GDPR & Regulatory Compliance

Version 1.0 — October 2025

This document outlines Conformo’s compliance with EU GDPR, eIDAS, and Italian privacy regulations.


Table of Contents

  1. Compliance Overview
  2. GDPR Compliance
  3. eIDAS Compliance
  4. Italian Privacy Law
  5. Data Processing
  6. User Rights
  7. Cookie Policy
  8. Data Protection Officer
  9. Implementation Checklist

Compliance Overview

Conformo is designed to help Italian SMEs achieve GDPR compliance while being fully compliant itself.

Applicable Regulations:

  • GDPR: Regulation (EU) 2016/679, the General Data Protection Regulation
  • eIDAS: Regulation (EU) No 910/2014 on electronic identification and trust services, as amended by Regulation (EU) 2024/1183 (the EU Digital Identity Wallet revision)
  • Italian Privacy Code: Legislative Decree 196/2003, as amended by Legislative Decree 101/2018 to align it with the GDPR
  • Italian Cookie Law: Article 122 of the Privacy Code, implementing Directive 2009/136/EC (ePrivacy), read together with the Garante's cookie guidelines of 10 June 2021

GDPR Compliance

Article 6 GDPR - Lawfulness of Processing:

  1. Consent (Art. 6(1)(a))
    • Marketing communications
    • Optional features the user switches on (2FA enrolment, analytics); once a feature is enabled, the processing needed to run it, such as storing the 2FA secret, falls under contract performance
    • Note: accepting the terms of service at registration is contract performance (Art. 6(1)(b)), not consent; consent is reserved for processing the user can refuse without losing the service, and it must be as easy to withdraw as to give (Art. 7(3))
  2. Contract Performance (Art. 6(1)(b))
    • Service delivery
    • User authentication
    • Account management
  3. Legal Obligation (Art. 6(1)(c))
    • Tax compliance
    • Audit logs (where required by law)
    • Data retention for legal purposes
  4. Legitimate Interest (Art. 6(1)(f))
    • Fraud prevention
    • Security monitoring
    • Service improvement

Data Minimization (Article 5(1)(c))

Principle: Collect only data necessary for specified purposes.

Implementation:

  • Required fields limited to essentials
  • Optional fields clearly marked
  • No unnecessary data collection
  • Regular data audits

Data Collected:

| Data Field | Purpose | Legal Basis | Retention |
|---|---|---|---|
| Email | Authentication, communication | Contract | Account lifetime |
| Password (hashed) | Authentication | Contract | Account lifetime |
| Name | Personalization, legal | Contract | Account lifetime |
| Company Name | Service delivery | Contract | Account lifetime |
| Business Info | Service customization | Contract | Account lifetime |
| IP Address | Security, fraud prevention | Legitimate interest | 90 days |
| Auth Logs | Security, compliance | Legal obligation | 90 days |
| Session Data | Authentication | Contract | Session end |

"Account lifetime" includes the 30-day post-deletion window recorded under Processing Activity 1 in the Data Processing section.

Privacy by Design and by Default (Article 25)

Implemented Measures:

  • ✅ Data encryption (in transit and at rest)
  • ✅ Pseudonymization where possible
  • ✅ Access controls (RBAC)
  • ✅ Audit logging
  • ✅ Secure defaults
  • ✅ Minimal data collection
  • ✅ Regular security updates

User Rights Implementation

Right to Access (Article 15)

Implementation:

  • User profile page shows all personal data
  • API endpoint for data export
  • Requester identity is verified before anything is released (Art. 12(6)); a request arriving from an address that is not the account's verified email is answered only after verification
  • Response time: within one month of receipt (Art. 12(3)), extendable by two further months for complex or numerous requests, with the user told about the extension within the first month

Right to Rectification (Article 16)

Implementation:

  • User profile editing
  • Contact form for corrections
  • Update processed within 5 business days

Right to Erasure (Article 17)

Implementation:

  • Account deletion feature
  • Complete data removal (except legal retention)
  • Confirmation email sent
  • Processing within one month (Art. 12(3)); confirmation of the request itself goes out immediately

Code: Account deletion endpoint

// DELETE /api/user/account
// Removes all personal data except legally required records

Right to Data Portability (Article 20)

Implementation:

  • Export data in JSON format
  • Machine-readable format
  • Includes all personal data
  • Available via user dashboard

Right to Object (Article 21)

Implementation:

  • Opt-out of marketing communications
  • Withdraw consent for optional features
  • Object to legitimate interest processing

Data Breach Notification (Articles 33-34)

Procedure:

  1. Detection: Security monitoring and alerts
  2. Assessment: Impact and severity evaluation, documented even when the outcome is that no notification is due (Art. 33(5))
  3. Notification:
    • Supervisory authority (the Garante) within 72 hours of becoming aware of the breach, unless it is unlikely to result in a risk to individuals; a notification made after 72 hours must state the reasons for the delay (Art. 33(1))
    • Affected users without undue delay when the breach is likely to result in a high risk to them (Art. 34)
    • Processors (Vercel, Neon, SendGrid) are bound by their DPAs to notify Conformo without undue delay when the breach happens on their side (Art. 33(2)); the 72-hour clock starts when Conformo becomes aware
  4. Documentation: Breach record maintained
  5. Remediation: Security improvements

Breach Record Template:

  • Date and time of breach
  • Nature of breach
  • Categories and number of affected users
  • Data categories affected
  • Likely consequences
  • Measures taken
  • Notification timeline

eIDAS Compliance

Electronic Identification (eIDAS Regulation)

Current Status: Not yet implemented

Planned Implementation:

  • SPID integration (Sistema Pubblico di Identità Digitale)
  • CIE integration (Carta d’Identità Elettronica)
  • eIDAS node connection for EU recognition

Electronic Signatures

Current Status: Not required for current features

Future Considerations:

  • Advanced Electronic Signatures (AdES)
  • Qualified Electronic Signatures (QES)
  • Timestamps for legal documents

Trust Services

Implementation:

  • ✅ TLS certificates from a publicly trusted CA (ordinary server certificates; these are not eIDAS qualified website authentication certificates)
  • ✅ Secure email delivery
  • Planned: qualified electronic time stamps (Art. 42 eIDAS) on audit log exports, so log integrity can be evidenced to a regulator
  • Planned: long-term document preservation

Italian Privacy Law

Legislative Decree 196/2003 (Privacy Code)

Note: the article numbers below follow the pre-2018 text of the Privacy Code. Legislative Decree 101/2018 repealed the Code's own provisions on information notices, consent and minimum security measures (the old Arts. 13, 23 and 31-36); those requirements now apply directly under GDPR Arts. 13-14, 6-7 and 32. The measures listed remain the ones to verify.

Key Requirements Met:

  1. Information Notice (Art. 13)
    • Privacy policy page created
    • Clear, concise information
    • Available before data collection
    • In Italian language
  2. Consent (Art. 23)
    • ✅ Explicit consent for registration
    • ✅ Separate consent for marketing
    • ✅ Granular consent options
    • ✅ Easy withdrawal
  3. Security Measures (Art. 31-35)
    • ✅ Technical safeguards (encryption, access control)
    • ✅ Organizational measures (policies, training)
    • ✅ Regular security assessments
    • ✅ Incident response plan
  4. Data Processor Agreement (Art. 28 GDPR)
    • Contract with service providers (Vercel, SendGrid, Neon)
    • Data processing terms documented
    • Sub-processor approval

Garante per la Protezione dei Dati Personali

Italian Data Protection Authority Requirements:

  • Maintain a record of processing activities (Art. 30 GDPR); the small-enterprise exemption in Art. 30(5) does not apply, because processing of user accounts is not occasional
  • Appoint a DPO if required (criteria: public authority, large-scale regular and systematic monitoring, large-scale processing of special categories)
  • Conduct a DPIA for high-risk processing (Art. 35), checking the Garante's published list of processing operations that always require one

Current Assessment: DPO not required (small-scale processing, no special categories)


Data Processing

Processing Activities Record

Controller: Conformo (GrewingM)

Processing Activity 1: User Authentication

  • Purpose: Account management and access control
  • Legal Basis: Contract performance (Art. 6(1)(b))
  • Data Categories: Email, password hash, name, login timestamps
  • Recipients: None (internal processing only)
  • Retention: Account lifetime + 30 days post-deletion
  • Security: Encryption, access control, audit logs

Processing Activity 2: Audit Logging

  • Purpose: Security monitoring, fraud prevention, compliance
  • Legal Basis: Legal obligation (Art. 6(1)(c)) + Legitimate interest (Art. 6(1)(f))
  • Data Categories: User ID, IP address, user agent, timestamps, actions
  • Recipients: Administrators only
  • Retention: 90 days
  • Note: if these logs are also meant to satisfy the Garante's 2008 measure on system administrators, which requires administrator access logs to be kept for at least six months, that subset needs a separate, longer retention; otherwise the legal-obligation basis should be dropped and legitimate interest relied on alone
  • Security: Access control, encryption, admin-only access

Processing Activity 3: Email Communications

  • Purpose: Account verification, password reset, transactional emails
  • Legal Basis: Contract performance (Art. 6(1)(b))
  • Data Categories: Email, name, language preference
  • Recipients: SendGrid (email service provider)
  • Retention: Email logs 90 days
  • Security: TLS encryption, API authentication

Processing Activity 4: Business Information

  • Purpose: Service customization, compliance guidance
  • Legal Basis: Contract performance (Art. 6(1)(b))
  • Data Categories: Company name, VAT number, employee count, business type, province
  • Recipients: None (internal processing only)
  • Retention: Account lifetime
  • Security: Database encryption, access control
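The retention periods in the four activities above (90 days for audit and email logs, session end for sessions, 30 days post-deletion for account tombstones) only mean something if a job enforces them. This is an added example, not Conformo's own code, of a table-driven retention sweep meant to run on a schedule such as a daily cron job; the table names, the timestamp field names (at, sentAt, expiresAt, purgeAfter) and the sample state are assumptions. The rule worth noticing is that a row whose timestamp cannot be parsed is kept and reported, never silently deleted or silently kept forever.

```javascript
// Added example (not Conformo's own code): a retention sweep driven by the
// periods in the processing register above. Table names and the `at`,
// `sentAt`, `expiresAt` and `purgeAfter` field names are assumptions.
const DAY_MS = 24 * 60 * 60 * 1000;

// One entry per retained table: how long rows live and which timestamp governs.
// Periods are the ones the register states; change them here, not in code paths.
const RETENTION = {
  auditLogs: { days: 90, field: "at" },         // Activity 2: 90 days
  emailLogs: { days: 90, field: "sentAt" },     // Activity 3: email logs 90 days
  sessions:  { days: 0,  field: "expiresAt" },  // Session data: gone at session end
  deletions: { days: 0,  field: "purgeAfter" }, // Activity 1: 30 days post-deletion, date fixed at deletion time
};

// Deletes expired rows in place and returns counts per table, which become the
// record of the sweep itself (the sweep is a processing activity too).
function runRetentionSweep(db, now = new Date()) {
  const report = { ranAt: now.toISOString(), deleted: {}, unparseable: {} };
  for (const [table, rule] of Object.entries(RETENTION)) {
    const rows = db[table] || [];
    const keep = [];
    let removed = 0;
    let bad = 0;
    for (const row of rows) {
      const t = Date.parse(row[rule.field]);
      if (Number.isNaN(t)) {            // never act on a timestamp we cannot read;
        bad++; keep.push(row); continue; // keep the row and surface it for a human
      }
      if (now.getTime() - t >= rule.days * DAY_MS) removed++;
      else keep.push(row);
    }
    db[table] = keep;
    report.deleted[table] = removed;
    if (bad) report.unparseable[table] = bad;
  }
  return report;
}

// Constructed sample state, as it might look on 2025-10-15.
function sampleState() {
  return {
    auditLogs: [
      { id: 1, userId: "u1", ip: "203.0.113.7", action: "login", at: "2025-07-01T08:00:00Z" }, // 106 days old
      { id: 2, userId: "u2", ip: "198.51.100.3", action: "login", at: "2025-10-01T08:00:00Z" }, // 14 days old
      { id: 3, userId: "u2", ip: "198.51.100.3", action: "login", at: "not-a-date" },           // corrupt row
    ],
    emailLogs: [
      { id: 1, to: "mario@example.it", kind: "verify", sentAt: "2025-06-30T10:00:00Z" },           // 107 days old
    ],
    sessions: [
      { id: "s1", userId: "u2", expiresAt: "2025-10-14T09:00:00Z" }, // already expired
      { id: "s2", userId: "u2", expiresAt: "2025-10-16T09:00:00Z" }, // still valid
    ],
    deletions: [
      { alias: "3f2a0c9e1b7d4a65", deletedAt: "2025-09-01T00:00:00Z", purgeAfter: "2025-10-01T00:00:00Z" },
      { alias: "9c1d7e2f8a3b5c04", deletedAt: "2025-10-10T00:00:00Z", purgeAfter: "2025-11-09T00:00:00Z" },
    ],
  };
}

module.exports = { RETENTION, runRetentionSweep, sampleState };
```

Against a real PostgreSQL (Neon) store the same policy object would drive one `DELETE ... WHERE <field> < now() - interval` per table inside a transaction; keeping the periods in a single structure that mirrors the register is what lets the quarterly review check code against policy in one place.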

Data Processors

Third-Party Processors:

  1. Vercel (Hosting)
    • Service: Application hosting and deployment
    • Location: EU/US
    • Agreement: DPA with Standard Contractual Clauses (Privacy Shield was invalidated by the CJEU in Schrems II in 2020 and is not a valid transfer basis)
    • Security: SOC 2 Type II, ISO 27001 (verify against the vendor's current attestations at each annual vendor review)
  2. Neon (Database)
    • Service: PostgreSQL database hosting
    • Location: EU region
    • Agreement: DPA in place
    • Security: Encryption at rest and in transit, SOC 2
  3. SendGrid (Emails)
    • Service: Transactional email delivery
    • Location: US
    • Agreement: DPA with Standard Contractual Clauses (same note as for Vercel)
    • Security: TLS, API authentication, bounce handling

International Data Transfers

EU to Third Countries:

  • ✅ Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) with US providers
  • ✅ Supplementary security measures (encryption in transit and at rest, keys held by Conformo where the provider allows it)
  • ✅ Transfer impact assessment
  • Document transfer mechanisms; where a provider is certified under the 2023 EU-US Data Privacy Framework, record that as the basis and keep the SCCs as the fallback

User Rights

How Users Exercise Rights

Profile Management (/profile):

  • View all personal data
  • Update information
  • Change password
  • Enable/disable 2FA

Data Export (/profile/export):

  • Download all data in JSON
  • Machine-readable format
  • Complete data portability

Account Deletion (/profile/delete):

  • Permanent account removal
  • Data erasure (except legal retention)
  • Confirmation required

Consent Management (/profile/consent):

  • Marketing opt-in/opt-out
  • Cookie preferences
  • Granular consent control

Response Timeline

  • Access Request: one month (Art. 12(3)), extendable by two further months for complex or numerous requests
  • Rectification: 5 business days
  • Erasure: one month (Art. 12(3))
  • Data Export: Immediate (self-service)
  • Objection: 5 business days

Cookie Policy

Cookie Categories

Strictly Necessary (No consent required):

  • Session cookies (authentication)
  • Security cookies (CSRF protection)
  • Load balancing cookies

Functional (Consent required):

  • Language preference
  • Remember me (optional login)
  • UI preferences
  • Note: a preference the user sets explicitly (language, "remember me") can qualify as a technical cookie exempt from consent under Art. 122(1) of the Privacy Code; Conformo takes the conservative route and asks

Analytics (Consent required):

  • Usage statistics
  • Error tracking
  • Performance monitoring

Marketing (Consent required):

  • Not currently used

Requirements:

  • Inform before setting non-essential cookies
  • Granular consent (accept all, reject all, customize), with reject as prominent and as easy to use as accept on the first layer of the banner
  • Easy withdrawal of consent, from a link that is always reachable
  • Cookie policy link
  • No pre-ticked boxes
  • Record each choice (timestamp, policy version, categories) so consent can be demonstrated (Art. 7(1))
  • Do not show the banner again for at least six months after a choice, unless the policy or the cookies change (Garante guidelines, 2021)

Cookie Banner Example:

<CookieBanner>
  {/* "We use cookies to improve your experience." */}
  <p>Utilizziamo cookie per migliorare la tua esperienza.</p>
  {/* Accept and reject sit side by side on the first layer, equally prominent */}
  <button>Accetta tutti</button>   {/* "Accept all" */}
  <button>Rifiuta</button>         {/* "Reject" */}
  <button>Personalizza</button>    {/* "Customize": per-category toggles, none pre-ticked */}
  <a href="/cookie-policy">Informativa Cookie</a>  {/* "Cookie policy" */}
</CookieBanner>

Data Protection Officer

DPO Requirements (Article 37 GDPR)

Required When:

  1. Public authority or body
  2. Core activities require large-scale, regular, systematic monitoring
  3. Core activities involve large-scale processing of special categories

Conformo Assessment: DPO not required

  • Not a public authority
  • Small-scale processing
  • No special category data

Alternative: Privacy contact point designated

Privacy Contact

Email: privacy@conformo.ai (to be configured)
Response Time: 5 business days
Responsibilities:

  • Handle data subject requests
  • Privacy inquiries
  • Breach notifications
  • Regulator communication

Implementation Checklist

Essential (High Priority)

  • Privacy policy page
  • Terms of service acceptance
  • Email verification
  • Secure password storage (bcrypt)
  • Data encryption (TLS)
  • Access controls (RBAC)
  • Audit logging
  • Cookie consent banner
  • Data export functionality
  • Account deletion functionality
  • Privacy policy content
  • Terms of service content

Important (Medium Priority)

  • Cookie policy page
  • Consent management UI
  • Data processing agreements with vendors
  • Processing activities register
  • DPIA for high-risk processing
  • Breach notification procedure
  • User data dashboard
  • Retention policy automation

Nice to Have (Low Priority)

  • Privacy-friendly analytics
  • Anonymization for old logs
  • SPID/CIE integration (eIDAS)
  • Multi-language privacy notices
  • Privacy seal/certification
  • Third-party privacy audits

Compliance Maintenance

Regular Reviews

Quarterly:

  • Review privacy policy
  • Check data processing agreements
  • Audit user consent records
  • Review security incidents

Annually:

  • Complete privacy impact assessment
  • Update processing activities register
  • Review retention policies
  • Vendor compliance review
  • Security audit
  • Staff training

Documentation

Maintain Records Of:

  • Processing activities
  • Data breaches
  • User consent
  • Data subject requests
  • DPIAs
  • Security incidents
  • Training records

Last Updated: October 2025
Version: 1.0
Next Review: January 2026
Maintained by: Conformo Privacy Team