GDPR Compliance
Effective: May 25, 2018 • Last Updated: January 15, 2025
Lawful Processing
All data processing is based on clear legal grounds and on your explicit consent
Complete Transparency
Full disclosure of data collection, processing, and sharing practices
Data Minimization
We only collect and process data necessary for specific business purposes
GDPR Data Processing Information
Personal Data We Process
- Contact information (name, email, phone)
- Business details and professional information
- Website analytics and behavioral data
- Marketing preferences and consent records
- Payment and billing information
Marketing Data Collection
- Campaign performance and engagement metrics
- Social media interactions and reach data
- Email marketing statistics and preferences
- Advertising audience and conversion data
- SEO and website optimization insights
Technical Data Processing
- Cookies, tracking pixels, and session data
- Device information and browser preferences
- Geographic location and timezone data
- Security logs and access monitoring
- Platform integrations and API data
Legal Basis for Data Processing
Consent (Article 6(1)(a))
You have given clear, informed consent for processing personal data for marketing communications, newsletter subscriptions, and personalized service delivery. Consent can be withdrawn at any time.
Legitimate Interests (Article 6(1)(f))
Business operations including fraud prevention, security monitoring, service improvement, analytics, and direct marketing, where this interest does not override your fundamental rights and freedoms.
Contract Performance (Article 6(1)(b))
Processing necessary for contract execution including service delivery, account management, billing, payment processing, and providing digital marketing services as agreed.
Vital Interests (Article 6(1)(d))
Protection of life and health in emergency situations, though this basis is rarely applicable to our digital marketing services.
Legal Obligation (Article 6(1)(c))
Compliance with legal requirements including tax obligations, regulatory reporting, anti-money laundering checks, and responding to lawful requests from authorities.
Public Task (Article 6(1)(e))
Not typically applicable to our commercial digital marketing services, but may apply when working with public sector clients.
Your Comprehensive GDPR Rights
Right to Information
Clear details on data collection and processing
Right of Access
Request complete copies of your personal data
Right to Rectification
Correct any inaccurate or incomplete data
Right to Erasure
Request deletion of personal data (right to be forgotten)
Right to Restrict Processing
Limit how we use your personal information
Right to Data Portability
Transfer your data to another service provider
To exercise any rights, contact our Data Protection Officer at [email protected]
Data Retention Periods
- Active client data: Duration of service + 3 years
- Marketing consents: Until withdrawn or after 2 years of inactivity
- Financial records: 7 years (legal requirement)
- Analytics data: 26 months (aggregated)
- Security logs: 12 months maximum
- Backup data: Automatically purged after retention periods
International Data Transfers
- Adequacy decisions: Transfers to countries with adequate protection
- Standard Contractual Clauses: EU-approved data transfer agreements
- Binding Corporate Rules: For multinational service providers
- Certification schemes: GDPR-compliant international processors
- Additional safeguards: Encryption and access controls
- Transfer impact assessments: Regular review of third-country transfers
Data Protection Officer & GDPR Compliance
Our certified Data Protection Officer ensures full GDPR compliance and is available to address any questions about your data protection rights, to help you file complaints, and to assist with data requests.
Contact Information
Email: [email protected]
Phone: +977-9746476794 (GDPR Hotline)
Address: Sano Khari Boat, Shantinagar, Kathmandu, Nepal
Response time: 30 days maximum (GDPR Article 12)
Supervisory Authority Rights
You have the right to lodge a complaint with your local supervisory authority if you believe your GDPR rights have been violated. We are committed to cooperating fully with all regulatory investigations.
Lead Supervisory Authority: Data Protection Commission (where we have EU operations)
1. INTRODUCTION AND REGULATORY FRAMEWORK
This General Data Protection Regulation (GDPR) Compliance Statement (“Statement”) outlines the data protection measures, policies, and procedures implemented by Queens Digital Agency Nepal Private Limited (“Controller,” “we,” “us,” or “our”) in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”).
This Statement applies to all processing of personal data of individuals within the European Union (EU) and European Economic Area (EEA), regardless of whether the processing takes place within or outside the EU/EEA. Our commitment to GDPR compliance extends beyond legal requirements to reflect our fundamental respect for privacy rights and data protection principles.
As a digital marketing agency serving international clients, we process personal data on behalf of our clients (acting as a Data Processor) and for our own business purposes (acting as a Data Controller). This dual role requires comprehensive compliance measures addressing both scenarios.
2. REGULATORY DEFINITIONS AND SCOPE
Personal Data: Any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Processing: Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Data Controller: The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Data Processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Data Subject: An identified or identifiable natural person whose personal data is processed by the controller or processor.
Supervisory Authority: An independent public authority which is established by a Member State and is responsible for monitoring the application of GDPR within its territory.
3. LAWFULNESS OF PROCESSING (ARTICLE 6 GDPR)
Processing of personal data shall be lawful only if and to the extent that at least one of the following applies:
3.1 Consent (Article 6(1)(a)):
- The data subject has given consent to the processing of his or her personal data for one or more specific purposes
- Consent must be a freely given, specific, informed and unambiguous indication of the data subject’s wishes
- Consent can be withdrawn at any time and withdrawal shall not affect the lawfulness of processing based on consent before its withdrawal
- We maintain detailed records of consent including time, method, and scope of consent given
3.2 Contract Performance (Article 6(1)(b)):
- Processing is necessary for the performance of a contract to which the data subject is party
- Processing is necessary in order to take steps at the request of the data subject prior to entering into a contract
- Includes service delivery, account management, billing, and customer support activities
3.3 Legal Obligation (Article 6(1)(c)):
- Processing is necessary for compliance with a legal obligation to which the controller is subject
- Includes tax obligations, regulatory reporting, anti-money laundering requirements, and responses to lawful requests from authorities
3.4 Legitimate Interests (Article 6(1)(f)):
- Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party
- Except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject
- We conduct legitimate interests assessments balancing our business needs against data subject rights
- Includes fraud prevention, security monitoring, direct marketing, and analytics
4. SPECIAL CATEGORIES OF PERSONAL DATA (ARTICLE 9 GDPR)
We generally do not process special categories of personal data (racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning a natural person’s sex life or sexual orientation) in our digital marketing services.
If special category data is inadvertently collected or if clients specifically request processing of such data, we implement additional safeguards including:
- Explicit consent under Article 9(2)(a) GDPR where legally permissible
- Enhanced security measures and access controls
- Additional staff training on sensitive data handling
- Regular deletion of unnecessary special category data
- Data Protection Impact Assessments for all special category processing
5. DATA SUBJECT RIGHTS (CHAPTER III GDPR)
5.1 Right to Information (Articles 13-14):
- Transparent information about processing purposes, legal basis, retention periods, and data subject rights
- Clear and plain language accessible to the intended audience
- Information provided at the time of data collection or within one month for indirect collection
5.2 Right of Access (Article 15):
- Confirmation whether personal data is being processed and access to such personal data
- Information about processing purposes, categories of data, recipients, and retention periods
- Copy of personal data undergoing processing provided free of charge for the first copy
- Response provided within one month, extendable by two months for complex requests
5.3 Right to Rectification (Article 16):
- Right to obtain rectification of inaccurate personal data without undue delay
- Right to have incomplete personal data completed through supplementary statement
- Rectification communicated to all recipients unless this proves impossible or involves disproportionate effort
5.4 Right to Erasure (“Right to be Forgotten”) (Article 17):
- Applies where personal data is no longer necessary for its original purposes
- Applies where the data subject withdraws consent and no other legal ground exists
- Applies where personal data has been unlawfully processed or must be erased for legal compliance
- Balanced against freedom of expression, public interest, and legitimate interests
5.5 Right to Restrict Processing (Article 18):
- When the accuracy of personal data is contested, for the duration of the verification period
- When processing is unlawful but the data subject opposes erasure
- When the data is no longer needed by us but is required by the data subject for legal claims
- When an objection to processing is pending a legitimate interest assessment
5.6 Right to Data Portability (Article 20):
- Applies to automated processing based on consent or contract performance
- Data provided in structured, commonly used, and machine-readable format
- Right to transmit data directly to another controller where technically feasible
5.7 Right to Object (Article 21):
- Right to object to processing based on legitimate interests or public task
- Absolute right to object to direct marketing including profiling
- Processing must stop unless compelling legitimate grounds override data subject interests
6. DATA PROTECTION BY DESIGN AND BY DEFAULT (ARTICLE 25)
We implement data protection principles through:
- Data Minimisation: Processing limited to what is necessary for specified, explicit, and legitimate purposes
- Purpose Limitation: Personal data collected for specified, explicit, and legitimate purposes only
- Storage Limitation: Data retained only as long as necessary for processing purposes
- Accuracy: Reasonable steps taken to ensure personal data is accurate and up-to-date
- Integrity and Confidentiality: Appropriate security measures protecting against unauthorized processing, loss, or damage
Technical and Organizational Measures:
- Privacy-preserving system architecture with role-based access controls
- Automated data retention and deletion procedures
- Encryption of personal data at rest and in transit
- Pseudonymisation and anonymisation where technically feasible
- Regular security testing and vulnerability assessments
7. INTERNATIONAL DATA TRANSFERS (CHAPTER V GDPR)
When transferring personal data outside the EU/EEA, we ensure adequate protection through:
7.1 Adequacy Decisions (Article 45):
- Transfers to countries with European Commission adequacy decisions
- Regular monitoring of adequacy decision validity and any restrictions
7.2 Appropriate Safeguards (Articles 46–47):
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Binding Corporate Rules for multinational organizations
- Certification schemes and codes of conduct with binding enforcement
- Transfer Impact Assessments evaluating third country legal frameworks
7.3 Supplementary Measures:
- End-to-end encryption preventing third country authority access
- Strong authentication and access controls
- Data anonymisation or pseudonymisation where possible
- Contractual commitments from processors regarding government access requests
8. SECURITY OF PROCESSING (ARTICLE 32 GDPR)
We implement appropriate technical and organizational security measures including:
8.1 Technical Measures:
- AES-256 encryption for data at rest and TLS 1.3 for data in transit
- Multi-factor authentication for all administrative access
- Network segmentation and intrusion detection systems
- Regular automated backups with encryption and integrity checking
- Vulnerability scanning and penetration testing programs
8.2 Organizational Measures:
- Information security policies and procedures with regular updates
- Employee training on data protection and security awareness
- Background verification for personnel with access to personal data
- Incident response procedures with defined escalation paths
- Business continuity and disaster recovery planning
8.3 Ongoing Security:
- Regular testing, assessment, and evaluation of security effectiveness
- Continuous monitoring of processing activities and access logs
- Security reviews of third-party processors and service providers
- Annual security audits and compliance assessments
9. DATA BREACH NOTIFICATION (ARTICLES 33-34 GDPR)
9.1 Supervisory Authority Notification:
- Personal data breaches reported to the supervisory authority within 72 hours of our becoming aware of them
- Notification includes the nature of the breach and the categories and approximate number of those affected
- Description of likely consequences and measures taken or proposed
- Contact details of Data Protection Officer or other contact point
9.2 Data Subject Notification:
- Direct notification when breach likely to result in high risk to rights and freedoms
- Clear and plain language describing nature of breach and likely consequences
- Recommendations for measures data subjects can take to mitigate potential adverse effects
- Contact details of Data Protection Officer or other contact point
9.3 Documentation:
- Comprehensive records of all personal data breaches maintained
- Documentation of facts, effects, and remedial action taken
- Evidence of supervisory authority and data subject notifications
- Post-incident reviews and lessons learned documentation
10. DATA PROTECTION IMPACT ASSESSMENT (ARTICLE 35 GDPR)
We conduct Data Protection Impact Assessments (DPIAs) when processing is likely to result in high risk, including:
- Systematic and extensive evaluation including profiling with legal or significant effects
- Large-scale processing of special categories of personal data
- Systematic monitoring of public areas on a large scale
- New technologies or processing methods with high privacy risks
DPIA Process:
- Systematic description of processing operations and purposes
- Assessment of necessity and proportionality of processing
- Assessment of risks to rights and freedoms of data subjects
- Measures to address risks including safeguards and security measures
- Consultation with Data Protection Officer throughout process
11. DATA PROTECTION OFFICER (ARTICLES 37-39 GDPR)
Designation and Qualifications:
- Designated Data Protection Officer: Kalapati Kumari Bhandari
- Professional qualifications and expertise in data protection law and practices
- Ability to fulfill tasks independently without receiving instructions
- Sufficient resources and organizational access to perform duties effectively
Tasks and Responsibilities:
- Informing and advising controller and employees of GDPR obligations
- Monitoring compliance with GDPR and other data protection laws
- Providing advice on Data Protection Impact Assessments
- Acting as contact point for supervisory authority and data subjects
- Cooperating with supervisory authority and serving as point of contact
12. PROCESSOR RELATIONSHIPS AND CONTRACTS (ARTICLE 28 GDPR)
When engaging processors, we ensure:
- Written contracts specifying subject matter, duration, nature, purpose, and type of personal data
- Processor obligations including confidentiality, security measures, and sub-processor restrictions
- Requirements for deletion or return of personal data at end of service provision
- Assistance with data subject rights, breach notification, and impact assessments
- Regular audits and compliance monitoring of processor activities
Sub-processor Management:
- Prior written authorization required for engaging sub-processors
- Same data protection obligations imposed on sub-processors
- Processor remains fully liable for sub-processor performance
- Data subject notification of sub-processor changes with objection rights
13. RECORDS OF PROCESSING ACTIVITIES (ARTICLE 30 GDPR)
We maintain comprehensive records including:
- Name and contact details of controller, processor, and Data Protection Officer
- Purposes of processing and description of categories of data subjects and personal data
- Categories of recipients including third country or international organization recipients
- Transfers of personal data to third countries with documentation of safeguards
- Time limits for erasure of different categories of data
- General description of technical and organizational security measures
14. SUPERVISORY AUTHORITY COOPERATION
Lead Supervisory Authority:
For cross-border processing activities, our lead supervisory authority is determined based on our main establishment within the EU. We cooperate fully with all supervisory authorities and maintain current contact information for relevant data protection authorities.
Compliance Monitoring:
- Regular compliance reviews and internal audits
- Proactive communication with supervisory authorities on significant processing changes
- Prompt response to supervisory authority inquiries and investigations
- Implementation of supervisory authority guidance and recommendations
Effective Date: May 25, 2018
Last Updated: January 15, 2025
Document Version: 3.2
Next Review Date: July 15, 2025
This GDPR compliance statement was prepared by the Data Protection Officer of Queens Digital Agency Nepal Private Limited in consultation with legal counsel specializing in EU data protection law.