GDPR Compliance

Last updated: January 2025

1. Our Commitment to GDPR

50Data is fully committed to compliance with the EU General Data Protection Regulation (GDPR). As a professional compliance platform serving finance teams across Europe, we understand the critical importance of data protection and privacy.

This page provides detailed information about how we comply with GDPR requirements and protect your personal data.

2. Data Controller Information

Data Controller: Blinktank GmbH

Address: Berlin, Germany

Email: hello@50data.eu

Data Protection Officer: hello@50data.eu

EU Representative: Blinktank GmbH (as we are EU-based)

3. Legal Basis for Data Processing

We process personal data based on the following legal grounds under GDPR Article 6:

3.1 Contract Performance (Article 6(1)(b))

  • Account creation and management
  • Service delivery (compliance calendars, notifications)
  • Payment processing and subscription management
  • Customer support and communications

3.2 Legitimate Interests (Article 6(1)(f))

  • Website security and fraud prevention
  • Service improvement and development
  • Business operations and administration
  • Analytics for service optimization

3.3 Legal Compliance (Article 6(1)(c))

  • Tax and accounting record keeping
  • Regulatory reporting requirements
  • Anti-money laundering compliance

3.4 Consent (Article 6(1)(a))

  • Marketing communications (where required)
  • Non-essential cookies
  • Optional data processing activities

4. Your Rights Under GDPR

As a data subject, you have the following rights under GDPR:

4.1 Right of Access (Article 15)

You can request a copy of the personal data we hold about you, including information about how we process it.

4.2 Right to Rectification (Article 16)

You can request correction of inaccurate or incomplete personal data.

4.3 Right to Erasure (Article 17)

You can request deletion of your personal data in certain circumstances, including when:

  • The data is no longer necessary for the original purpose
  • You withdraw consent (where processing is based on consent)
  • The data has been unlawfully processed

4.4 Right to Restriction (Article 18)

You can request that we limit the processing of your personal data in certain situations.

4.5 Right to Data Portability (Article 20)

You can request your personal data in a structured, machine-readable format for transfer to another service.

4.6 Right to Object (Article 21)

You can object to processing based on legitimate interests or for direct marketing purposes.

4.7 Right to Withdraw Consent (Article 7)

Where processing is based on consent, you can withdraw it at any time.

5. How to Exercise Your Rights

To exercise any of your GDPR rights, contact us at:

Email: hello@50data.eu

Subject Line: "GDPR Rights Request"

Required Information: Your name, email address, and specific request

5.1 Response Timeline

  • Standard response: Within 1 month of receipt
  • Complex requests: May be extended by 2 additional months with notification
  • Identity verification: May be required for security purposes

5.2 No Cost

Exercising your GDPR rights is free of charge, unless requests are manifestly unfounded or excessive.

6. Data Processing Activities

6.1 User Account Management

Data: Email, company name, role, subscription details

Purpose: Service delivery and account management

Legal Basis: Contract performance

Retention: Duration of subscription + 3 years

6.2 Payment Processing

Data: Payment information (processed by Paddle)

Purpose: Subscription billing and management

Legal Basis: Contract performance

Retention: 7 years for tax compliance

6.3 Service Analytics

Data: Usage patterns, feature adoption, performance metrics

Purpose: Service improvement and optimization

Legal Basis: Legitimate interests

Retention: 2 years

6.4 Communication

Data: Email address, communication preferences

Purpose: Regulatory updates, service notifications

Legal Basis: Contract performance / Consent

Retention: Until you unsubscribe or the account is deleted

7. International Data Transfers

When we transfer personal data outside the EEA, we ensure adequate protection through:

7.1 Adequacy Decisions

We transfer data to countries with EU adequacy decisions where possible.

7.2 Standard Contractual Clauses

For transfers to other countries, we use EU Standard Contractual Clauses (SCCs) with our service providers.

7.3 Current Transfers

  • Paddle (UK): Adequacy decision
  • ConvertKit (US): EU-US Data Privacy Framework + SCCs
  • Cloudflare (US): EU-US Data Privacy Framework + SCCs

8. Data Security Measures

We implement appropriate technical and organizational measures to ensure data security:

8.1 Technical Measures

  • Encryption in transit (TLS 1.3) and at rest (AES-256)
  • Multi-factor authentication for administrative access
  • Regular security assessments and penetration testing
  • Automated backup and disaster recovery systems

8.2 Organizational Measures

  • Data protection training for all staff
  • Access controls based on the need-to-know principle
  • Regular review of data processing activities
  • Incident response and breach notification procedures

9. Data Breach Notification

In case of a personal data breach, we will:

  • Notify the relevant supervisory authority within 72 hours (where feasible)
  • Inform affected individuals without undue delay (if high risk)
  • Document all breaches and remedial actions taken
  • Implement measures to prevent future occurrences

10. Data Protection Impact Assessments

We conduct Data Protection Impact Assessments (DPIAs) for processing activities that present high risks to individual rights and freedoms, including:

  • New data processing technologies
  • Large-scale processing of sensitive data
  • Systematic monitoring of public areas
  • Processing that affects vulnerable individuals

11. Children's Data

Our services are designed for professional business use. We do not knowingly process personal data of children under 16 years of age. If we become aware of such processing, we will delete the data immediately.

12. Supervisory Authority

You have the right to lodge a complaint with a supervisory authority if you believe we have not complied with GDPR requirements.

Lead Authority: Berlin Commissioner for Data Protection and Freedom of Information

Website: https://www.datenschutz-berlin.de

Email: mailbox@datenschutz-berlin.de

13. Contact Information

For any GDPR-related questions or concerns:

Data Protection Officer: hello@50data.eu

Contact: hello@50data.eu

Website: https://50data.eu

Address: Blinktank GmbH, Berlin, Germany

14. Updates to GDPR Compliance

We regularly review and update our GDPR compliance measures. Significant changes will be communicated through:

  • Email notifications to registered users
  • Updates to this page with revision dates
  • Platform notifications for important changes