At Xoxoday, we ensure that the data is gathered, stored and handled with respect towards individual rights. We have raised awareness among our employees and other stakeholders on how to handle the data appropriately. They now understand the importance of GDPR and information security. Our controls are placed based on the data protection impact assessment (DIPA) conducted.

What is GDPR?

GDPR (General Data Protection Regulation) is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU). It sets out the principles for data management and the rights of the individual. GDPR was adopted on 14 April 2016, and became enforceable from 25 May 2018.

Principles of GDPR

Confidentiality and data security

Personal data is subject to data secrecy. Our Data Protection Officer is responsible for maintaining the confidentiality and data security and secured suitable organizational and technical measures to prevent unauthorized access, illegal processing or distribution, as well as accidental loss, modification or destruction.

Fairness and lawfulness

When personal data is processed, the individual rights of the data subjects are protected. Personal data is collected and processed in a legal and fair manner.

Restriction to a specific purpose

Personal data is processed only for the purpose that was defined before the data was collected. Our data Protection Officer is responsible for restriction on processing of the data.


When the data is collected, the data subject will be made aware of, or informed by us.

What is xoxoday doing for GDPR

Xoxoday’s Data Security Policy

As part of the Xoxoday operations, information is obtained from the Controllers and processed. This information shall include any offline or online data that makes a person identifiable. Xoxoday collects this information in a transparent way and only with the full cooperation and knowledge of interested parties. Once this information is available, the following rules shall apply.

We exercise data protection by:

  • Restricting and monitoring access to sensitive data by providing access to employees on need basis
  • Training employees in online privacy and security measure
  • Building secure network connections to access the data by using encryption techniques, firewalls and password protection
  • Establishing clear procedures for reporting privacy breaches or data misuse
  • Including contract clauses or communicate statements on how we handle data
  • Establishing data protection practices (document shredding, secure locks, data encryption, frequent backups, access authorization etc.)
Data Storage
  • Information and records relating to Individuals are stored securely and accessible only to authorised person.
  • Information is stored as long as it is needed or required by statute and will be disposed of appropriately in line with the Retention, Archiving and Destruction of Information procedure.
  • It is the Xoxoday and Data Protection Officer responsibility to ensure all personal and company data is not recoverable from any computer system previously used within the organisation which has been passed on/sold to a third party.
  • Xoxoday has a detailed process outlined for the erasure/deletion of personal data in accordance with the retention, archiving and destruction policy; as per the service agreement with the data controllers.
Access Control

Xoxoday has established the Data Management System and Information Security Management system to ensure that the data is managed during the conduct of business in a safe and secure manner in delivering the business values to the interested parties. Xoxoday is committed to protect the data and personally identifiable information through an organized process and prevent any breaches that may be caused due to intrusion and enforce effective access controls for applicable information assets. The company has chosen to adopt the Access Control principles established in ISO 27001: 2013 as the official policy access control domain.

Breach notification procedure

At Xoxoday we have a data breach response team. It is a multi-disciplinary team comprised of knowledgeable and skilled individuals in IT Department, IT Security and Legal. The team ensures readiness for a personal data breach response, along with the needed resources and preparation (such as call lists, substitution of key roles, required review of company policies, procedures and practices). The Data Breach Response Team is prepared to respond to a suspected/alleged or actual personal data breach 24/7, year-round. The Data Breach Response Process will be initiated when anyone notices that a suspected/alleged or actual personal data breach occurs. The data breach shall be immediately notified to the Data Protection Officer.


We adapt appropriate cryptographic methodology to mask the data in rest and transit to protect the confidentiality, integrity, availability and privacy of information. Encryption of data at rest: AES 256 bit encryption, Data in transit: TLS 1.2

  • Develop and implement the organisation’s Data Protection Policy.
  • Create ‘best practice’ guidance for data processors, preferably in written form for future reference.
  • Train and advise staff on the provisions of the Data Protection Act.
  • Identify and monitor the data processors whilst at work, ensuring that they deal with data in a manner consistent with the key data protection principles.
  • Process and respond to all requests for information, correction, or erasure by data controller or data subjects.
  • Ensure data remains up-to-date and is destroyed when necessary.
  • To report to the supervisory authority in-case of breach.
  • Review the policy annually with the management and update policies if required.
  • There is no conflict of interest between the duties of the individual as a DPO and other duties.
  • Notify data controller and other concerned stakeholders in the event of data breach identified.
Privacy by design

Privacy by design has always been an implicit requirement of GDPR principles. When developing new systems we have conducted Data Protection Impact assessment (DPIA), and our controls are placed based on the results of DPIA. By default, our processing activities are performed with data security and, more generally, compliance with the GDPR in mind. Personal data necessary for a specific purpose of processing are made accessible only with the consent of the data subjects.


GDPR (General Data Protection Regulation) is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU). It sets out the principles for data management and the rights of the individual. GDPR was adopted on 14 April 2016, and became enforceable from 25 May 2018.

€ 20 million or 4% of global annual turnover of the company, would be applicable when a company fails to demonstrate compliance with basic principles like applying fair conditions for consent, does not process personal data for legitimate purposes and fails to respect rights of data subjects.

Personally Identifiable information is any information related to an identified or identifiable natural person, such as name, identification number, location data, online identifier or one of several special characteristics, which expresses the physical, physiological, genetic, mental, commercial, cultural or social identity of these natural persons. Our team of data protection specialists have put together a series of controls and resources to help with GDPR compliance.

GDPR is applicable to all organisations that:

  • Process personal data and if the processing happens in the context of the activities of an organization established in the EU (regardless of where the processing takes place);
  • Processing of personal data of individuals who reside in the EU

DPOs must be appointed in companies that routinely process large volumes of sensitive data.

Data Controller:

  • A natural or legal ‘person’ or group of people that determines the purpose and means of processing any personal data
  • Exercises overall control over the ‘why’ and the ‘how’ of a data processing activity.

Data Processor:

  • Any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
  • It is an intermediary between the Data subjects and Data controller.

Data Subjects:

  • Any person, who is a citizen of EU whose personal data is being collected, held or processed.
  • In order to process the personal data, data subjects must give their consent.
  • Data breach is breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
  • The Company shall report the personal data breach to the Data Protection Officer.
  • Data Protection Officer will notify the data controller about the breach.
  • Data controller shall maintain an internal breach register.
Additional resources on GDPR

Data Protection Commission -

GDPR – wiki


GDPR Fundamental rights -

Note: Xoxoday does not endorse these links and is not responsible for the content in these pages