GDPR & Data Protection

Roles

Customer = Data Controller. Owns the data and determines purposes and means.
ByTek = Data Processor (Art. 28 GDPR). Processes only on the customer's documented instructions, for the contracted purpose, no secondary use. A Data Processing Agreement (DPA) is executed with each client; ByTek maintains an Art. 30(2) Record of Processing Activities (ROPA).

Governance

External DPO: SAPG Legal Tech S.r.l., registered with the Garante.
Internal Privacy Point of Contact appointed under Art. 2-quaterdecies.
Privacy by Design & by Default policy in force; Data Classification Policy with four levels (Restricted, Confidential, Internal Use, Public).

Data subject rights — right to erasure

BPP supports the right to be forgotten end-to-end: on a deletion request the user is purged from the reconciliation identity graph and the internal user ID is nullified across all of the customer's BigQuery tables. Suppression can be triggered in the customer's warehouse and propagates to BPP models and activations.

Breach notification

Authority notification (Art. 33) within 72 hours of becoming aware, coordinated by the DPO; data-subject notification (Art. 34) where high risk; the controller (customer) is notified per the DPA.

Retention & deletion

Customer data retained only for the contracted purpose and the customer's retention policy.
Secure deletion: crypto-shredding (key destruction) for cloud data; secure overwriting or physical destruction for media; all logged in the data-retention register.

Exit & portability

Cloud Exit Strategy: ≥90-day transition/notice; data returned in machine-readable format (CSV/JSON/XML) within 30 days; credentials and API keys revoked at cutover; documented migration and rollback; certified complete and irreversible destruction within 60 days of migration. Reviewed annually, tested at least every two years.

Roles​

Governance​

Data subject rights — right to erasure​

Breach notification​

Retention & deletion​

Exit & portability​