# GDPR ilert is subject to European data protection law as a German company and has implemented comprehensive measures to protect personal data. ## Data Processing Role ilert acts as a **Data Processor** under Art. 28 GDPR when processing customer data. ilert acts as a Data Controller only in limited circumstances (billing, account management, fraud prevention, compliance with legal obligations). ## Data Processing Agreement ilert provides a standard [Data Processing Agreement](https://docs.ilert.com/trust-center/legal/data-processing-agreement) compliant with Art. 28(3) and (4) GDPR, covering: * Categories of data subjects and personal data processed * Purpose and duration of processing * Technical and organizational measures (Annex III — see [Security Controls](https://docs.ilert.com/trust-center/security/security-controls)) * Sub-processor management and notification procedures * Data breach notification obligations * Audit rights ## Data Protection Officer ilert has appointed an external Data Protection Officer: * **secjur GmbH**, Steinhöft 9, 20459 Hamburg * Phone: +49 40 228 599 520 * Email: ## Data Subject Rights ilert supports customers in fulfilling data subject requests including access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18), data portability (Art. 20), and objection (Art. 21). ## Data Location All customer data is stored and processed within the EU. See [Data Hosting & Residency](https://docs.ilert.com/trust-center/infrastructure/data-hosting-and-residency) for details. ## Data Breach Notification In the event of a personal data breach, ilert notifies affected customers without undue delay and assists in fulfilling obligations under Articles 33 and 34 GDPR. ## Data Deletion See [Security Controls — Deletion of Customer Data](https://docs.ilert.com/trust-center/security/security-controls#deletion-of-customer-data) for retention and deletion timelines. ## Sub-processor Management See [Sub-processor List](https://docs.ilert.com/trust-center/legal/subprocessors). Customers receive 30 days' prior written notice of any new or replacement sub-processor, with the right to object. ## Privacy Policies * [Privacy Policy — Website](https://docs.ilert.com/trust-center/legal/privacy-policy-website) * [Privacy Policy — ilert Platform](https://docs.ilert.com/trust-center/legal/privacy-policy-platform)