GDPR Compliance
1. Introduction
EU Data Privacy. At OmniRoles ("we," "our," or "us"), we are committed to protecting the privacy and security of your personal data. This GDPR Compliance Policy explains our commitment to the General Data Protection Regulation (GDPR).
"The GDPR is a regulation in EU law on data protection and privacy that applies to all individuals within the European Union and the European Economic Area."
2. Data Protection Principles
Core Values. We adhere to the six fundamental principles set out in the GDPR:
Lawfulness & transparency
Processed lawfully, fairly, and in a transparent manner.
Purpose limitation
Collected for specified, explicit, and legitimate purposes.
Data minimization
Adequate, relevant, and limited to what is necessary.
Accuracy
Accurate and, where necessary, kept up to date.
Storage limitation
Kept in a form permitting identification no longer than necessary.
Integrity & security
Processed in a manner that ensures appropriate security.
3. Lawful Basis for Processing
Legal Foundation. We only process personal data when we have a valid legal justification:
- Consent: You have given clear, affirmative consent.
- Contract: Necessary for a contract we have with you.
- Legal obligation: Necessary for us to comply with the law.
- Legitimate interests: Necessary for our legitimate business interests, unless overridden by your rights.
4. Data Subject Rights
Your Control. Under the GDPR, you maintain comprehensive control over your personal data:
Right to Access
Request a copy of the data we hold about you and how it's processed.
Right to Rectification
Correct any inaccurate or incomplete personal information.
Right to Erasure
Also known as the "Right to be Forgotten"—request your data be deleted.
Right to Portability
Receive your data in a structured, machine-readable format.
5. How to Exercise Your Rights
Requests. To exercise any of your rights regarding your personal data, you must submit a written request to our Data Protection Officer (DPO).
- Verification: We may request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it.
- Time Limit: We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
- Fees: You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive. Alternatively, we could refuse to comply with your request in these circumstances.
Submit your requests to: our Contact Page.
6. Data Protection Officer
Governance. We have appointed a Data Protection Officer (DPO) to oversee our privacy practices and handle all data inquiries.
Contact our DPO
For formal GDPR inquiries or to exercise your rights, please contact our Data Protection Officer directly.
7. Data Security
Protection. We use state-of-the-art technical and organizational measures to ensure your data is secure against unauthorized access.
8. Data Breach Notification
Notification. We have put in place procedures to deal with any suspected personal data breach. In the event of a breach, we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, where feasible, unless the breach is unlikely to result in a risk to individuals' rights and freedoms.
- Communicate the breach directly to affected data subjects without undue delay if the breach is likely to result in a high risk to their rights and freedoms.
- Maintain a comprehensive internal log of all personal data breaches, including the facts relating to the breach, its effects, and the remedial actions taken.
If you suspect a data breach has occurred, please immediately contact our incident response team via our DPO at our Contact Page.
9. International Data Transfers
Cross-Border Transfers. As a global service operated by BrandXpoint, your data may be transferred to, stored, and processed in countries outside the European Economic Area (EEA), including the United States and Georgia. We ensure such transfers are subject to appropriate safeguards, primarily through the use of Standard Contractual Clauses approved by the European Commission, and supplementary technical and organizational measures such as encryption in transit and at rest.
- We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission.
- Where we use certain service providers, we may use specific contracts approved by the European Commission (Standard Contractual Clauses) which give personal data the same protection it has in Europe.
10. Data Retention
Timelines. We will only retain your personal data for as long as necessary to fulfill the purposes we collected it for, including legal and reporting requirements.
11. Data Protection Impact Assessments
Assessments. We proactively conduct Data Protection Impact Assessments (DPIAs) to identify and minimize the data protection risks of any new project or system. A DPIA is mandatory when processing is likely to result in a high risk to the rights and freedoms of natural persons.
Our DPIA process involves:
- Systematically describing the processing operations and their purposes.
- Assessing the necessity and proportionality of the processing operations.
- Evaluating the risks to the rights and freedoms of data subjects.
- Identifying the measures envisioned to address the risks, including safeguards, security measures, and mechanisms to ensure the protection of personal data.
12. Records of Processing Activities
Records. Under Article 30 of the GDPR, we maintain detailed, up-to-date Records of Processing Activities (RoPA). These records contain:
- The name and contact details of the controller, any joint controller, the controller's representative, and the data protection officer.
- The purposes of the processing.
- A description of the categories of data subjects and of the categories of personal data.
- The categories of recipients to whom the personal data have been or will be disclosed.
- Where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization.
These records are made available to supervisory authorities upon formal request.
13. Training and Awareness
Training. We recognize that technical controls must be supported by organizational awareness. We ensure that:
- All new employees and contractors undergo mandatory data protection training during onboarding.
- Annual refresher training is required for all staff handling personal data.
- Specialized training is provided for personnel involved in high-risk processing or security infrastructure.
- Internal policies and data handling procedures are regularly reviewed and audited for compliance.
14. Changes to This Policy
Agility. We may update this GDPR Compliance Policy. Significant changes will be communicated via our service or email.
15. Complaints
Complaints. We take privacy complaints very seriously. If you have any concerns about our use of your personal information, you can make a complaint to us via our Contact Page.
You also have the right to lodge a complaint with your local supervisory authority in the EU Member State of your habitual residence, place of work, or place of the alleged infringement. However, we would appreciate the chance to deal with your concerns before you approach the supervisory authority, so please contact us in the first instance.
16. Contact Us
Inquiries. If you have any questions about this GDPR Compliance Policy, please reach out: Contact Us