GDPR Compliance
Our commitment to compliance with the European Union's General Data Protection Regulation (GDPR).
1. Introduction
At Codelify, we take data protection very seriously and are committed to complying with the General Data Protection Regulation (GDPR) of the European Union. This page explains how we process personal data in accordance with GDPR principles and outlines your rights under this regulation.
The GDPR is a comprehensive data protection law that came into effect on May 25, 2018. It strengthens the rights of individuals regarding their personal data and aims to unify data protection regulations throughout the EU.
2. Our Role Under GDPR
Under the GDPR, Codelify acts as both a "data controller" and a "data processor" depending on the circumstances:
- Data Controller: We act as a data controller when we determine the purposes and means of processing personal data, such as when we collect information about our customers and users for account management, marketing, and business operations.
- Data Processor: We act as a data processor when we process personal data on behalf of our clients who use our services for their own business purposes.
In both roles, we are committed to handling personal data responsibly and in compliance with GDPR requirements.
3. Our GDPR Compliance Measures
We have implemented several measures to ensure compliance with GDPR principles:
3.1 Data Protection by Design and Default
We've incorporated data protection principles into our business processes and software development lifecycle. Our systems are designed to collect only the personal data that is necessary for the specific purpose and to ensure appropriate security measures are in place.
3.2 Data Processing Records
We maintain detailed records of our data processing activities, including the purposes of processing, categories of personal data processed, recipients of data, and security measures implemented.
3.3 Data Protection Impact Assessments
For new projects that involve processing personal data that may result in a high risk to individuals' rights and freedoms, we conduct Data Protection Impact Assessments (DPIAs) to identify and minimize privacy risks.
3.4 Data Processing Agreements
We have implemented data processing agreements with our vendors and partners who process personal data on our behalf, ensuring they meet GDPR requirements and provide appropriate safeguards.
3.5 Security Measures
We have implemented robust technical and organizational security measures to protect personal data, including encryption, access controls, regular security assessments, and staff training.
3.6 Data Breach Procedures
We have established procedures for detecting, reporting, and investigating personal data breaches, in line with the GDPR's 72-hour notification requirement.
4. Lawful Bases for Processing
Under the GDPR, we process personal data on one or more of the following lawful bases:
- Consent: The individual has given clear, specific consent for us to process their personal data for a specific purpose.
- Contract: The processing is necessary for a contract we have with the individual or to take steps at the individual's request before entering into a contract.
- Legal Obligation: The processing is necessary for us to comply with the law.
- Legitimate Interests: The processing is necessary for our legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual's personal data which overrides those legitimate interests.
We clearly identify the lawful basis for each processing activity in our Privacy Policy and internal documentation.
5. Data Subject Rights
Under the GDPR, individuals have several rights regarding their personal data. We have implemented procedures to ensure these rights can be exercised:
5.1 Right to Access
Individuals have the right to request a copy of their personal data and information about how we process it.
5.2 Right to Rectification
Individuals have the right to have inaccurate personal data rectified and incomplete personal data completed.
5.3 Right to Erasure
Also known as the 'right to be forgotten,' individuals can request the deletion of their personal data in certain circumstances, such as when the data is no longer necessary for the purpose for which it was collected.
5.4 Right to Restrict Processing
Individuals can request that we restrict the processing of their personal data in certain circumstances, such as when they contest the accuracy of the data.
5.5 Right to Data Portability
Individuals can request to receive their personal data in a structured, commonly used, and machine-readable format, or have it transmitted directly to another data controller where technically feasible.
5.6 Right to Object
Individuals have the right to object to the processing of their personal data in certain circumstances, including when the processing is based on legitimate interests or for direct marketing purposes.
5.7 Rights Related to Automated Decision Making
Individuals have rights regarding automated individual decision-making and profiling, including the right not to be subject to decisions based solely on automated processing which produce legal or similarly significant effects.
6. International Data Transfers
When transferring personal data outside the European Economic Area (EEA), we implement appropriate safeguards to ensure that the data receives an adequate level of protection, such as:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Binding Corporate Rules (BCRs) for transfers within a corporate group
- Transfers to countries with an adequacy decision from the European Commission
We regularly review and update our international transfer mechanisms to align with evolving regulatory requirements and guidance.
7. Data Protection Officer
To oversee our data protection strategy and implementation, we have appointed a Data Protection Officer (DPO) who is responsible for:
- Informing and advising our organization and employees about GDPR obligations
- Monitoring compliance with the GDPR and other data protection laws
- Providing advice regarding Data Protection Impact Assessments
- Cooperating with supervisory authorities
- Acting as a contact point for data subjects on privacy matters
You can contact our DPO at dpo@codelify.com for any questions related to GDPR or data protection.
8. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, including any legal, accounting, or reporting requirements. Our data retention policies specify retention periods for different types of data, after which the data is securely deleted or anonymized.
Factors we consider when determining appropriate retention periods include:
- The amount, nature, and sensitivity of the personal data
- The potential risk of harm from unauthorized use or disclosure
- The purposes for which we process the data
- Whether we can achieve those purposes through other means
- Legal, regulatory, and contractual requirements
9. GDPR Compliance for Our Clients
We provide tools and features to help our clients comply with the GDPR when using our services, including:
- Data Processing Agreement: A comprehensive DPA that addresses GDPR requirements for data processors.
- Data Subject Request Tools: Features to help clients respond to data subject requests, such as access, deletion, or export of personal data.
- Security Features: Tools and settings to implement appropriate technical and organizational measures to protect personal data.
- Documentation: Clear guidance on how our services can be used in a GDPR-compliant manner.
10. How to Exercise Your Rights
If you would like to exercise any of your GDPR rights regarding your personal data, you can contact us through the following methods:
- By email: privacy@codelify.com
- By phone: +90 123 456 7890
- By mail: Codelify, Istanbul, Turkey
- Through our online form: [link to data subject request form]
We aim to respond to all legitimate requests within one month. Occasionally, it may take us longer if your request is particularly complex or you have made several requests. In this case, we will notify you and keep you updated.
If you are not satisfied with our response to your request, you have the right to lodge a complaint with a supervisory authority. However, we would appreciate the chance to address your concerns before you approach the authority, so please contact us in the first instance.