GDPR
Introduction
Since 25 May 2018, GDPR has been applicable across the European Union. Its implementation is supported through relevant personal data protection frameworks and overseen by designated supervisory authorities.
The regulation focuses on strengthening individual control over personal information, improving transparency in data handling, and clarifying responsibilities associated with data processing activities.
Ⅰ. Scope of Application
GDPR applies to:
-
entities established within the European Union, regardless of where processing takes place
-
entities located outside the EU that offer goods or services to individuals in the EU or monitor online behaviour, including through cookies or similar technologies
Processing carried out purely for personal or household purposes generally falls outside this scope.
Ⅱ. Core Processing Principles
Personal data handling under GDPR is guided by several key principles, including:
-
lawfulness and transparency, ensuring processing is based on a valid legal ground and clearly explained
-
purpose limitation, where data is collected only for defined and legitimate reasons
-
data minimisation, limiting collection to what is relevant and necessary
-
accuracy, keeping information up to date where appropriate
-
storage limitation, avoiding retention beyond what is required
-
integrity and confidentiality, supported by suitable technical and organisational safeguards
Ⅲ. Individual Rights
Individuals are granted a range of rights in relation to their personal data, such as:
-
the right to be informed and to access stored information
-
the ability to request correction of inaccurate or incomplete data
-
the right to request erasure where legal conditions allow
-
the option to restrict processing in certain circumstances
-
data portability, enabling transfer to another service provider
-
the right to object to specific processing activities, including those based on legitimate interests
-
enhanced protection for minors, with parental consent required for users under 18
Ⅳ. Responsibilities in Data Processing
Those involved in processing personal data are expected to:
-
act in line with documented instructions from the data controller
-
apply appropriate safeguards such as encryption, access control and system protection
-
respond to data-related requests within a reasonable timeframe
-
notify relevant authorities and affected individuals where a data breach is identified
-
maintain records of processing activities
-
conduct data protection impact assessments where required
-
designate a Data Protection Officer when applicable
Ⅴ. International Data Transfers
When personal data is transferred outside the European Economic Area, suitable protections are applied. These may include:
-
transfers to jurisdictions recognised as providing adequate data protection, or
-
use of approved Standard Contractual Clauses supported by additional security measures, such as end-to-end encryption
Ⅵ. Oversight and Consequences
Supervisory authorities may carry out reviews, request corrective actions or impose administrative penalties where serious non-compliance is identified.
In certain cases, data-related instructions may also be outlined through legal declarations, with applicable rights continuing to be exercised by authorised parties where permitted.
Ⅶ. Practical Relevance
For individuals, GDPR supports clearer visibility and improved safeguards around personal data.
For platforms operating across borders, it provides a structured compliance framework.
For the wider digital environment, it contributes to consistent standards aligned with prevailing advertising and marketplace requirements.
Ⅷ. Contact Information
Requests relating to data access, correction or privacy-related matters may be directed to the designated contact point:
-
Email: meuble@sofoluxe.com
Responses are generally provided within a reasonable period, with additional time applied where requests involve complex review.