GDPR Compliance
How Exagon Global meets EU and UK General Data Protection Regulation requirements as controller and processor.
1. Overview
Exagon B.V. (trading as Exagon Global) is established in the Netherlands and processes personal data of individuals in the European Economic Area (EEA) and United Kingdom. We comply with the GDPR and UK GDPR as applicable. UK-facing activities may involve Exagon Global Ltd as part of our corporate group.
This page supplements our Privacy Policy with GDPR-specific information for data subjects and business clients.
2. Controller vs Processor
When we are the controller
We act as data controller for website visitors, prospects, Platform account holders (where Exagon is the contracting party), marketing subscribers, and individuals who contact us directly.
When we are the processor
When business clients use our CRM, automation, AI, and communication Services to process their customers' data, the client is typically the controller and Exagon Global acts as processor under a Data Processing Agreement (DPA).
Clients remain responsible for establishing a lawful basis, providing privacy notices to their end users, and honouring data subject requests for data they control.
3. Lawful Bases
We process personal data only where a lawful basis applies. See Section 6 of our Privacy Policy for details. Common bases include contract performance, legitimate interests (balanced against your rights), consent (marketing/SMS), and legal obligation.
4. Data Subject Rights
Under GDPR, you have the rights listed in our Privacy Policy (access, rectification, erasure, restriction, portability, objection, and rights related to automated decision-making).
To exercise rights, email privacy@exagonglobal.com. We respond within one month, extendable by two months for complex requests.
5. Data Processing Agreements
Enterprise and Platform clients may request our standard DPA, which includes:
- Subject matter, duration, nature, and purpose of processing
- Categories of data subjects and personal data
- Processor obligations under Article 28 GDPR
- Subprocessor authorisation and notification
- Security measures and breach notification
- Assistance with data subject requests and DPIAs
- Deletion or return of data on termination
- EU Standard Contractual Clauses for international transfers
Request a DPA at legal@exagonglobal.com.
6. International Transfers
Where personal data is transferred outside the EEA/UK, we implement appropriate safeguards — primarily EU SCCs (Module 2 controller-to-processor and Module 3 processor-to-processor) and the UK IDTA — supplemented by transfer impact assessments.
7. Subprocessors
We use subprocessors to deliver hosting, messaging, analytics, payment, and platform infrastructure services. A current list is available on request at privacy@exagonglobal.com. We notify clients of material subprocessor changes where required by the DPA.
8. Data Breach Notification
We notify the relevant supervisory authority within 72 hours of becoming aware of a personal data breach likely to result in risk to individuals, unless the breach is unlikely to result in such risk. Affected data subjects and client controllers are notified without undue delay where required.
9. Data Protection Contact
While Exagon Global has not appointed a mandatory Data Protection Officer under Article 37 GDPR, privacy matters are handled by our Privacy Office at privacy@exagonglobal.com.
10. Supervisory Authority
You have the right to lodge a complaint with a supervisory authority. Our lead authority in the Netherlands is:
Autoriteit Persoonsgegevens (Dutch Data Protection Authority)
https://autoriteitpersoonsgegevens.nl
You may also contact your local EU/EEA or UK supervisory authority.
11. Records of Processing
Exagon Global maintains records of processing activities as required by Article 30 GDPR and conducts data protection impact assessments (DPIAs) for high-risk processing where appropriate.
