1. Scope & Applicability
This GDPR Compliance Policy applies to all processing of personal data relating to EU/EEA data subjects by GoNexel, regardless of where the processing takes place. GoNexel acts as a Data Controller for client account data and as a Data Processor when handling data on behalf of clients.
While GDPR specifically protects EU/EEA residents, GoNexel applies GDPR principles as a baseline for all client data, regardless of geography.
2. Data Protection Principles
GoNexel adheres to all seven GDPR principles:
| Principle | How GoNexel Implements It |
|---|---|
| Lawfulness, Fairness & Transparency | Clear privacy policy, explicit consent mechanisms, transparent data practices |
| Purpose Limitation | Data collected only for specified, legitimate purposes stated at the time of collection |
| Data Minimisation | Only essential data collected; no unnecessary personal data processing |
| Accuracy | Regular data reviews, client self-service updates, correction within 5 business days |
| Storage Limitation | Data retained no longer than 90 days after account deletion, then purged per the retention schedule |
| Integrity & Confidentiality | AES-256 encryption, access controls, regular security audits |
| Accountability | DPO appointed, DPIA conducted, processing records maintained |
3. Legal Bases for Processing
| Processing Activity | Legal Basis (Article 6) | Details |
|---|---|---|
| Account Creation & Service Delivery | Contractual Necessity (6.1.b) | Required to fulfil service contract |
| Payment Processing | Contractual Necessity (6.1.b) | Required for billing and invoicing |
| Marketing Emails | Consent (6.1.a) | Explicit opt-in required; withdraw anytime |
| Service Improvement | Legitimate Interest (6.1.f) | Analytics and feedback analysis (with opt-out) |
| Tax & Legal Obligations | Legal Obligation (6.1.c) | GST, financial records retention |
| Fraud Prevention | Legitimate Interest (6.1.f) | Monitoring and detection systems |
4. Data Subject Rights
EU/EEA data subjects have the following rights under GDPR. GoNexel will respond to all requests within 30 days:
| Right | Description | How to Exercise |
|---|---|---|
| Right of Access (Art. 15) | Obtain a copy of your personal data | Email request — data provided in portable format within 7 days |
| Right to Rectification (Art. 16) | Correct inaccurate data | Email request — corrected within 5 business days |
| Right to Erasure (Art. 17) | Request deletion of your data | Email request — deleted within 90 days (subject to legal exceptions) |
| Right to Restrict (Art. 18) | Restrict how your data is processed | Email request — processing restricted within 7 days |
| Right to Portability (Art. 20) | Receive data in a portable format | Data provided in JSON, CSV, or PDF format |
| Right to Object (Art. 21) | Object to processing based on legitimate interest | Email request — processing halted pending review |
| Right re: Automated Decisions (Art. 22) | Not be subject to solely automated decisions | Human review available on request |
5. Data Protection Officer (DPO)
GoNexel has designated a Data Protection Officer responsible for GDPR compliance oversight:
Email: info@gonexel.com (Subject: "DPO Inquiry")
Response Time: Within 5 business days
Responsibilities: Compliance monitoring, DPIA oversight, data subject rights coordination, regulatory liaison
6. International Data Transfers
When transferring personal data outside the EU/EEA, GoNexel employs appropriate safeguards:
- Standard Contractual Clauses (SCCs): EU-approved clauses in all cross-border agreements
- Adequacy Decisions: Transfers to countries with EU adequacy decisions
- Data Processing Agreements (DPAs): Binding agreements with all processors
- Primary Storage: AWS Mumbai, India — with data processed in compliance with EU requirements
7. Data Protection Impact Assessments
GoNexel conducts Data Protection Impact Assessments (DPIAs) when:
- Introducing new processing technologies or systems
- Processing large-scale sensitive personal data
- Systematic monitoring of public areas
- Automated decision-making with legal or significant effects
DPIAs are reviewed by the DPO and their results are documented. The supervisory authority is consulted when a high residual risk is identified.
8. Breach Notification
Supervisory Authority: Notified within 72 hours of a confirmed personal data breach.
Affected Data Subjects: Notified without undue delay if the breach is likely to result in a high risk to their rights and freedoms.
Breach Register: All breaches documented in our breach register, regardless of severity.
9. Sub-Processors
GoNexel uses the following sub-processors for EU data:
| Processor | Purpose | Location | Safeguards |
|---|---|---|---|
| AWS | Cloud infrastructure & storage | India (Mumbai) | SCCs, DPA |
| Stripe | Payment processing | USA / EU | SCCs, PCI DSS |
| Google Analytics | Website analytics | USA | Anonymisation, SCCs |
| Cloudflare | CDN & DDoS protection | Global | SCCs, DPA |
Clients are notified of any changes to sub-processors with 30 days' advance notice. Objections are considered in good faith.
10. Contact
GoNexel — Data Protection Officer
Email: info@gonexel.com (Subject: "GDPR Request")
Website: gonexel.com
Supervisory Authority Complaint: You have the right to lodge a complaint with your local EU data protection authority.