Acting as the point of contact for data subjects
  • Cooperating with supervisory authorities
  • Investigating data protection concerns
  • Maintaining records of processing activities

11.3 When to Contact the DPO

You should contact our DPO for:

  • Exercising your GDPR rights
  • Questions about how your data is processed
  • Complaints about data handling
  • Data breach concerns
  • GDPR compliance inquiries
  • General data protection questions

11.4 DPO Independence

Our DPO operates independently and:

  • Reports directly to senior management
  • Is not penalized for performing DPO duties
  • Has sufficient resources and access
  • Maintains professional confidentiality
  • Is free from conflicts of interest
📧 Direct Communication

You can communicate directly with our DPO regarding any data protection matters. Your communications with the DPO are treated with the highest level of confidentiality.

12 Complaints & Supervisory Authority

If you believe your GDPR rights have been violated, you have the right to lodge a complaint.

12.1 Internal Complaint Process

We encourage you to contact us first:

  1. Contact our DPO: dpo@debasisbhattacharjee.com
  2. Describe the Issue: Provide details of your concern
  3. We Investigate: We will thoroughly investigate your complaint
  4. Response: You will receive a detailed response within 30 days
  5. Resolution: We will work with you to resolve the matter

12.2 Right to Lodge a Complaint with Supervisory Authority

You have the right to lodge a complaint with a supervisory authority, particularly in:

  • Your EU/EEA member state of habitual residence
  • Your place of work
  • The place of the alleged infringement

12.3 Finding Your Supervisory Authority

You can find your relevant data protection authority at:

  • EDPB Website: https://edpb.europa.eu/about-edpb/board/members_en
  • Each EU Member State: Has its own data protection authority
  • Examples:
    • Germany: Bundesdatenschutzbeauftragte
    • France: CNIL (Commission Nationale de l'Informatique et des Libertés)
    • UK: Information Commissioner's Office (ICO)
    • Ireland: Data Protection Commission (DPC)

12.4 Judicial Remedy

Under Article 79 GDPR, you also have the right to:

  • Bring proceedings against us in the courts
  • Seek judicial remedy for GDPR violations
  • Claim compensation for damages

12.5 No Retaliation

We guarantee:

  • No retaliation for filing complaints
  • Continued service regardless of complaints
  • Fair and impartial investigation
  • Respectful treatment throughout the process
⚖️ Your Rights

IMPORTANT: Lodging a complaint with a supervisory authority or court does not affect any other administrative or judicial remedy you may have. You can pursue multiple avenues simultaneously if desired.

13 Updates & Additional Information

13.1 Policy Updates

We may update this GDPR compliance page to reflect:

  • Changes in our processing activities
  • New GDPR guidance or requirements
  • Feedback from supervisory authorities
  • Improvements to our practices

Material changes will be communicated via email to registered EU/EEA users.

13.2 Compliance Documentation

Available upon request:

  • Records of processing activities (Article 30)
  • Data Protection Impact Assessments
  • Standard Contractual Clauses
  • Data Processing Agreements
  • Security certifications and audits

13.3 Brexit Considerations

For UK residents:

  • We comply with the UK GDPR and Data Protection Act 2018
  • The ICO is the relevant supervisory authority
  • Your rights remain essentially the same as under EU GDPR

13.4 Further Information

For more details, please review:

Questions About GDPR?

Our Data Protection Officer is here to answer any questions you may have about GDPR compliance, your rights, or our data practices.
