GDPR Compliance
Your data protection rights under the General Data Protection Regulation (GDPR).
Last updated: January 1, 2025
What is GDPR?
The General Data Protection Regulation (GDPR) is a comprehensive data protection law that came into effect on May 25, 2018. It strengthens and unifies data protection for individuals within the European Union (EU) and addresses the export of personal data outside the EU.
At Heldus, we are committed to protecting your personal data and respecting your privacy rights in accordance with GDPR requirements.
Your Rights Under GDPR
As a data subject, you have the following rights under GDPR:
Right to Information
You have the right to be informed about how your personal data is being used.
Right of Access
You have the right to request copies of your personal data.
Right to Rectification
You have the right to request correction of inaccurate personal data.
Right to Erasure
You have the right to request deletion of your personal data.
Right to Restrict Processing
You have the right to request restriction of processing of your personal data.
Right to Data Portability
You have the right to request transfer of your personal data to another organization.
Right to Object
You have the right to object to processing of your personal data.
How We Protect Your Data
We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk:
- Encryption of personal data in transit and at rest
- Regular security assessments and penetration testing
- Access controls and authentication mechanisms
- Regular staff training on data protection
- Incident response and breach notification procedures
- Data minimization and purpose limitation
Legal Basis for Processing
We process your personal data based on the following legal grounds:
- Consent: When you have given clear consent for us to process your personal data for specific purposes
- Contract: When processing is necessary for the performance of a contract with you
- Legal Obligation: When processing is necessary for compliance with legal obligations
- Legitimate Interest: When processing is necessary for our legitimate interests or those of a third party
Data Retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected:
- Customer data: Retained for the duration of the business relationship plus 7 years for legal compliance
- Marketing data: Retained until consent is withdrawn or for 3 years of inactivity
- Website analytics: Retained for 26 months
- Support tickets: Retained for 3 years after resolution
International Data Transfers
When we transfer personal data outside the European Economic Area (EEA), we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions by the European Commission
- Binding Corporate Rules (BCRs) where applicable
- Certification schemes and codes of conduct
Data Breach Notification
In the event of a personal data breach, we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach
- Inform affected individuals without undue delay if the breach is likely to result in high risk
- Document all data breaches and their effects
- Take immediate steps to contain and remedy the breach
How to Exercise Your Rights
To exercise any of your GDPR rights, please contact us using the information below. We will respond to your request within one month.
When making a request, please provide:
- Your full name and contact information
- Proof of identity (copy of ID document)
- Specific details of your request
- Any relevant reference numbers or account information
There is no charge for most requests, but we may charge a reasonable fee for excessive or repetitive requests.
Contact Information
For any GDPR-related inquiries or to exercise your rights, please contact:
Data Protection Officer: contact@heldus.com
Privacy Team: contact@heldus.com
General Contact: contact@heldus.com
Address: [Company Address]
You also have the right to lodge a complaint with your local supervisory authority if you believe we have not handled your personal data in accordance with GDPR.