GDPR Compliance Statement

Last updated: August 2025

1. Introduction

Elevanty BV is committed to full compliance with the General Data Protection Regulation (GDPR) (EU) 2016/679 and Belgian data protection laws. This GDPR Compliance Statement outlines our comprehensive approach to data protection and demonstrates our commitment to protecting your fundamental rights and freedoms.

We have implemented robust technical and organizational measures to ensure that your personal data is processed lawfully, fairly, and transparently, in accordance with GDPR requirements.

2. Our Commitment to GDPR Compliance

As a data controller and processor, we are fully committed to:

  • Protecting your fundamental rights and freedoms
  • Ensuring lawful, fair, and transparent data processing
  • Implementing appropriate technical and organizational measures
  • Maintaining accountability and demonstrating compliance
  • Regularly reviewing and updating our data protection practices

3. Legal Basis for Data Processing

We process personal data based on the following legal grounds as defined in GDPR Article 6:

3.1 Contract Performance (Article 6(1)(b))

  • Providing consultation services and fulfilling agreements
  • Processing necessary for the performance of our services
  • Managing client relationships and project delivery

3.2 Legitimate Interest (Article 6(1)(f))

  • Improving our services and website functionality
  • Preventing fraud and ensuring security
  • Direct marketing to existing clients (with opt-out rights)
  • Business development and relationship management

3.3 Consent (Article 6(1)(a))

  • Marketing communications to prospects
  • Non-essential cookies and tracking technologies
  • Newsletter subscriptions
  • Optional data processing activities

3.4 Legal Obligation (Article 6(1)(c))

  • Compliance with tax and accounting regulations
  • Fulfilling regulatory reporting requirements
  • Responding to legal requests and court orders

4. Data Subject Rights Implementation

We have implemented comprehensive systems and procedures to ensure you can exercise your GDPR rights effectively:

4.1 Right of Access (Article 15)

  • Dedicated data subject request portal
  • Response within 30 days (or 60 days for complex requests)
  • Free of charge for the first request
  • Clear information about data processing activities

4.2 Right of Rectification (Article 16)

  • Easy-to-use correction mechanisms
  • Prompt processing of correction requests
  • Notification to third parties when required
  • Verification of identity before processing

4.3 Right of Erasure (Article 17)

  • Comprehensive data deletion procedures
  • Assessment of legal grounds for retention
  • Secure deletion of data from all systems
  • Notification to third parties when required

4.4 Right to Restrict Processing (Article 18)

  • Ability to limit data processing activities
  • Clear communication about restrictions
  • Maintenance of data for legal purposes when required

4.5 Right to Data Portability (Article 20)

  • Structured, commonly used, machine-readable format
  • Direct transfer to another controller when feasible
  • Comprehensive data export capabilities

4.6 Right to Object (Article 21)

  • Clear objection mechanisms
  • Immediate processing of objections
  • Assessment of compelling legitimate grounds
  • Right to object to direct marketing

4.7 Right to Withdraw Consent (Article 7(3))

  • Easy consent withdrawal mechanisms
  • Immediate effect of withdrawal
  • Clear communication about withdrawal consequences

5. Technical and Organizational Measures

We have implemented comprehensive technical and organizational measures to ensure data security and protection:

5.1 Technical Security Measures

  • Encryption: Data encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Access Controls: Multi-factor authentication and role-based access
  • Network Security: Firewalls, intrusion detection, and DDoS protection
  • Data Backup: Encrypted backups with geographic redundancy
  • Vulnerability Management: Regular security assessments and updates

5.2 Organizational Security Measures

  • Data Protection Officer: Appointed and accessible
  • Employee Training: Regular GDPR and security training
  • Incident Response: Documented procedures and response team
  • Vendor Management: Due diligence and contractual safeguards
  • Audit Procedures: Regular compliance assessments

6. Data Processing Records

We maintain comprehensive records of data processing activities as required by GDPR Article 30:

6.1 Processing Activities Inventory

  • Client consultation and project management
  • Website analytics and performance monitoring
  • Marketing and communication activities
  • Customer support and service delivery
  • Financial and administrative operations

6.2 Data Flow Documentation

  • Data collection points and methods
  • Data processing purposes and legal bases
  • Data sharing and third-party relationships
  • Data retention schedules and deletion procedures
  • International data transfer safeguards

7. Data Protection Impact Assessments

We conduct Data Protection Impact Assessments (DPIAs) for high-risk processing activities:

  • Systematic Evaluation: Assessment of processing risks
  • Risk Mitigation: Implementation of appropriate safeguards
  • Consultation: Engagement with data protection authorities when required
  • Regular Review: Periodic reassessment of processing activities

8. International Data Transfers

We ensure that international data transfers comply with GDPR Chapter V requirements:

8.1 Adequacy Decisions

  • Recognition of adequate protection in recipient countries
  • Monitoring of adequacy decisions and updates

8.2 Standard Contractual Clauses

  • Use of EU Commission-approved clauses
  • Regular review and updates of contractual terms
  • Assessment of local laws and regulations

8.3 Binding Corporate Rules

  • Intra-group data transfer safeguards
  • Approval by competent data protection authorities

9. Data Breach Response

We have implemented comprehensive data breach response procedures in accordance with GDPR Articles 33 and 34:

9.1 Breach Detection and Assessment

  • 24/7 monitoring and detection systems
  • Immediate risk assessment procedures
  • Documentation of all breach details

9.2 Notification Procedures

  • 72-hour notification to Belgian Data Protection Authority
  • Individual notification when high risk to rights and freedoms
  • Clear communication about breach details and mitigation

9.3 Breach Response Team

  • Designated incident response coordinator
  • Technical and legal expertise available
  • Communication and notification procedures

10. Data Protection Officer

We have appointed a Data Protection Officer (DPO) as required by GDPR Article 37:

  • Contact Information: privacy@elevanty.com
  • Independence: DPO operates independently of business operations
  • Expertise: Qualified in data protection law and practices
  • Accessibility: Available to data subjects and supervisory authorities
  • Responsibilities: Monitoring compliance and providing guidance

11. Third-Party Data Processors

We ensure that all third-party data processors comply with GDPR requirements:

11.1 Processor Agreements

  • GDPR-compliant data processing agreements
  • Clear specification of processing purposes and duration
  • Obligation to implement appropriate security measures
  • Right to audit and monitor compliance

11.2 Vendor Due Diligence

  • Assessment of technical and organizational measures
  • Review of data protection policies and procedures
  • Verification of compliance certifications
  • Regular monitoring and reassessment

12. Training and Awareness

We maintain a comprehensive training and awareness program for all employees:

  • Initial Training: GDPR fundamentals for all new employees
  • Regular Updates: Annual refresher training and updates
  • Role-Specific Training: Specialized training for data handlers
  • Testing and Assessment: Regular knowledge assessments
  • Documentation: Training records and compliance tracking

13. Compliance Monitoring and Auditing

We regularly monitor and audit our GDPR compliance:

13.1 Internal Audits

  • Quarterly compliance assessments
  • Review of data processing activities
  • Assessment of technical and organizational measures
  • Identification of improvement opportunities

13.2 External Assessments

  • Annual third-party security assessments
  • GDPR compliance audits by legal experts
  • Penetration testing and vulnerability assessments

14. Contact Information and Complaints

For GDPR-related inquiries, complaints, or to exercise your rights:

14.1 Data Protection Officer

Email: privacy@elevanty.com

Phone: +32 (0) 499 411 000

Address: Elevanty BV, Bd Roi Albert II 4, 1000 Bruxelles, Belgium

14.2 Supervisory Authority

You have the right to lodge a complaint with the Belgian Data Protection Authority:

Autorité de protection des données (APD)
Gegevensbeschermingsautoriteit (GBA)

Address: Rue de la Presse 35, 1000 Bruxelles, Belgium

Phone: +32 (0)2 274 48 00

Email: contact@apd-gba.be

Website: www.autoriteprotectiondonnees.be

15. Updates and Maintenance

This GDPR Compliance Statement is regularly reviewed and updated to reflect:

  • Changes in data processing activities
  • Updates to legal and regulatory requirements
  • Improvements in technical and organizational measures
  • Feedback from data subjects and supervisory authorities

We are committed to maintaining the highest standards of data protection and will continue to enhance our compliance program as requirements evolve.