Legal Information for EU/EEA

Last Updated: October 1, 2025

For most client relationships:

  • Client: Data Controller (determines purposes and means)
  • InitiumX: Data Processor (processes on behalf of client)
  • Relationship: Governed by Data Processing Agreement (DPA)

For our own operations:

  • Website visitors and contact forms
  • Marketing communications
  • Business relationships and prospects

| Processing Activity | Legal Basis | Article |
| --- | --- | --- |
| Service delivery | Contract performance | Art. 6(1)(b) |
| Marketing emails | Consent | Art. 6(1)(a) |
| Security measures | Legitimate interests | Art. 6(1)(f) |
| Legal compliance | Legal obligation | Art. 6(1)(c) |
| Analytics | Legitimate interests | Art. 6(1)(f) |

You have the right to obtain:

  • Confirmation of processing
  • Copy of personal data
  • Information about processing purposes
  • Categories of data processed
  • Recipients of data
  • Retention period
  • Source of data (if not collected from you)

How to exercise:

  • Email: gdpr@initiumx.dev
  • Subject: “GDPR Article 15 - Right of Access”
  • Timeline: 1 month (extendable to 3 months for complex requests)
  • Format: Electronic copy (PDF, JSON, CSV)
  • Free of charge for first request

You can request:

  • Correction of inaccurate personal data
  • Completion of incomplete personal data
  • Update of outdated information

Timeline:

  • Response: 1 month
  • Completion: Without undue delay
  • Notification to third parties: As required

2.3 Right to Erasure / “Right to be Forgotten” (Article 17)

Grounds for erasure:

  • Data no longer necessary for purposes
  • Withdrawal of consent
  • Object to processing (legitimate grounds)
  • Data processed unlawfully
  • Legal obligation requires erasure
  • Data collected from children (under 16)

Exceptions:

  • Compliance with legal obligations
  • Public interest or official authority
  • Establishment, exercise, or defense of legal claims
  • Archiving/research purposes

Timeline: 1 month to complete

2.4 Right to Restriction of Processing (Article 18)

When you can restrict:

  • Accuracy of data is contested
  • Processing is unlawful but you oppose erasure
  • We no longer need data but you need it for legal claims
  • You objected to processing (pending verification)

Effect: Data stored but not processed (except with consent or for legal claims)

2.5 Right to Data Portability (Article 20)

You can receive:

  • Personal data you provided to us
  • In structured, commonly used, machine-readable format
  • Transmitted directly to another controller (where technically feasible)

Applies when:

  • Processing based on consent or contract
  • Processing carried out by automated means

Formats available:

  • JSON
  • CSV
  • XML
  • SQL dump (for databases)

You can object to processing based on:

  • Legitimate interests (Art. 6(1)(f))
  • Public interest/official authority (Art. 6(1)(e))

Direct marketing:

  • Absolute right to object (no exceptions)
  • Immediate cessation upon request

Profiling and automated decision-making:

  • Right to object to decisions based solely on automated processing
  • Right to human intervention
  • Right to contest the decision
  • Acknowledgment: 72 hours
  • Response: 1 month (standard)
  • Extension: Up to 3 months (complex requests, notified within 1 month)
  • Email verification (for low-risk requests)
  • Additional information for high-risk requests
  • Proportionate to risk of processing

3.1 Lawfulness, Fairness, and Transparency

InitiumX commits to:

  • Process data lawfully with valid legal basis
  • Process fairly without deception
  • Provide clear information about processing
  • Transparent privacy notices

We process data only for:

  • Specified, explicit, and legitimate purposes
  • No further processing incompatible with original purpose
  • New purposes require new legal basis

We collect only:

  • Data adequate for purposes
  • Data relevant to purposes
  • Data limited to what is necessary
  • No excessive data collection

We ensure:

  • Data is accurate and up-to-date
  • Inaccurate data rectified without delay
  • Regular review of data accuracy
  • Mechanisms to update data

Retention periods:

  • No longer than necessary for purposes
  • See detailed retention schedule in Privacy Policy
  • Archiving with appropriate safeguards
  • Automatic deletion after retention period

Security measures:

  • Encryption (TLS 1.3, AES-256)
  • Access controls and authentication
  • Regular security testing
  • Incident response procedures
  • Staff training on data protection

Primary mechanism for transfers:

  • Commission Implementing Decision (EU) 2021/914
  • Module Two: Controller-to-Processor
  • Module One: Controller-to-Controller (when applicable)
  • Binding and enforceable data subject rights

Supplementary measures (Schrems II):

  • Encryption of data in transit and at rest
  • Pseudonymization where appropriate
  • Technical access controls
  • Legal assessment of third country laws
  • Regular review of transfers

| Country | Mechanism | Safeguards |
| --- | --- | --- |
| Honduras | SCCs | Encryption, access controls |
| USA | SCCs | Encryption, limited access |
| UK | Adequacy decision | Standard protections |

  • Full list in DPA Sub-processors
  • Each sub-processor has appropriate safeguards
  • Client notification of new sub-processors
  • Right to object to sub-processors

You can:

  • Request information about transfers
  • Object to transfers to specific countries
  • Request copy of appropriate safeguards
  • Lodge complaint with supervisory authority

Direct contact:

  • Email: dpo@initiumx.dev
  • Subject: Clearly state your request/inquiry
  • Response: Within 72 hours

DPO Responsibilities:

  • Monitor GDPR compliance
  • Advise on data protection obligations
  • Cooperate with supervisory authorities
  • Act as contact point for data subjects

Appropriate for:

  • Complex GDPR requests
  • Complaints about data processing
  • Questions about data protection
  • Data breach concerns
  • Privacy impact assessments

You can complain to:

  • Supervisory authority in your EU/EEA country
  • Supervisory authority where infringement occurred
  • No requirement to exhaust internal remedies first
  • Germany: BfDI (Bundesbeauftragter für den Datenschutz)
  • France: CNIL (Commission Nationale de l’Informatique)
  • UK: ICO (Information Commissioner’s Office)
  • Ireland: DPC (Data Protection Commission)
  • Spain: AEPD (Agencia Española de Protección de Datos)
  • Italy: Garante per la Protezione dei Dati Personali

Full list: https://edpb.europa.eu/about-edpb/about-edpb/members_en

InitiumX commits to:

  • Full cooperation with supervisory authorities
  • Timely responses to inquiries
  • Participation in investigations
  • Implementation of corrective measures

Timeline: 72 hours of becoming aware of breach

Information provided:

  • Nature of personal data breach
  • Categories and number of data subjects affected
  • Categories and number of records affected
  • Likely consequences of breach
  • Measures taken or proposed to address breach

Delays justified if information not immediately available

When required:

  • Breach likely to result in high risk to rights and freedoms
  • Clear and plain language
  • Direct communication where possible

Exceptions:

  • Appropriate technical safeguards applied (e.g., encryption)
  • Subsequent measures ensure no high risk
  • Disproportionate effort (public communication instead)

Timeline: Without undue delay


We do NOT routinely process:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data (for unique identification)
  • Health data
  • Sex life or sexual orientation

If required for specific project:

  • Explicit consent obtained
  • Additional security measures
  • Enhanced Data Protection Impact Assessment (DPIA)
  • Separate written agreement

Article 10 restrictions:

  • Only processed under official authority or when authorized by Union/Member State law
  • Appropriate safeguards for rights and freedoms

9. Automated Decision-Making and Profiling

You have the right not to be subject to:

  • Decisions based solely on automated processing
  • Decisions that produce legal effects or similarly significant effects

Exceptions:

  • Necessary for contract performance
  • Authorized by law with safeguards
  • Based on explicit consent

If automated decisions are made:

  • Right to human intervention
  • Right to express your point of view
  • Right to contest decision

If we use profiling:

  • Clear information in privacy notice
  • Logic involved explained
  • Significance and envisaged consequences disclosed
  • Right to object at any time

Varies by Member State:

  • Minimum: 13 years (some countries)
  • Maximum: 16 years (most countries)
  • InitiumX standard: 16 years (highest protection)

For children under 16:

  • Parental consent required
  • Verifiable parental consent mechanisms
  • Age-appropriate information
  • Enhanced protections

Parents/guardians can:

  • Exercise all GDPR rights on behalf of child
  • Request deletion of child’s data
  • Object to processing
  • Access child’s data

11. Cookies and Tracking (ePrivacy Directive)

Requirements:

  • Prior consent for non-essential cookies
  • Clear and comprehensive information
  • Easy withdrawal of consent
  • No cookie walls (access not conditional on consent)

See: Cookie Policy

Strictly Necessary: No consent needed

  • Session management
  • Security
  • Load balancing

Functional, Analytics, Marketing: Consent required

  • User preferences
  • Usage analytics
  • Targeted advertising

Must read:

Official GDPR resources:



Last Updated: October 1, 2025 | Version: 1.0 | Next Review: January 2026

EU/EEA Support: eu@initiumx.dev | DPO: dpo@initiumx.dev