1. Roles: Controller and Processor
Under the GDPR, a controller determines the purposes and means of processing personal data, while a processor processes personal data on behalf of a controller.
When we process personal data about our own website visitors and prospective clients, we act as a controller. When we process personal data on behalf of a client as part of delivering services, we act as a processor and follow that client's documented instructions.
2. Lawful Bases
Where we act as a controller, we rely on one or more lawful bases for processing, including consent, performance of a contract, compliance with a legal obligation, and our legitimate interests where they are not overridden by the rights of data subjects.
3. Data Processing Agreements (DPA)
Where we process personal data as a processor on behalf of a client, we enter into a Data Processing Agreement that sets out the subject matter, duration, nature and purpose of processing, the types of personal data and categories of data subjects, and the obligations and rights of the controller.
The DPA includes commitments to process data only on documented instructions, maintain confidentiality, implement appropriate security measures, and assist the controller with data subject requests and compliance obligations.
4. Sub-Processors
We may engage sub-processors such as hosting, infrastructure, analytics and communication providers to help deliver our services. We impose data protection obligations on sub-processors that are consistent with those we owe to controllers, and we remain responsible for their performance.
Where required, we will inform clients of intended changes to sub-processors and provide an opportunity to object.
5. Data Subject Rights
We support the exercise of data subject rights under the GDPR, including the rights of access, rectification, erasure, restriction, data portability, objection, and rights related to automated decision-making.
Where we act as a processor, we assist the relevant controller in responding to data subject requests. Where we act as a controller, you can exercise your rights by contacting privacy@shakhawatllc.online.
6. International Transfers (SCCs)
Where personal data is transferred outside the European Economic Area or the United Kingdom, we put in place appropriate safeguards, such as Standard Contractual Clauses or the UK International Data Transfer Agreement, together with any supplementary measures required to ensure an adequate level of protection.
7. Data Breach Notification
We maintain procedures to detect, investigate and respond to personal data breaches. Where we act as a processor, we will notify the affected controller without undue delay after becoming aware of a personal data breach.
Where we act as a controller, we will notify the relevant supervisory authority and, where required, affected individuals within the timeframes set by applicable law.
8. Records of Processing
Where required, we maintain records of processing activities that document the categories of processing carried out, the purposes, the categories of data and data subjects, recipients, transfers and retention periods, and a general description of the security measures in place.
9. Data Protection Officer / Contact
For all data protection matters, including questions about this document, data subject requests and processing arrangements, contact our data protection point of contact at privacy@shakhawatllc.online or write to Shakhawat LLC at [Registered business address — to be customized before publishing].
10. Retention
We retain personal data only for as long as necessary for the purposes for which it was collected, to comply with legal obligations, resolve disputes and enforce agreements. When we act as a processor, we return or delete personal data at the end of the engagement in accordance with the relevant DPA, except where retention is required by law.