GDPR Compliance Statement

Last Updated: May 11, 2026

1. Overview

crisp-frost is committed to compliance with the General Data Protection Regulation (GDPR) and protecting the rights of individuals in the European Economic Area (EEA). This statement outlines how we comply with GDPR requirements.

2. Legal Basis for Processing

We process your personal data under the following legal bases:

• Consent: When you have given clear consent for us to process your personal data for a specific purpose
• Contract: When processing is necessary for the performance of a contract with you
• Legal Obligation: When we need to comply with legal or regulatory obligations
• Legitimate Interests: When processing is necessary for our legitimate business interests, provided your rights do not override these interests

3. Your Rights Under GDPR

As a data subject, you have the following rights:

Right to Access

You have the right to request copies of your personal data. We may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive.

Right to Rectification

You have the right to request that we correct any information you believe is inaccurate or complete information you believe is incomplete.

Right to Erasure

You have the right to request that we erase your personal data under certain conditions, including when the data is no longer necessary for the purposes for which it was collected.

Right to Restrict Processing

You have the right to request that we restrict the processing of your personal data under certain conditions.

Right to Object to Processing

You have the right to object to our processing of your personal data under certain conditions, particularly for direct marketing purposes.

Right to Data Portability

You have the right to request that we transfer the data we have collected to another organization, or directly to you, under certain conditions.

Right to Withdraw Consent

Where we rely on consent as the legal basis for processing, you have the right to withdraw your consent at any time.

4. How to Exercise Your Rights

To exercise any of these rights, please contact us at:

Email: [email protected]
Subject: GDPR Rights Request

We will respond to your request within one month. In complex cases, we may extend this period by two additional months and will inform you of any such extension.

5. Data Protection Officer

We have appointed a Data Protection Officer (DPO) who is responsible for overseeing our data protection strategy and implementation. You can contact our DPO at:

Email: [email protected]

6. Data Security Measures

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

• Encryption of personal data in transit and at rest
• Regular security assessments and audits
• Access controls and authentication mechanisms
• Staff training on data protection principles
• Incident response and breach notification procedures

7. Data Breach Notification

In the event of a personal data breach, we will:

• Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, where feasible
• Notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms
• Document all data breaches, including their effects and remedial actions taken

8. International Data Transfers

When we transfer personal data outside the EEA, we ensure appropriate safeguards are in place, such as:

• Standard Contractual Clauses approved by the European Commission
• Adequacy decisions by the European Commission
• Binding Corporate Rules
• Approved codes of conduct or certification mechanisms

9. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, including:

• To comply with legal, accounting, or reporting requirements
• To establish, exercise, or defend legal claims
• For archiving purposes in the public interest, scientific or historical research, or statistical purposes

10. Automated Decision-Making and Profiling

We do not engage in automated decision-making or profiling that produces legal effects or similarly significantly affects individuals.

11. Third-Party Data Processors

When we engage third-party data processors, we:

• Ensure they provide sufficient guarantees regarding data protection
• Establish data processing agreements that comply with GDPR requirements
• Conduct regular reviews of their security and compliance measures

12. Children's Data

We do not knowingly process personal data of children under 16 years of age without parental consent. If we become aware that we have collected such data, we will take steps to delete it promptly.

13. Complaints

If you believe we have not complied with GDPR requirements, you have the right to lodge a complaint with a supervisory authority, particularly in the EU member state of your habitual residence, place of work, or place of the alleged infringement.

For Australia-based complaints, you may contact the Office of the Australian Information Commissioner (OAIC).

14. Updates to This Statement

We may update this GDPR Compliance Statement to reflect changes in our practices or legal requirements. We will notify you of any material changes.

15. Contact Information

For any questions about our GDPR compliance or to exercise your rights, please contact:

crisp-frost
Email: [email protected]
Address: Level 14, 347 Kent Street, Sydney, NSW 2000, Australia