GDPR Compliance Policy
Introduction
At Viral Trill, we are committed to protecting the privacy and rights of individuals in accordance with the General Data Protection Regulation (GDPR). This GDPR Compliance Policy explains how we comply with the GDPR and outlines the rights of data subjects when using our anonymous communication platform.
This policy applies to all personal data we process regardless of the media on which it is stored. It applies to all staff and contractors working for and on behalf of Viral Trill. This policy should be read in conjunction with our Privacy Policy and Cookie Policy.
Data Protection Principles
We adhere to the principles set out in the GDPR when processing personal data:
- Lawfulness, fairness, and transparency: We process personal data lawfully, fairly, and in a transparent manner.
- Purpose limitation: We collect personal data for specified, explicit, and legitimate purposes and do not process it in a manner incompatible with those purposes.
- Data minimization: We ensure that personal data is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.
- Accuracy: We take reasonable steps to ensure personal data is accurate and, where necessary, kept up to date.
- Storage limitation: We keep personal data in a form which permits identification of data subjects for no longer than is necessary for the purposes for which it is processed.
- Integrity and confidentiality: We process personal data in a manner that ensures appropriate security of the personal data.
- Accountability: We are responsible for and can demonstrate compliance with the GDPR principles.
Legal Basis for Processing
We only process personal data where we have a lawful basis for doing so. The lawful bases we rely on are:
- Consent: The data subject has given clear consent for us to process their personal data for a specific purpose.
- Contract: The processing is necessary for a contract we have with the data subject, or because they have asked us to take specific steps before entering into a contract.
- Legal obligation: The processing is necessary for us to comply with the law.
- Vital interests: The processing is necessary to protect someone's life.
- Legitimate interests: The processing is necessary for our legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual's personal data which overrides those legitimate interests.
Your Rights as a Data Subject
Under the GDPR, data subjects have the following rights:
1. The Right to be Informed
You have the right to be informed about the collection and use of your personal data. We provide this information in our Privacy Policy and at the point of data collection.
2. The Right of Access
You have the right to request a copy of your personal data and information about how we process it.
3. The Right to Rectification
You have the right to have inaccurate or incomplete personal data corrected or completed.
4. The Right to Erasure
Also known as 'the right to be forgotten,' you have the right to request the deletion of your personal data in certain circumstances.
5. The Right to Restrict Processing
You have the right to request the restriction or suppression of your personal data in certain circumstances.
6. The Right to Data Portability
You have the right to receive a copy of your personal data in a structured, commonly used, and machine-readable format and/or request that we transfer it to another controller.
7. The Right to Object
You have the right to object to the processing of your personal data in certain circumstances, including direct marketing and processing based on legitimate interests.
8. Rights Related to Automated Decision Making and Profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.
How to Exercise Your Rights
You can exercise any of these rights by contacting us at privacy@viraltrill.com or through our Contact Page. We will respond to your request within one month. This period may be extended by two further months where necessary, taking into account the complexity and number of the requests.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it.
Data Protection Officer (DPO)
We have designated a point of contact for data protection matters. If you have any questions about this GDPR policy or how we handle your personal information, please contact:
GDPR Contact: Data Privacy Team
Email: dpo@viraltrill.com
Address: Viral Trill, 123 Privacy Boulevard, Secure City, SC1 2DP
Data Breach Notification
In the case of a personal data breach, we will, without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the relevant supervisory authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, we will communicate the personal data breach to the data subject without undue delay.
International Data Transfers
We may need to transfer your personal data to countries outside the European Economic Area (EEA). Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by implementing at least one of the following safeguards:
- Transferring data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission.
- Using standard contractual clauses approved by the European Commission which give personal data the same protection it has in Europe.
- For transfers to the US, working with providers that are part of approved data protection frameworks.
Data Protection Impact Assessments (DPIAs)
Where processing is likely to result in a high risk to the rights and freedoms of individuals, we will carry out a Data Protection Impact Assessment (DPIA) before commencing the processing. The DPIA will include a description of the processing, its purpose, an assessment of necessity and proportionality, an assessment of risks to individuals, and the measures to address these risks.
Records of Processing Activities
We maintain records of our processing activities as required by the GDPR. These records include the purposes of processing, categories of data subjects and personal data, categories of recipients, information about transfers, retention schedules, and a general description of technical and organizational security measures.
Training and Awareness
We ensure that our staff and contractors understand the importance of protecting personal data, are familiar with our data protection policies, and receive appropriate training to maintain awareness of their responsibilities.
Data Minimization and Anonymity
As an anonymous communication platform, we are committed to data minimization principles. We collect only the minimum amount of data necessary to provide our services. While we strive to maximize anonymity, we also maintain appropriate safeguards to prevent abuse of our platform.
Changes to This Policy
We may update this GDPR Policy from time to time. Any changes we make to this policy will be posted on this page and, where appropriate, notified to you by email. Please check back frequently to see any updates or changes to our GDPR Policy.
Complaints
If you believe that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement.
You also have the right to lodge a complaint with us directly. To do so, please contact us at privacy@viraltrill.com.