GDPR Compliance Statement
Last Updated: November 6, 2024
1. GDPR Overview
The General Data Protection Regulation (GDPR) is a comprehensive data protection law that applies to organizations processing the personal data of individuals in the EU/EEA, including organizations established elsewhere when they offer goods or services to, or monitor the behaviour of, those individuals (Article 3). ERG Supplements complies with the GDPR for data subjects in the EU and EEA, and with the UK GDPR for data subjects in the United Kingdom.
2. Data Controller & Processor Roles
Data Controller
ERG Consultants LLC acts as the Data Controller for personal data collected through our website and business operations. We determine the purposes and means of data processing.
Data Processors
We engage third-party Data Processors for specific functions including:
- Cloudflare (hosting and CDN services)
- Payment processors and banking partners
- Email and communication services
- Analytics providers
Each processor has been vetted for GDPR compliance and operates under a Data Processing Agreement (DPA) meeting the requirements of Article 28; where a processor receives personal data outside the EU/EEA, the DPA incorporates the European Commission's Standard Contractual Clauses.
3. Legal Basis for Processing
Under GDPR Article 6, we process personal data based on the following legal grounds:
Article 6(1)(b) - Contractual Performance
Processing necessary to perform contracts with business clients (wholesale orders, quotes, supply agreements).
Article 6(1)(c) - Legal Obligation
Compliance with:
- U.S. Hemp Farming Act (2018 Farm Bill)
- KYC/AML regulations
- Tax and accounting requirements
- Banking regulations (OFAC, CTF)
- International trade compliance
Article 6(1)(f) - Legitimate Interests
Business operations including:
- Fraud and security prevention
- Website improvement and analytics
- Business communications
- Regulatory compliance monitoring
Article 6(1)(a) - Consent
For marketing communications and optional data collection, we obtain explicit, granular, freely given consent that can be withdrawn at any time.
4. Data Subject Rights Under GDPR
We fully respect the following GDPR rights for all data subjects:
Right of Access (Article 15)
You have the right to obtain confirmation of whether we process your personal data and, if so, a copy of that data together with the purposes of processing, the recipients, the retention period and the source. We will provide this within one month of receiving your request.
Right to Rectification (Article 16)
You can request correction of inaccurate personal data and completion of incomplete personal data. We will correct our records within one month.
Right to Erasure (Article 17)
You may request deletion of your personal data, subject to legal retention requirements. Where no legal basis for retention exists, we will delete the data within one month and inform any processors holding it to do the same.
Right to Restrict Processing (Article 18)
You can request that we limit how we use your data while we verify its accuracy or lawfulness of processing.
Right to Data Portability (Article 20)
Where processing is based on consent or contract and carried out by automated means, you have the right to receive the personal data you provided to us in a structured, commonly used, machine-readable format and to transmit it to another controller without hindrance.
Right to Object (Article 21)
You can object to processing based on our legitimate interests; we will stop unless we can demonstrate compelling legitimate grounds that override your interests, rights and freedoms. Where you object to direct marketing, we will stop that processing unconditionally.
Rights Related to Automated Decision-Making (Article 22)
You have the right not to be subject to a decision based solely on automated processing that produces legal effects concerning you or similarly significantly affects you. We do not make such decisions.
5. Exercise Your Rights
To exercise any GDPR rights, submit a request to:
- Email: privacy@ergsupplements.com
- Reference: "GDPR Data Subject Request"
- Include: Your name, email, description of request, and any relevant details
We will respond within one month of receiving your request, free of charge. Where a request is complex or we receive several from you, we may extend this by up to two further months and will tell you within the first month why an extension is needed. If a request is manifestly unfounded or excessive, we may charge a reasonable fee or refuse to act on it, and we will explain our reasons.
6. International Data Transfers
Transfer Mechanisms
When we transfer personal data outside the EU/EEA (e.g., to the United States), we rely on the following safeguards under GDPR Chapter V:
- Standard Contractual Clauses (SCCs): The European Commission's approved clauses under Article 46(2)(c), which bind the recipient to GDPR-equivalent protections
- Data Processing Agreements: Binding Article 28 obligations for all data processors
- Supplementary Measures: Encryption in transit and at rest and additional technical and organizational safeguards, assessed per transfer in line with the Schrems II judgment
Adequacy Decisions
The EU-U.S. Data Privacy Framework adequacy decision (July 2023) covers only U.S. organizations self-certified under that Framework. Where a transfer is not covered by an adequacy decision, we rely on the contractual mechanisms and supplementary safeguards described above.
7. Special Categories of Data
We do not knowingly collect special categories of personal data (GDPR Article 9: health, biometric, genetic data, etc.) unless you explicitly provide it to us for business purposes. We process such data only with your explicit consent or under another condition listed in Article 9(2).
8. Cookie Consent & ePrivacy
We comply with the ePrivacy Directive (2002/58/EC) and GDPR cookie requirements:
- Prior Consent: We obtain consent before placing or reading non-essential cookies or similar identifiers on your device
- Transparent Information: We clearly disclose each cookie's purpose, provider and lifetime
- Easy Withdrawal: You can withdraw consent at any time, and withdrawing is as easy as giving it (GDPR Article 7(3)); cookies already placed can also be deleted or blocked through your browser settings
- Strictly Necessary Cookies: Cookies required to deliver a service you requested, such as session, authentication, CSRF-protection and load-balancing cookies, may be set without consent
9. Data Protection Impact Assessment
We conduct Data Protection Impact Assessments (DPIAs) under GDPR Article 35 before beginning any processing likely to pose a high risk to individuals' rights and freedoms. High-risk processing includes automated decision-making with legal or similarly significant effects, large-scale processing of special categories of data, and systematic monitoring of publicly accessible areas.
10. Data Breach Notification
In the event of a personal data breach, we will:
- Notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms (Article 33)
- Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms (Article 34)
- Describe the nature of the breach, its likely consequences, and the measures taken or proposed to address it and mitigate its effects
- Maintain a record of every breach, including those not notified, so that the supervisory authority can verify compliance (Article 33(5))
11. Data Retention Schedules
We implement retention schedules consistent with GDPR principles:
- Customer Business Data: During active relationship + 7 years (tax/regulatory)
- Financial Records: Minimum 7 years
- Compliance/KYC Documentation: 5-7 years
- Website Analytics: 26 months maximum
- Automated Logs: As long as necessary, typically 30-90 days
12. Privacy by Design & Default
We implement GDPR Article 25 principles by:
- Minimizing data collection to what is necessary
- Implementing strong access controls and encryption
- Conducting privacy assessments before new projects
- Training staff on data protection responsibilities
- Using privacy-friendly default settings
13. Data Processing Agreements
Where we process personal data on a business client's behalf, acting as a processor rather than a controller, we provide Data Processing Agreements (DPAs) that set out:
- Processor obligations under GDPR Article 28
- Sub-processor lists and change notification procedures
- Data subject rights and assistance mechanisms
- Return or deletion of data upon contract termination
- Audit and compliance verification procedures
14. Contact & Complaints
Our Data Protection Contact
- Email: privacy@ergsupplements.com
- Mailing Address: ERG Consultants LLC, United States
Lodge a Complaint
If you believe we have violated your data protection rights, you may lodge a complaint with your national data protection authority (DPA). The authority in your country of residence, workplace, or place of alleged infringement has jurisdiction.
Notable DPAs:
- Ireland: Data Protection Commission (DPC)
- Germany: Federal Commissioner for Data Protection and Freedom of Information (BfDI); complaints about private companies are generally handled by the data protection authority of the relevant federal state
- France: Commission Nationale de l'Informatique et des Libertés (CNIL)
- United Kingdom (UK GDPR): Information Commissioner's Office (ICO)
15. Updates to GDPR Compliance
We regularly review and update our GDPR compliance practices to align with regulatory guidance, court decisions, and industry standards. Changes will be communicated to affected parties.