
GDPR compliance

Our compliance programme for the General Data Protection Regulation in Corp-Merch.IT Italy operations.

Programme pillars

Our GDPR programme has five pillars:

1. Records of Processing Activities (RoPA) maintained under Article 30, reviewed every 6 months.
2. Data Protection Impact Assessments (DPIA) for high-risk processing, including any new redemption portals.
3. A Data Protection Officer (DPO) reachable at [email protected], independent from product lines.
4. Incident and breach response procedure with a 72-hour notification SLA.
5. Annual training for all customer-facing and engineering staff.

Rights of data subjects

We respond to access, rectification, erasure, restriction, portability and objection requests within 30 days, extendable by a further 60 days for complex cases as permitted by Article 12(3). Identity is verified through a second-channel check (we email the address on file) — we will not send personal data based on an unverified email alone. The first request per year is free of charge; manifestly unfounded or excessive requests may carry a reasonable fee.

Local supervisory authority

In Italy the supervisory authority is the Garante per la protezione dei dati personali (Italian DPA). Legislative Decree 196/2003, as amended by D.Lgs. 101/2018 to align Italian law with the GDPR, provides the national specificities. We register processing where required and cooperate with investigations under Article 31 GDPR. Our DPO maintains a register of supervisory-authority correspondence and is the single point of contact for any one-stop-shop or lead-supervisory-authority cooperation under Article 56.

FAQ

Do you appoint an EU representative?

Our group entity is established in the EU, so the Article 27 requirement to appoint a representative, which applies only to controllers and processors not established in the Union, does not apply to us; we are directly subject to the GDPR.

What is your breach-notification timeline?

Internal escalation within 1 hour of detection; risk assessment within 24 hours; notification to the supervisory authority and affected controllers within 72 hours of awareness.

Do you train all employees?

Yes — annual mandatory training with completion tracking. Engineering staff additionally receive secure-coding training.

Where can I see your RoPA?

The RoPA is internal but a summary is published on the trust page; full extracts on request under NDA.

Do you process special-category data?

Rarely. Where unavoidable (e.g., dietary preferences for an event), we obtain explicit consent and apply strict access controls.

Contact