GDPR Compliance Policy
Effective Date: January 1, 2024
1. Introduction
This GDPR Compliance Policy ("GDPR Policy") supplements our main Privacy
Policy and specifically addresses our compliance with the General Data Protection
Regulation (GDPR) (EU) 2016/679. This policy applies to all users, customers, and data
subjects whose personal data is processed by Mtraf Affiliate Network SRL in connection
with our services.
Company Information:
Company Name: MTRAF Affiliate Network SRL
Registered Address: Suite 101, 1st Floor, Eden Plaza, Eden Island, Mahe, Seychelles
Data Controller: Mtraf Affiliate Network SRL
Data Protection Officer: [email protected]
2. GDPR Applicability and User Obligations
2.1 Mandatory GDPR Declaration
IMPORTANT: Before activating your account or using our services, you MUST declare
whether you are subject to GDPR protection.
GDPR Declaration Requirement:
- All users must indicate whether they are EU residents, EU citizens, or otherwise subject to GDPR protection
- This declaration is mandatory and cannot be bypassed
- Failure to provide accurate GDPR status may result in account suspension or termination
- Users must update their GDPR status if their circumstances change
Declaration Options:
✅ I am subject to GDPR protection (EU resident, EU citizen, or processing occurs in the EU)
❌ I am not subject to GDPR protection (Non-EU resident with no EU connections)
2.2 Consequences of GDPR Status
For GDPR-Protected Users:
- Full GDPR rights and protections apply
- Enhanced data processing controls
- Specific consent mechanisms required
- Right to lodge complaints with EU authorities
For Non-GDPR Users:
- Standard privacy protections apply
- Simplified data processing procedures
- General consent mechanisms
- Local privacy laws may apply
3. Legal Basis for Data Processing
3.1 Primary Legal Bases
We process personal data under the following GDPR legal bases:
Consent (Article 6(1)(a)):
- Marketing communications and promotional activities
- Third-party data sharing for advertising purposes
- Special categories of data processing
- International data transfers outside the EU
Contract Performance (Article 6(1)(b)):
- Account creation and management
- Service delivery and support
- Payment processing and financial transactions
- Affiliate relationship management
Legitimate Interests (Article 6(1)(f)):
- Website analytics and performance optimization
- Fraud prevention and security measures
- Business development and market research
- Service improvement and innovation
Legal Obligations (Article 6(1)(c)):
- Tax and financial reporting requirements
- Regulatory compliance and audits
- Legal proceedings and dispute resolution
- Government requests and investigations
3.2 Special Categories of Data
For special categories of personal data (Article 9), we rely on:
- Explicit Consent: For sensitive data processing
- Legal Obligations: For employment and tax purposes
- Vital Interests: For emergency situations
- Public Interest: For regulatory compliance
4. Data Subject Rights Under GDPR
4.1 Right to Information and Transparency (Articles 12-14)
Right to be Informed:
- Clear information about data processing activities
- Purpose and legal basis for processing
- Data retention periods and storage locations
- Third-party recipients and international transfers
Right of Access (Article 15):
- Confirmation of data processing
- Copy of personal data being processed
- Information about processing purposes and recipients
- Data source and automated decision-making details
4.2 Right to Rectification and Erasure (Articles 16-17)
Right to Rectification (Article 16):
- Correction of inaccurate personal data
- Completion of incomplete personal data
- Verification of correction implementation
- Notification to third-party recipients
Right to Erasure (Article 17) - "Right to be Forgotten":
- Deletion of personal data upon request
- Removal from all systems and backups
- Notification to third-party recipients
- Exceptions for legal obligations and public interest
4.3 Right to Restriction and Portability (Articles 18-20)
Right to Restriction (Article 18):
- Limitation of data processing activities
- Temporary suspension of processing
- Retention without further processing
- Notification of restriction to recipients
Right to Data Portability (Article 20):
- Receipt of data in structured, machine-readable format
- Direct transmission to another controller
- Technical feasibility considerations
- Format and delivery methods
4.4 Right to Object and Automated Decision-Making (Articles 21-22)
Right to Object (Article 21):
- Objection to processing based on legitimate interests
- Objection to direct marketing activities
- Objection to scientific/historical research
- Demonstration of compelling legitimate grounds
Right to Automated Decision-Making (Article 22):
- Human intervention in automated decisions
- Right to express point of view
- Right to contest automated decisions
- Explanation of decision logic and significance
5. Consent Management
5.1 Valid Consent Requirements
Consent Standards:
- Freely given, specific, informed, and unambiguous
- Clear affirmative action required
- Separate consent for different processing purposes
- Easy withdrawal mechanism provided
Consent Mechanisms:
- Checkbox confirmation for each processing purpose
- Granular consent options for different activities
- Clear explanation of consequences of consent/refusal
- Age verification for users under 16 (parental consent required)
5.2 Consent Withdrawal
Withdrawal Process:
- Easy-to-use withdrawal mechanisms
- Immediate effect of withdrawal
- Notification of withdrawal consequences
- Alternative legal bases for continued processing
Withdrawal Methods:
- Account settings and preference centers
- Email opt-out links and unsubscribe mechanisms
- Customer support channels
- Privacy dashboard controls
6. Data Processing Records
6.1 Controller's Processing Activities
Record of Processing Activities (Article 30):
- Name and contact details of controller
- Purposes of processing
- Categories of data subjects and personal data
- Categories of recipients
- International transfers and safeguards
- Retention periods and deletion procedures
- Security measures and technical safeguards
6.2 Processor's Processing Activities
Processor Records:
- Name and contact details of processor
- Categories of processing on behalf of controller
- International transfers and safeguards
- Security measures and technical safeguards
- Sub-processor relationships and agreements
7. Data Protection Impact Assessments (DPIAs)
7.1 DPIA Requirements
When DPIA is Required:
- Systematic and extensive evaluation of personal aspects
- Large-scale processing of special categories of data
- Systematic monitoring of publicly accessible areas
- Processing of personal data relating to criminal convictions
DPIA Process:
- Systematic description of processing operations
- Assessment of necessity and proportionality
- Risk assessment and mitigation measures
- Consultation with data protection authorities
7.2 High-Risk Processing
High-Risk Activities:
- Profiling and automated decision-making
- Large-scale data processing
- Special categories of data processing
- Innovative technology use
- Data matching and combining
8. Data Breach Notification
8.1 Breach Detection and Assessment
Breach Identification:
- 72-hour notification requirement
- Risk assessment and impact evaluation
- Documentation of breach details
- Containment and remediation measures
Risk Assessment Criteria:
- Nature, scope, context, and purposes of processing
- Likelihood and severity of risk to rights and freedoms
- Number of data subjects affected
- Categories of personal data involved
8.2 Notification Requirements
Supervisory Authority Notification:
- Breach description and categories of data subjects
- Name and contact details of DPO
- Likely consequences and measures taken
- Risk mitigation and remediation actions
Data Subject Notification:
- High-risk breaches requiring individual notification
- Clear and plain language communication
- Contact information for DPO
- Recommended protective measures
9. International Data Transfers
9.1 Transfer Mechanisms
Adequacy Decisions:
- Transfers to countries with adequate protection
- European Commission adequacy findings
- Ongoing adequacy monitoring and review
- Suspension of adequacy decisions if needed
Standard Contractual Clauses (SCCs):
- EU Commission-approved SCCs
- Appropriate safeguards and supplementary measures
- Transfer impact assessments
- Regular review and updates
Binding Corporate Rules (BCRs):
- Intra-group data transfer rules
- Approval by competent supervisory authority
- Binding and enforceable commitments
- Regular compliance monitoring
9.2 Transfer Safeguards
Technical Safeguards:
- Encryption of data in transit and at rest
- Access controls and authentication mechanisms
- Regular security assessments and audits
- Incident response and breach notification
Organizational Safeguards:
- Data processing agreements with recipients
- Staff training and awareness programs
- Regular compliance monitoring and reporting
- Audit rights and access for supervisory authorities
10. Data Protection Officer (DPO)
10.1 DPO Requirements
DPO Appointment:
- Mandatory appointment for public authorities
- Large-scale processing operations
- Special categories of data processing
- Systematic monitoring of data subjects
DPO Qualifications:
- Expert knowledge of data protection law
- Professional qualities and ability to perform duties
- Independence and conflict of interest management
- Direct reporting to highest management level
10.2 DPO Responsibilities
Core Duties:
- Inform and advise on GDPR compliance
- Monitor compliance with GDPR and policies
- Provide advice on data protection impact assessments
- Cooperate with supervisory authorities
Contact Information:
- DPO Email: [email protected]
- DPO Address: Mtraf Affiliate Network SRL, Suite 101, 1st Floor, Eden Plaza, Eden Island, Mahe, Seychelles, MD-2001
- Response Time: Within 30 days of receiving requests
11. Supervisory Authority Cooperation
11.1 Authority Cooperation
Cooperation Requirements:
- Respond to supervisory authority requests
- Provide access to processing facilities
- Submit to audits and inspections
- Implement authority recommendations
Lead Supervisory Authority:
- Primary authority for cross-border processing
- One-stop-shop mechanism
- Cooperation with concerned authorities
- Joint decision-making procedures
11.2 Complaint Handling
Complaint Process:
- Acknowledge receipt of complaints
- Investigate and respond to complaints
- Provide status updates and resolution
- Implement corrective measures if needed
Right to Lodge Complaints:
- Direct complaint to supervisory authority
- Complaint to controller or processor
- Judicial remedy and compensation
- Representative actions and collective redress
12. GDPR Compliance Monitoring
12.1 Regular Assessments
Compliance Monitoring:
- Regular GDPR compliance audits
- Policy and procedure reviews
- Staff training and awareness programs
- Technology and process updates
Risk Management:
- Data protection risk assessments
- Mitigation strategy development
- Regular risk monitoring and reporting
- Incident response and recovery planning
12.2 Documentation and Records
Required Documentation:
- Processing activity records
- Data protection impact assessments
- Breach notification records
- Training and awareness records
Record Retention:
- Minimum retention periods for GDPR records
- Secure storage and access controls
- Regular review and update procedures
- Disposal and destruction protocols
13. User Obligations and Responsibilities
13.1 Mandatory GDPR Declaration
Account Activation Requirement:
- BEFORE creating an account, users MUST declare GDPR status
- Declaration cannot be skipped or bypassed
- False declarations may result in account termination
- Users must update status if circumstances change
Declaration Process:
- User must select GDPR status during registration
- System validates declaration completeness
- Account activation requires valid declaration
- Periodic re-confirmation may be required
13.2 User Cooperation
Required Cooperation:
- Provide accurate and complete information
- Update personal data when changes occur
- Respond to verification requests
- Comply with reasonable security requirements
User Responsibilities:
- Maintain account security and credentials
- Report suspected security incidents
- Comply with terms of service and policies
- Respect other users' privacy rights
14. Enforcement and Penalties
14.1 Administrative Fines
Penalty Factors:
- Intentional or negligent character of infringement
- Degree of cooperation with supervisory authority
- Categories of personal data affected
- Measures taken to mitigate damage
14.2 Corrective Powers
Supervisory Authority Powers:
- Issue warnings and reprimands
- Order compliance with data subject requests
- Impose temporary or permanent processing bans
- Order data deletion or rectification
Enforcement Actions:
- Regular compliance monitoring
- Investigation of complaints and breaches
- Imposition of administrative fines
- Judicial proceedings and remedies
15. Contact Information and Support
15.1 GDPR-Specific Contacts
Data Protection Officer:
- Email: [email protected]
- Address: Mtraf Affiliate Network SRL, Suite 101, 1st Floor, Eden Plaza, Eden Island, Mahe, Seychelles, MD-2001
- Response Time: Within 30 days for GDPR requests
15.2 Supervisory Authority Contacts
Complaint Submission:
- Direct submission to supervisory authority
- Online complaint forms and procedures
- Required information and documentation
- Complaint tracking and follow-up
16. Policy Updates and Changes
16.1 Regular Review
Review Schedule:
- Updates based on regulatory changes
- Incorporation of best practices
- User feedback and improvement
Update Process:
- Legal review and approval
- User notification of changes
- Implementation timeline
- Training and awareness updates
16.2 Change Notification
Notification Methods:
- Email notification to registered users
- Website policy updates
- Account notification systems
- Public announcements and press releases
Effective Date:
- Immediate effect for new users
- Notice period for existing users
- Grace period for compliance
- Retroactive application where permitted
Last Updated: January 1, 2024
Version: 1.0
GDPR Declaration Required: ✅ MANDATORY