GDPR

Your GDPR Rights

Understanding your data protection rights under European law

GDPR Compliance Status: Fully Compliant | Last Assessment: November 2024

1. What is GDPR?

The General Data Protection Regulation (GDPR) is a comprehensive data protection law that came into effect on May 25, 2018. It applies to all organizations that process personal data of individuals in the European Union, regardless of where the organization is located.

GDPR gives individuals greater control over their personal data and imposes strict obligations on organizations that collect, process, or store personal information. The regulation aims to harmonize data protection laws across Europe and strengthen individual privacy rights.

Key Principles of GDPR

  • Lawfulness, fairness, and transparency: Data must be processed lawfully, fairly, and transparently
  • Purpose limitation: Data should only be collected for specified, explicit, and legitimate purposes
  • Data minimization: Only necessary data should be collected and processed
  • Accuracy: Personal data must be accurate and kept up to date
  • Storage limitation: Data should not be kept longer than necessary
  • Integrity and confidentiality: Data must be processed securely
  • Accountability: Organizations must demonstrate compliance with GDPR

2. Your GDPR Rights

Under GDPR, you have several important rights regarding your personal data. These rights apply to all EU residents and are designed to give you control over how your personal information is used.

Right of Access (Article 15)

You can request access to your personal data and information about how it's being processed.

  • What data we have about you
  • Why we're processing it
  • Who we share it with
  • How long we keep it

Right to Rectification (Article 16)

You can request correction of inaccurate or incomplete personal data.

  • Update incorrect information
  • Complete missing data
  • Verify accuracy
  • Receive confirmation of changes

Right to Erasure (Article 17)

Also known as the "right to be forgotten," you can request deletion of your personal data.

  • Delete unnecessary data
  • Withdraw consent
  • Object to processing
  • Remove outdated information

Right to Restrict Processing (Article 18)

You can request limitation of how your personal data is processed.

  • Suspend processing temporarily
  • Dispute data accuracy
  • Object to deletion
  • Await legal proceedings

Right to Data Portability (Article 20)

You can request your data in a portable format and transfer it to another service.

  • Receive data in machine-readable format
  • Transfer to another provider
  • Maintain data ownership
  • Enable service switching

Right to Object (Article 21)

You can object to processing of your personal data for specific purposes.

  • Direct marketing
  • Legitimate interests
  • Research and statistics
  • Automated decision-making

3. How to Exercise Your Rights

You can exercise your GDPR rights at any time by contacting our Data Protection Officer. We will respond to your request within 30 days (extendable to 90 days for complex requests).

4. Our Data Processing Activities

We maintain detailed records of all data processing activities as required by GDPR Article 30. Our main processing activities include:

Service Provision

  • Purpose: Providing AI-powered content transformation services
  • Data Categories: Account information, content data, usage data
  • Legal Basis: Contract performance (Article 6(1)(b))
  • Retention: Duration of contract + 7 years for legal compliance

Customer Support

  • Purpose: Providing technical assistance and customer service
  • Data Categories: Contact information, communication records, technical data
  • Legal Basis: Legitimate interests (Article 6(1)(f))
  • Retention: 3 years after case closure

Marketing Communications

  • Purpose: Sending newsletters, product updates, and promotional materials
  • Data Categories: Contact information, preferences, engagement data
  • Legal Basis: Consent (Article 6(1)(a))
  • Retention: Until consent is withdrawn

Under GDPR Article 6, we process your personal data based on the following legal grounds:

Legal Bases We Rely On

  • Consent (Article 6(1)(a)): You have given clear consent for us to process your personal data for specific purposes (e.g., marketing communications).
  • Contract Performance (Article 6(1)(b)): Processing is necessary to perform our contract with you or to take steps before entering into a contract.
  • Legal Obligation (Article 6(1)(c)): Processing is necessary for compliance with legal obligations (e.g., tax reporting, regulatory requirements).
  • Legitimate Interests (Article 6(1)(f)): Processing is necessary for our legitimate interests (e.g., improving services, security, fraud prevention).

6. Data Protection Measures

We implement comprehensive technical and organizational measures to ensure GDPR compliance:

Technical Measures

  • Encryption: AES-256 encryption for data at rest and TLS 1.3 for data in transit
  • Access Controls: Role-based access with multi-factor authentication
  • Data Minimization: Automated systems to collect only necessary data
  • Regular Backups: Secure, encrypted backups with limited retention periods

Organizational Measures

  • Data Protection Officer: Dedicated DPO overseeing compliance
  • Privacy by Design: Data protection built into all new systems
  • Staff Training: Regular GDPR training for all employees
  • Data Protection Impact Assessments: Conducted for high-risk processing

7. International Data Transfers

When we transfer personal data outside the European Economic Area (EEA), we ensure adequate protection through:

  • Adequacy Decisions: Transfers only to countries with adequate protection levels
  • Standard Contractual Clauses: EU-approved clauses for secure transfers
  • Additional Safeguards: Extra security measures for sensitive data
  • Data Privacy Framework: Participation in recognized privacy frameworks

8. Data Breach Procedures

In the unlikely event of a data breach, we follow strict GDPR procedures:

  • Detection: Automated monitoring systems detect breaches immediately
  • Assessment: Risk assessment completed within 24 hours
  • Authority Notification: Supervisory authority notified within 72 hours
  • Individual Notification: Affected individuals notified without undue delay if high risk
  • Documentation: All breaches documented and analyzed for prevention

9. Contact Our Data Protection Officer

Data Protection Officer Contact Information

Our Data Protection Officer is available to assist with all GDPR-related matters:

Contact Details

Email: [email protected]

Phone: +31 20 123 4567

Response time: 2-3 business days

Office Hours

Monday - Friday: 9:00 AM - 5:00 PM CET

Emergency contact available 24/7

Languages: English, Dutch, German

Mailing Address

XS2Content B.V.
Attention: Data Protection Officer
Herengracht 124
1015 BT Amsterdam
The Netherlands

10. Filing Complaints

If you believe we have not handled your personal data in accordance with GDPR, you have the right to file a complaint with a supervisory authority. You can contact:

Dutch Data Protection Authority (Our Lead Authority)

Autoriteit Persoonsgegevens (AP)

Website: autoriteitpersoonsgegevens.nl

Phone: +31 70 888 8500

Email: [email protected]

Address: Postbus 93374, 2509 AJ Den Haag, Netherlands

Your Local Supervisory Authority

You may also contact the supervisory authority in your country of residence. A complete list of EU supervisory authorities is available at edpb.europa.eu.

Our GDPR Commitment

We are committed to full GDPR compliance and protecting your privacy rights. Our data protection practices are regularly reviewed and updated to ensure we meet the highest standards of data protection and privacy.