GDPR & Data Protection
Understanding how GDPR compliance intersects with CRA requirements for comprehensive data protection.
GDPR and CRA: Complementary Regulations
While CRA focuses on cybersecurity requirements for products with digital elements, GDPR governs the processing of personal data. Organizations must comply with both regulations, and they often reinforce each other's objectives.
The General Data Protection Regulation (GDPR) and the Cyber Resilience Act (CRA) work together to create a comprehensive framework for digital security and privacy in the EU. Understanding their intersection is crucial for effective compliance.
Key Intersections
Data Security
Both regulations require appropriate technical and organizational measures to ensure data security. CRA's security-by-design principles support GDPR's data-protection-by-design requirements.
Breach Notification
Both regulations have incident reporting requirements. Organizations must notify relevant authorities about security incidents that may affect personal data or product security.
Documentation
Both require comprehensive documentation of security measures, risk assessments, and compliance activities to demonstrate accountability and enable audits.
Third-Party Management
Both regulations require due diligence on third parties: GDPR for data processors, and CRA for suppliers and components that could affect product security.
Our GDPR Compliance Approach
Data Collection & Processing
- Minimal data collection principle
- Clear consent mechanisms
- Purpose limitation and data minimization
- Transparent privacy notices
Data Protection Measures
- End-to-end encryption
- Access controls and authentication
- Regular security assessments
- Data breach response procedures
Your Rights Under GDPR
Right to Information
You have the right to know what personal data we collect, how we use it, and who we share it with through clear and transparent privacy notices.
Right of Access
You can request access to your personal data and receive a copy of the information we hold about you.
Right to Rectification
You can request correction of inaccurate or incomplete personal data we hold about you.
Right to Erasure
You can request deletion of your personal data under certain circumstances, also known as the "right to be forgotten."
Right to Data Portability
You can request your personal data in a structured, commonly used format to transfer to another service provider.
Data Processing Activities
| Activity | Data Types | Legal Basis | Retention |
|---|---|---|---|
| Account Management | Name, Email, Company | Contract Performance | Account lifetime + 3 years |
| Service Delivery | Usage Data, Preferences | Legitimate Interest | Service period + 1 year |
| Marketing Communications | Email, Preferences | Consent | Until consent withdrawn |
International Data Transfers
We process data primarily within the European Economic Area (EEA). Any transfers outside the EEA are protected by appropriate safeguards such as:
- European Commission adequacy decisions
- Standard Contractual Clauses (SCCs)
- Binding Corporate Rules where applicable
- Certification schemes and codes of conduct
Contact Our Data Protection Officer
If you have questions about our data processing activities, want to exercise your rights, or have concerns about how we handle your personal data, please contact our Data Protection Officer.
dpo@cracomplianceplatform.eu
Response Time
We respond to all requests within 30 days.