
GDPR Compliance

Last updated: 1/18/2026

1. Our Commitment to GDPR

DONNA is committed to protecting the privacy and security of personal data in accordance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

2. Data Controller and Processor

When you use DONNA, you act as the data controller for any personal data you process through our services. DONNA acts as a data processor, processing data on your behalf according to your instructions.

3. Your Rights Under GDPR

As a data subject, you have the following rights:

  • Right to Access: Request access to your personal data
  • Right to Rectification: Request correction of inaccurate data
  • Right to Erasure: Request deletion of your data ("right to be forgotten")
  • Right to Restriction: Request restriction of processing
  • Right to Data Portability: Receive your data in a structured format
  • Right to Object: Object to processing of your data
  • Rights Related to Automated Decision-Making: Not be subject to automated decisions

4. Legal Basis for Processing

We process personal data based on:

  • Contract: To provide our services to you
  • Legitimate Interests: To improve and secure our services
  • Consent: Where you have given explicit consent
  • Legal Obligation: To comply with legal requirements

5. Data Protection Measures

We implement appropriate technical and organizational measures including:

  • Encryption of data in transit and at rest
  • Regular security assessments and audits
  • Access controls and authentication
  • Employee training on data protection
  • Incident response procedures
  • Data minimization practices

6. Data Transfers

When we transfer personal data outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, such as:

  • Standard Contractual Clauses (SCCs)
  • Adequacy decisions by the European Commission
  • Binding Corporate Rules

7. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law. You can request deletion of your data at any time.

8. Data Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority within 72 hours
  • Notify affected individuals without undue delay
  • Document the breach and our response

9. Data Protection Officer

For questions about data protection or to exercise your rights, contact our Data Protection Officer at derek@bem.studio.

10. Supervisory Authority

You have the right to lodge a complaint with a supervisory authority if you believe we have not complied with GDPR requirements.

11. Customer Responsibilities

As a customer using DONNA to process personal data, you must:

  • Have a lawful basis for processing personal data
  • Provide appropriate privacy notices to data subjects
  • Obtain necessary consents
  • Respond to data subject requests
  • Implement appropriate security measures
  • Report data breaches as required

12. Data Processing Agreement

Our Data Processing Agreement (DPA) is available to all customers and includes:

  • Subject matter and duration of processing
  • Nature and purpose of processing
  • Types of personal data and categories of data subjects
  • Obligations and rights of the controller
  • Security measures and sub-processing arrangements

13. Contact Us

For GDPR-related inquiries, please contact us at derek@bem.studio.