Today is a document sort of day.
Coming up with a GDPR compliance document so we have one in place to update as we progress:
Creating a document that outlines GDPR compliance within a company is crucial for demonstrating accountability and ensuring all employees, stakeholders, and regulators understand the company’s approach to handling personal data. Below is a template you can use to create a GDPR Compliance Document for your company. You can customize it based on your company’s specific operations, industry, and data processing activities.
GDPR Compliance Document
Company Name:
Studio Carbon
Document Version:
Version 0.1
Last Updated:
July 15, 2025
1. Introduction
This document outlines Studio Carbon's commitment to complying with the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679). As a company that processes personal data of individuals in the European Union (EU), we ensure that all our activities involving personal data adhere to GDPR principles and requirements.
2. Scope
This document applies to:
- All employees, contractors, and third-party service providers of Studio Carbon.
- All personal data collected, processed, stored, or shared by Studio Carbon, including data from customers, employees, partners, and vendors.
3. Key GDPR Principles
We adhere to the following GDPR principles:
- Lawfulness, Fairness, and Transparency: Personal data is processed lawfully, fairly, and in a transparent manner.
- Purpose Limitation: Personal data is collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.
- Data Minimization: Personal data collected is adequate, relevant, and limited to what is necessary for the intended purpose.
- Accuracy: Personal data is accurate and, where necessary, kept up to date.
- Storage Limitation: Personal data is retained only for as long as necessary for the purposes for which it was collected.
- Integrity and Confidentiality (Security): Personal data is processed securely to protect against unauthorized or unlawful processing, accidental loss, destruction, or damage.
- Accountability: Studio Carbon is responsible for ensuring GDPR compliance and can demonstrate adherence to these principles.
4. Data Protection Roles
4.1 Data Controller
As the data controller, Studio Carbon determines the purposes and means of processing personal data.
4.2 Data Processor
When acting as a data processor, Studio Carbon processes personal data on behalf of another organization (data controller) in compliance with GDPR.
4.3 Data Protection Officer (DPO)
- DPO Name: [Insert Name]
- Contact Email: [Insert Email Address]
- Contact Number: [Insert Phone Number]
The DPO is responsible for overseeing GDPR compliance, advising on data protection obligations, and acting as the point of contact for supervisory authorities and data subjects.
5. Data Collection and Processing
5.1 Types of Personal Data Collected
Studio Carbon collects the following types of personal data:
- Customer Data: A pseudonymous user ID linked to the data we need to persist. Because the ID can be tied back to an individual account, it remains personal data under GDPR and is handled as such; data counts as anonymized only when the individual can no longer be identified by any reasonably likely means.
- Website/App Data: IP addresses, cookies, location data, device identifiers, and usage data, collected for troubleshooting production issues.
5.2 Purposes of Data Processing
Personal data is processed for the following purposes:
- Providing products and services.
- Communication.
- Customer support.
- Legal and regulatory compliance.
5.3 Lawful Bases for Processing
We process personal data under the following lawful bases:
- Consent.
- Performance of a contract.
- Legal obligation.
- Legitimate interests.
6. Data Subject Rights
Under GDPR, individuals have the following rights regarding their personal data:
- Right to Access: Individuals can request a copy of their personal data.
- Right to Rectification: Individuals can request corrections to inaccurate or incomplete data.
- Right to Erasure (Right to Be Forgotten): Individuals can request the deletion of their personal data.
- Right to Restrict Processing: Individuals can request the limitation of data processing.
- Right to Data Portability: Individuals can request their data in a portable format.
- Right to Object: Individuals can object to processing based on legitimate interests or direct marketing.
- Right Not to Be Subject to Automated Decision-Making: Individuals have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects on them.
How to Submit Requests:
Requests can be submitted via email to [Insert Email Address] or through our website at [Insert Website Link].
7. Data Security Measures
Studio Carbon implements technical and organizational measures to ensure data security, including:
- Encryption: All sensitive data is encrypted during transmission and at rest.
- Access Controls: Access to personal data is restricted to authorized personnel on a need-to-know basis.
- Regular Audits: Regular security audits and vulnerability testing are conducted.
- Data Breach Response Plan: In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours of becoming aware of it (unless the breach is unlikely to result in a risk to individuals) and notify affected individuals without undue delay where the breach is likely to result in a high risk to them.
8. Third-Party Data Processors
We work with third-party service providers to process personal data. All third-party processors are vetted to ensure GDPR compliance and are required to sign Data Processing Agreements (DPAs).
Third-Party Processors:
- Cloud storage providers: AWS
- Payment processors: Google Pay, Apple Pay
- Marketing tools:
- Others:
9. Data Retention Policy
Personal data is retained only for as long as necessary to fulfill the purposes for which it was collected or to comply with legal obligations.
Retention Periods:
- Customer data: Retained indefinitely, until the customer requests that it be removed or the company ceases product support.
- Marketing data: 365 days.
10. Data Breach Policy
In the event of a personal data breach:
1. The breach is reported to the Data Protection Officer (DPO) immediately.
2. The DPO assesses the breach and notifies the supervisory authority (e.g., the Data Protection Authority in the relevant EU country) within 72 hours of the company becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms.
3. Affected individuals are notified without undue delay if the breach is likely to pose a high risk to their rights and freedoms.
4. Every breach is recorded (the facts, its effects, and the remedial action taken), whether or not it is notified.
5. A full investigation is conducted, and measures are taken to prevent recurrence.
11. Employee Training
All employees handling personal data receive GDPR training, covering:
- GDPR principles and requirements.
- How to handle personal data securely.
- Identifying and reporting potential data breaches.
12. Monitoring and Updates
This GDPR Compliance Document is reviewed annually or whenever there are significant changes to data processing activities, legal requirements, or organizational structure.
13. Contact Information
For questions or concerns about GDPR compliance, please contact:
Data Protection Officer (DPO):
[Insert Name]
[Insert Email Address]
[Insert Phone Number]
14. Approval
This document has been approved by [Insert Name], [Insert Position], on [Insert Date].
Signature:
[Insert Signature or Name]
Appendices
You may include appendices for additional details, such as:
- Data Processing Inventory.
- Data Processing Agreements (DPAs).
- Data Breach Response Templates.