EU Data Protection
GDPR Compliance Policy
Last updated: January 1, 2024 · Applies to: EU/EEA residents · Regulation: EU 2016/679
SuperTek Media is fully GDPR compliant. We act as both a Data Controller (for our own client data) and a Data Processor (when running campaigns on behalf of clients). A full Data Processing Agreement (DPA) is available upon request.
1. Our Role Under GDPR
As a Data Controller
When you contact us, visit our website, or become a client, SuperTek Media is the Data Controller. We determine how and why your data is processed.
As a Data Processor
When we run lead generation or email campaigns on behalf of our clients, we act as a Data Processor. The client is the Data Controller and instructs us on how data must be handled. We sign a DPA with every client before processing begins.
2. Lawful Bases We Rely On
- Consent (Art. 6(1)(a)): For marketing emails, newsletter subscriptions, and cookie usage. Consent is freely given, specific, informed, and unambiguous. You can withdraw at any time.
- Contract (Art. 6(1)(b)): Processing necessary to deliver our services to clients and respond to service enquiries.
- Legitimate Interests (Art. 6(1)(f)): For B2B direct outreach where our interests do not override individual rights. We conduct Legitimate Interest Assessments (LIAs) before relying on this basis.
- Legal Obligation (Art. 6(1)(c)): Compliance with tax, employment, and other legal requirements.
3. Data Subject Rights (EU Residents)
EU/EEA residents have the following rights under GDPR:
- Right to Access (Art. 15): Obtain confirmation of whether we process your data and receive a copy
- Right to Rectification (Art. 16): Have inaccurate or incomplete data corrected
- Right to Erasure / “Right to be Forgotten” (Art. 17): Have your data deleted in certain circumstances
- Right to Restriction (Art. 18): Restrict processing while a dispute is resolved
- Right to Data Portability (Art. 20): Receive your data in a portable format to transfer to another provider
- Right to Object (Art. 21): Object to processing based on legitimate interests or direct marketing
- Rights re: Automated Decision-Making (Art. 22): Not to be subject to solely automated decisions with significant effects
To exercise any right: email info@supertekmedia.com with subject “GDPR Data Request”. We will respond within 30 days (extendable by 2 months for complex requests). No fee is charged for reasonable requests.
4. Data Processing Agreement (DPA)
All clients who engage SuperTek Media to process personal data on their behalf will receive and sign a Data Processing Agreement before campaign launch. The DPA covers:
- Subject matter, duration, nature, and purpose of processing
- Type of personal data and categories of data subjects
- Obligations and rights of the controller (client)
- Our obligations as processor including sub-processor management
- Security measures, breach notification procedures, and audit rights
To request a DPA, email info@supertekmedia.com with the subject “DPA Request”.
5. International Data Transfers
When transferring personal data from the EU/EEA to India or other third countries, we use:
- Standard Contractual Clauses (SCCs) as approved by the European Commission (Decision 2021/914)
- Transfer Impact Assessments (TIAs) to verify appropriate safeguards
- Supplementary technical measures (encryption, pseudonymisation) where necessary
6. Data Breach Notification
In the event of a personal data breach, we will:
- Notify relevant supervisory authorities within 72 hours of becoming aware (Art. 33)
- Notify affected data subjects without undue delay if the breach is likely to result in high risk (Art. 34)
- Document all breaches internally regardless of whether notification is required
- Notify our clients (as Data Controllers) immediately upon discovering any breach affecting their campaign data
7. Sub-Processors
We use the following sub-processors when handling personal data. All sub-processors are bound by DPAs and comply with GDPR:
- EmailJS — Form submission delivery (EU-compliant servers)
- Google Analytics — Website analytics (data anonymisation enabled)
- HubSpot — CRM and campaign management
- Amazon Web Services (AWS) — Cloud infrastructure (EU region where applicable)
Clients will be notified of any changes to our sub-processor list with at least 30 days’ notice.
8. Supervisory Authority
EU/EEA residents have the right to lodge a complaint with their national data protection authority. A directory of EU supervisory authorities is available at edpb.europa.eu.