GDPR Compliance

General Data Protection Regulation

Last Updated: November 20, 2025

Our Commitment to GDPR Compliance

Coreway Solution is committed to protecting the privacy and security of personal data in accordance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

This page outlines how we comply with GDPR requirements and your rights as a data subject under GDPR.

Legal Basis for Processing Personal Data

We process personal data only when we have a legal basis to do so. The legal bases we rely on include:

Consent

You have given clear consent for us to process your personal data for a specific purpose.

Examples:

  • Newsletter subscriptions
  • Marketing communications
  • Cookie consent

Contract

Processing is necessary for a contract we have with you, or because you have asked us to take specific steps before entering into a contract.

Examples:

  • Service delivery
  • Project execution
  • Payment processing

Legal Obligation

Processing is necessary for us to comply with the law.

Examples:

  • Tax compliance
  • Employment law
  • Data retention requirements

Legitimate Interests

Processing is necessary for our legitimate interests or the legitimate interests of a third party, unless your interests and fundamental rights override those interests.

Examples:

  • Fraud prevention
  • Network security
  • Business analytics

Your Rights Under GDPR

Under GDPR, you have the following rights regarding your personal data:

Right to Access

You have the right to request copies of your personal data. We may charge a small fee for this service.

How to exercise:

Submit a data access request via email to privacy@corewaysolution.com

Right to Rectification

You have the right to request that we correct any information you believe is inaccurate or complete information you believe is incomplete.

How to exercise:

Contact us with the details you wish to update

Right to Erasure

You have the right to request that we erase your personal data, under certain conditions.

How to exercise:

Submit a deletion request explaining why you want your data erased

Right to Restrict Processing

You have the right to request that we restrict the processing of your personal data, under certain conditions.

How to exercise:

Specify which processing activities you want restricted and why

Right to Data Portability

You have the right to request that we transfer the data we have collected to another organization, or directly to you, under certain conditions.

How to exercise:

Request your data in a structured, commonly used format

Right to Object

You have the right to object to our processing of your personal data, under certain conditions.

How to exercise:

State your objection and the specific processing you want stopped

Right to Withdraw Consent

Where we rely on consent to process your data, you have the right to withdraw that consent at any time.

How to exercise:

Use unsubscribe links or contact us directly

Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority if you believe your data protection rights have been violated.

How to exercise:

Contact your local data protection authority

How We Protect Your Data

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

Technical Measures

  • End-to-end encryption for data transmission (SSL/TLS)
  • Encrypted storage of sensitive personal data
  • Regular security assessments and penetration testing
  • Multi-factor authentication for system access
  • Automated backup and disaster recovery systems

Organizational Measures

  • Staff training on data protection and GDPR compliance
  • Strict access controls and need-to-know principles
  • Data protection impact assessments for high-risk processing
  • Regular review and update of security policies
  • Incident response and breach notification procedures

Contractual Measures

  • Data processing agreements with third-party processors
  • Vendor security assessments
  • Contractual confidentiality obligations
  • Regular audits of third-party compliance

Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected and to comply with legal obligations.

Data Type | Retention Period | Reason
Customer Account Data | Duration of relationship + 7 years | Contract performance and legal obligations
Marketing Data | Until consent is withdrawn + 30 days | Marketing purposes with consent
Website Analytics | 26 months | Legitimate interest in site improvement
Financial Records | 7 years | Tax and accounting legal requirements
Support Inquiries | 3 years after resolution | Customer service and quality improvement

International Data Transfers

We may transfer your personal data outside the European Economic Area (EEA). When we do, we ensure appropriate safeguards are in place to protect your data, including:

  • EU Standard Contractual Clauses (SCCs)
  • Adequacy decisions by the European Commission
  • Binding Corporate Rules for intra-group transfers
  • Explicit consent for specific transfers where appropriate

We conduct transfer impact assessments to ensure the level of protection travels with your data.

Data Protection Officer

We have appointed a Data Protection Officer (DPO) to oversee our data protection strategy and ensure compliance with GDPR requirements.

Data Protection Officer

Email: dpo@corewaysolution.com

Responsibilities:

  • Monitoring GDPR compliance
  • Providing advice on data protection matters
  • Serving as point of contact for data subjects and supervisory authorities
  • Conducting data protection impact assessments

Data Breach Notification

In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority within 72 hours of becoming aware of the breach
  • Notify affected individuals without undue delay if the breach is likely to result in a high risk
  • Document all data breaches, including facts, effects, and remedial actions taken
  • Take immediate steps to mitigate the breach and prevent future occurrences

Children's Privacy

We do not knowingly process personal data of children under 16 years of age without parental consent. If we become aware that we have collected personal data from a child under 16 without parental consent, we will take steps to delete that information as quickly as possible.

If you believe we have collected data from a child without proper consent, please contact us immediately.

Automated Decision-Making and Profiling

We do not use automated decision-making or profiling that produces legal effects or similarly significantly affects you.

Any automated processing we conduct is limited to analytics and does not result in decisions that affect your rights or create legal obligations.

Exercising Your Rights

To exercise any of your GDPR rights, please contact us using the following methods:

We will respond to your request within one month, though this may be extended by two further months for complex requests. We will inform you of any extension within the first month.

Updates to This Policy

We may update this GDPR Compliance page from time to time to reflect changes in our practices or legal requirements. We will notify you of any material changes by posting the updated policy on our website.

The "Last Updated" date at the top of this page indicates when this policy was last revised.

Contact Information

For any questions about GDPR compliance or to exercise your rights, please contact:

Coreway Solution

DPO: dpo@corewaysolution.com

Privacy: privacy@corewaysolution.com

Website: www.corewaysolution.com