GDPR Compliance Information

This article explains how GDPR applies to your business when using Kyrios, outlines key data protection principles, and clarifies roles and responsibilities related to personal data.

Updated over 3 months ago

Who This Is For / When to Use

  • Account owners handling personal data of EU citizens or residents

  • Teams running marketing, automation, or data collection activities

  • Businesses reviewing privacy, consent, or data protection obligations

  • Anyone needing a high-level GDPR reference related to Kyrios usage


What Is GDPR and Why It Applies

The General Data Protection Regulation (GDPR) is an EU data protection law that governs how personal data is collected, processed, stored, and protected.

GDPR applies even if your business is not based in the EU, provided that you:

  • Process personal data of EU citizens or residents, or

  • Offer goods or services to people in the EU

Compliance is required regardless of business size.


Privacy Rights of Individuals (Data Subjects)

Under GDPR, individuals (“data subjects”) have the following rights:

  1. Right to be informed

  2. Right of access

  3. Right to rectification

  4. Right to erasure (right to be forgotten)

  5. Right to restrict processing

  6. Right to data portability

  7. Right to object

  8. Rights related to automated decision-making and profiling

These rights apply to how you collect and use data in Kyrios.


Key GDPR Definitions

Personal Data
Any information that can directly or indirectly identify an individual.
Examples include names, email addresses, phone numbers, location data, cookies, biometric data, beliefs, or opinions.

Data Processing
Any action performed on data, automated or manual.
Examples include collecting, storing, using, modifying, or deleting data.

Data Subject
The individual whose personal data is being processed (for example, a contact or website visitor).

Data Controller
The person or organization that determines why and how personal data is processed.
In most cases, this is you or your business.

Data Processor
A third party that processes data on behalf of the data controller, such as hosting providers or email services.

Definitions sourced from gdpr.eu.


Data Protection Principles You Must Follow

If your business processes personal data, GDPR requires compliance with the following principles:

  1. Lawfulness, Fairness, and Transparency
    Data must be processed legally and clearly explained to the data subject.

  2. Purpose Limitation
    Data must only be used for the specific purpose communicated at collection.

  3. Data Minimization
    Collect only the data that is necessary.

  4. Accuracy
    Personal data must be kept accurate and up to date.

  5. Storage Limitation
    Data should not be stored longer than required for its purpose.

  6. Integrity and Confidentiality
    Data must be protected with appropriate security measures, such as encryption and access controls.

  7. Accountability
    The data controller must be able to demonstrate compliance with all principles.


How This Relates to Kyrios Usage

  • Campaigns: Require lawful consent before sending marketing messages

  • Workflows: Must respect opt-outs, deletions, and consent changes

  • Contacts: Must be updated, deleted, or restricted upon request

  • Security: Account permissions, encryption, and backups support compliance

Kyrios provides tools to help manage data, but compliance responsibility remains with the account owner.


Common Issues and Considerations

Marketing without consent

Ensure contacts have provided explicit, informed consent before marketing outreach.

Data deletion requests

You must delete or restrict data when a valid request is received.

Automated decisions

If automation significantly affects individuals, they have the right to object or request human review.


FAQs

What are the penalties for GDPR non-compliance?
Fines can reach up to €20 million or 4% of global annual revenue, whichever is higher.

How does GDPR affect email campaigns?
You must have explicit, documented consent before sending marketing emails.

Does GDPR apply to small businesses?
Yes. Business size does not exempt you from compliance.

What steps should my business take to comply?
Conduct a data audit, establish a lawful basis for processing, update privacy policies, obtain consent, and secure stored data.

Can individuals withdraw consent?
Yes. Consent can be withdrawn at any time and must be honored immediately.

What is data portability?
It allows individuals to request their data in a structured, commonly used format.

Right to be forgotten vs. restrict processing—what’s the difference?

  • Right to be forgotten: Data must be deleted

  • Restrict processing: Data use is limited without deletion

How should data breaches be handled?
Breaches must be reported to authorities within 72 hours and affected individuals notified if risk is high.

Is encryption alone enough for integrity and confidentiality?
No. You also need access controls, backups, and safeguards against accidental data loss or alteration.


Important Disclaimer

This article provides general information only and is not legal advice. GDPR is a comprehensive regulation, and requirements may vary by business. Consult your legal or compliance professionals to ensure full compliance.

For full GDPR details, visit gdpr.eu.

Did this answer your question?