GDPR Compliance

At ayona, we prioritize data protection and privacy, ensuring that all data processing activities comply with the General Data Protection Regulation (GDPR). This document provides an overview of how we handle your data, the measures we take to ensure compliance, and the steps we've implemented to protect personal data.

1. Data Processing Principles

We adhere to the core principles of GDPR in all our data processing activities:

  • Lawfulness, Fairness, and Transparency: We process personal data lawfully, fairly, and transparently. Customers are informed about how their data is processed, and we provide clear communication regarding our data handling practices.
  • Purpose Limitation: We only process personal data for specified, explicit, and legitimate purposes.
  • Data Minimization: We collect and process only the data necessary for the purposes outlined. Our APIs are designed to minimize data intake, rejecting unnecessary personal data fields.
  • Accuracy: We ensure that personal data is accurate and kept up to date.
  • Storage Limitation: We retain personal data only as long as necessary for the purposes for which it was collected.
  • Integrity and Confidentiality: We process personal data securely, protecting it against unauthorized or unlawful processing and against accidental loss, destruction, or damage.

2. Legitimate Interests Assessment (LIA)

To comply with GDPR's requirement for a lawful basis for data processing, ayona conducted a Legitimate Interests Assessment (LIA) to ensure that our data processing activities align with the rights and interests of data subjects:

  • Purpose: The primary purpose of our data processing is to help our customers improve their services by analyzing user feedback. This processing relies on the lawful basis of legitimate interests under Article 6(1)(f) GDPR.
  • Balancing Test: We have evaluated the potential impact on data subjects and concluded that the interests pursued are not overridden by the interests or fundamental rights and freedoms of the data subjects. A key factor in this conclusion is our PII removal process, which strips direct identifiers before feedback is stored and analyzed, reducing the privacy risk of the processing.
  • Mitigation Measures: To further protect data subjects' rights, we implement strong data security measures, provide transparency about our processing activities, and offer data subjects the ability to exercise their rights under GDPR, including the right to object under Article 21.

3. PII Removal and Data Minimization

As part of our commitment to GDPR compliance, ayona has implemented advanced PII (Personally Identifiable Information) entity recognition and removal processes:

  • PII Removal: All data, whether from public or private sources, passes through a PII filtering step before it is stored in our databases. This step removes direct identifiers (such as names, e-mail addresses, phone numbers and account numbers) so that personal data is kept out of our systems wherever possible. Data counts as anonymized under GDPR only when the individual can no longer be identified by any means reasonably likely to be used (Recital 26); data from which identifiers have been removed but which could still be attributed to a person with additional information is pseudonymized (Article 4(5)) and remains personal data, so we treat the output of the filter accordingly.
  • Data Minimization: Our APIs are built on data minimization principles. Request schemas accept only the fields needed for feedback analysis and do not accept dedicated personal data fields; when querying data from sources that might include personal information, those fields are ignored and are neither processed nor stored.
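The two mechanisms described in this section, dropping non-allowlisted request fields at the API boundary and scrubbing direct identifiers from free text before storage, can be illustrated with the following Python example. It is an added illustration and not ayona's code (the page does not show its implementation); the field allowlist, the PII patterns, the sample payload and the field names are all constructed assumptions.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Hypothetical allowlist for a feedback-ingestion endpoint (assumption, not ayona's schema).
# Any field not listed here is dropped before the record is processed or stored.
ALLOWED_FIELDS = {"feedback_text", "product_id", "rating", "submitted_at"}

# Only free-text fields are scanned for identifiers; structured fields such as
# timestamps are not, so a date like 2024-05-01 is never mistaken for a phone number.
FREE_TEXT_FIELDS = {"feedback_text"}

# Patterns for direct identifiers that commonly leak into free text.
# Order matters: IBANs and IPv4 addresses are matched before the looser phone
# pattern, which would otherwise consume their digit runs.
PII_PATTERNS = {
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    "iban": re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]{4}){2,7}(?:\s?[A-Z0-9]{1,4})?\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "phone": re.compile(r"(?<!\d)(?:\+?\d[\d\s().-]{7,}\d)(?!\d)"),
}


@dataclass
class IngestResult:
    record: dict                                   # minimized, redacted record to store
    dropped_fields: list = field(default_factory=list)   # non-allowlisted fields that were ignored
    redactions: dict = field(default_factory=dict)       # identifier type -> number of redactions


def minimize_fields(payload: dict) -> tuple[dict, list]:
    """Keep only allowlisted fields; report the rest so the drop is auditable."""
    kept = {k: v for k, v in payload.items() if k in ALLOWED_FIELDS}
    dropped = sorted(k for k in payload if k not in ALLOWED_FIELDS)
    return kept, dropped


def redact_text(text: str) -> tuple[str, dict]:
    """Replace direct identifiers in free text with typed placeholders."""
    counts: dict = {}
    for name, pattern in PII_PATTERNS.items():
        text, n = pattern.subn(f"[{name.upper()}_REDACTED]", text)
        if n:
            counts[name] = n
    return text, counts


def ingest(payload: dict) -> IngestResult:
    """Apply field minimization, then PII redaction, before anything is stored."""
    kept, dropped = minimize_fields(payload)
    redactions: dict = {}
    for key in FREE_TEXT_FIELDS & kept.keys():
        kept[key], counts = redact_text(kept[key])
        for name, n in counts.items():
            redactions[name] = redactions.get(name, 0) + n
    return IngestResult(record=kept, dropped_fields=dropped, redactions=redactions)


# Constructed sample request: two non-allowlisted fields and two identifiers in free text.
SAMPLE_PAYLOAD = {
    "feedback_text": "Checkout failed twice, contact me at jane.doe@example.com or +44 20 7946 0958.",
    "product_id": "sku-1842",
    "rating": 2,
    "submitted_at": "2024-05-01T10:15:00Z",
    "full_name": "Jane Doe",
    "ip_address": "203.0.113.7",
}

if __name__ == "__main__":
    result = ingest(SAMPLE_PAYLOAD)
    print("stored record:", result.record)
    print("dropped fields:", result.dropped_fields)
    print("redactions:", result.redactions)
```

Two caveats a practitioner should keep in mind. First, the drop list and redaction counts are returned rather than silently discarded so the pipeline can log that minimization actually happened without logging the values themselves. Second, pattern-based scrubbing only removes direct identifiers of the shapes it knows; free text can still carry names, job titles or rare combinations of facts that identify someone, so the output should be regarded as pseudonymized unless a separate assessment shows re-identification is not reasonably likely.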

4. Data Subject Rights

We respect and facilitate the rights of data subjects under GDPR, including:

  • Right to Access: Data subjects can request access to the personal data we hold about them.
  • Right to Rectification: Data subjects can request corrections to any inaccurate or incomplete personal data.
  • Right to Erasure (Right to be Forgotten): Data subjects can request the deletion of their personal data under certain conditions.
  • Right to Restriction of Processing: Data subjects can request that the processing of their personal data be restricted under specific circumstances.
  • Right to Data Portability: Data subjects can request that their personal data be provided to them or transferred to another data controller in a structured, commonly used, and machine-readable format.
  • Right to Object: Data subjects can object to the processing of their personal data in certain situations.

Because our PII removal process strips direct identifiers before storage, we may be unable to link a stored record to the individual making a request. Data that has been anonymized in the sense of Recital 26 is no longer personal data and falls outside these rights. Where data is retained in a form from which we cannot identify the data subject, Article 11 GDPR applies: we are not obliged to acquire additional information solely to identify the individual, and we will explain to the requester that the request cannot be matched to any record, unless the data subject provides additional information that enables identification.

5. Data Breach Response

In the unlikely event of a data breach, ayona has a robust Data Breach Response Plan:

  • Detection and Reporting: We monitor for security incidents and, where a personal data breach is likely to result in a risk to the rights and freedoms of individuals, notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, as required by Article 33 GDPR. Any breach is recorded internally, including those that do not meet the notification threshold.
  • Notification: If the breach is likely to result in a high risk to the rights and freedoms of individuals, we notify the affected data subjects without undue delay, as required by Article 34 GDPR.
  • Containment and Recovery: Immediate measures are taken to contain the breach and mitigate its impact, followed by a thorough investigation and implementation of corrective actions.

6. Standard Contractual Clauses (SCCs) and International Data Transfers

ayona adheres to GDPR's requirements for international data transfers by incorporating Standard Contractual Clauses (SCCs) where necessary:

  • SCCs: When transferring personal data outside the European Economic Area (EEA) to a country without an adequacy decision under Article 45 GDPR, we use the European Commission's Standard Contractual Clauses so that the data receives a level of protection essentially equivalent to that within the EEA. Before relying on SCCs we assess the laws and practices of the destination country and apply supplementary measures where that assessment shows they are needed.
  • Data Transfers: Our data processing infrastructure is primarily based in Europe. Where data is nevertheless processed in or transferred to countries outside the EEA, we ensure that appropriate safeguards are in place in accordance with Article 46 GDPR.

7. Ongoing Compliance and Updates

We regularly review and update our data processing practices to ensure ongoing compliance with GDPR. This includes conducting Data Protection Impact Assessments (DPIAs) under Article 35 where processing is likely to result in a high risk to individuals, performing regular audits, and updating our internal policies and procedures.