GDPR Compliance Policy — StarUP Limited
1. Introduction & Scope
This GDPR Compliance Policy outlines how StarUP Limited, an Irish-registered company operating StarUP.best, complies with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and other relevant Irish and EU data protection laws.
The purpose of this policy is to:
Demonstrate our commitment to the lawful, fair, and transparent processing of personal data;
Define roles and responsibilities regarding data protection within StarUP Limited;
Ensure that all personal data handled by or on behalf of the company is processed in compliance with GDPR principles.
This policy applies to:
All employees, contractors, and third parties who process personal data on behalf of StarUP Limited;
All personal data processed via our website, internal systems, and business operations;
All types of personal data, regardless of the medium (digital or physical).
2. Key Definitions
For clarity, the following terms are defined as per Article 4 of the GDPR:
Personal Data: Any information relating to an identified or identifiable natural person (“data subject”).
Processing: Any operation performed on personal data, such as collection, recording, storage, alteration, retrieval, use, disclosure, or deletion.
Controller: The entity that determines the purposes and means of processing personal data.
Processor: The entity that processes personal data on behalf of the controller.
Data Subject: Any individual whose personal data is being processed.
Supervisory Authority: The independent public authority responsible for monitoring GDPR compliance. In Ireland, this is the Data Protection Commission (DPC).
3. Data Protection Principles
StarUP Limited adheres to the seven core principles of data protection outlined in Article 5 of the GDPR. All personal data must be:
1. Lawfully, fairly, and transparently processed
2. Collected for specified, explicit, and legitimate purposes
3. Adequate, relevant, and limited to what is necessary
4. Accurate and kept up to date
5. Stored only as long as necessary for the intended purpose
6. Processed securely, protecting against unauthorized or unlawful processing, loss, or damage
7. Accountable — StarUP Limited is responsible for and must demonstrate compliance with these principles
4. Lawful Bases for Processing
Under Article 6 of the GDPR, StarUP Limited will process personal data only when one or more of the following lawful bases apply:
Consent: The data subject has given clear consent for the processing.
Contractual necessity: Processing is required to perform a contract with the data subject.
Legal obligation: Processing is necessary to comply with legal requirements.
Legitimate interests: Processing is necessary for our legitimate business interests, provided those interests are not overridden by the rights and freedoms of the data subject.
Vital interests: Processing is required to protect someone’s life.
Public interest: Processing is necessary for tasks carried out in the public interest or official authority (rarely applicable to StarUP Limited).
5. Data Subject Rights
StarUP Limited ensures that all data subjects can exercise their GDPR rights, including:
1. Right of access – to obtain confirmation and a copy of their personal data.
2. Right to rectification – to correct inaccurate or incomplete data.
3. Right to erasure (“right to be forgotten”) – to request deletion of their data when no longer necessary.
4. Right to restriction of processing – to limit how their data is used.
5. Right to data portability – to receive data in a structured, machine-readable format.
6. Right to object – to processing based on legitimate interests or direct marketing.
7. Right not to be subject to automated decision-making or profiling.
All requests must be acknowledged and responded to within one month, in accordance with GDPR timelines.
6. Data Collection and Processing
StarUP Limited collects personal data for legitimate business purposes, including but not limited to:
Providing products and services via StarUP.best;
Managing customer relationships and support;
Conducting marketing activities (with consent);
Improving website functionality and user experience;
Complying with legal or regulatory obligations.
All data collection must be limited to the minimum necessary, and all processing activities are documented in a Record of Processing Activities (RoPA) maintained by the company.
7. Data Security
We implement appropriate technical and organizational measures (TOMs) to protect personal data, including:
Encryption and pseudonymization of data;
Secure servers and firewalls;
Access controls and authentication procedures;
Regular system audits and security reviews;
Staff training on data protection awareness;
Incident response and breach management procedures.
8. Data Retention
Personal data is retained only for as long as necessary to fulfill its purpose or comply with legal requirements.
When data is no longer needed, it is securely deleted or anonymized.
A Data Retention Schedule is maintained internally to define specific timeframes for different categories of data.
9. Data Breach Response
In the event of a personal data breach:
1. The Data Protection Officer (DPO) or responsible manager must be notified immediately.
2. The incident will be investigated and documented within 72 hours.
3. If the breach poses a risk to individuals, the Irish Data Protection Commission (DPC) and affected data subjects will be notified without undue delay.
4. A corrective action plan will be implemented to prevent recurrence.
10. Third-Party Processors
StarUP Limited may engage third-party service providers (data processors) for specific tasks such as hosting, analytics, or marketing automation.
All such partners must:
Sign a Data Processing Agreement (DPA) with StarUP Limited;
Implement GDPR-compliant security measures;
Process data only as instructed by the company.
StarUP Limited remains fully responsible for ensuring GDPR compliance of all processors.
11. International Data Transfers
Where data is transferred outside the European Economic Area (EEA), StarUP Limited ensures adequate protection through one of the following:
Transfers to countries recognized by the European Commission as providing adequate protection;
Standard Contractual Clauses (SCCs);
Binding Corporate Rules (BCRs);
Explicit consent from the data subject.
12. Roles and Responsibilities
Data Protection Officer (DPO): Oversees compliance, monitors GDPR adherence, and serves as contact for the DPC.
Management: Ensures implementation of this policy and provides necessary resources.
Employees and Contractors: Must follow this policy and report any data protection concerns or breaches immediately.
13. Training and Awareness
All employees receive data protection training upon onboarding and periodic refreshers thereafter.
Training covers GDPR principles, data handling procedures, and incident response obligations.
14. Auditing and Review
Regular internal audits are conducted to verify compliance with GDPR requirements.
This policy will be reviewed annually or whenever regulatory or organizational changes occur.