GDPR Compliance
GDPR Compliance at Data Annotation Vendors — data subject rights, lawful processing, deletion requests, DPA terms, and how we protect personal data for EU and UK clients.
Last updated: June 21, 2026
Data Annotation Vendors is committed to compliance with the EU General Data Protection Regulation (GDPR), the UK GDPR, and aligned international privacy standards. As an enterprise data annotation partner, we frequently act as a data processor on behalf of clients who are data controllers. This page summarizes our GDPR program, data subject rights, and how organizations can engage us with appropriate safeguards.
1. Our role as controller and processor
When you visit dataannotationvendors.com, subscribe to updates, or submit a business inquiry, Data Annotation Vendors typically acts as a data controller for the personal information you provide. When we annotate client-supplied datasets containing personal data, we generally act as a data processor executing documented instructions from the client controller. Roles are defined in our Data Processing Addendum (DPA) and project statements of work.
2. Lawful bases for processing
We process personal data only when a valid legal basis applies. Common bases include contract performance, legitimate interests balanced against data subject rights, compliance with legal obligations, and consent where required (for example, optional marketing communications or non-essential cookies in consent jurisdictions).
- Responding to enterprise sales and support inquiries (contract / legitimate interests).
- Delivering contracted annotation and QA services (contract).
- Maintaining website security and fraud prevention (legitimate interests / legal obligation).
- Complying with tax, accounting, and regulatory requirements (legal obligation).
- Sending B2B marketing with appropriate opt-out mechanisms (consent or legitimate interests as permitted).
3. Data Processing Addendum
Enterprise clients receive a GDPR-aligned DPA describing subject matter, duration, nature and purpose of processing, categories of data subjects and personal data, controller instructions, confidentiality, security measures, subprocessors, international transfers, audit cooperation, and breach notification timelines. Our DPA incorporates Standard Contractual Clauses where required for transfers outside the EEA and UK.
4. Data subject rights
Individuals in the EEA and UK may exercise the following rights subject to conditions and exceptions in applicable law:
- Right of access — obtain confirmation and a copy of personal data we process as controller.
- Right to rectification — correct inaccurate or incomplete data.
- Right to erasure — request deletion when data is no longer necessary or consent is withdrawn, subject to legal retention needs.
- Right to restriction — limit processing in certain circumstances.
- Right to data portability — receive controller data in a structured, commonly used format where applicable.
- Right to object — object to processing based on legitimate interests or direct marketing.
- Rights related to automated decision-making — we do not make solely automated decisions with legal or similarly significant effects on website visitors without human review.
To exercise rights relating to data we control, email contact@dataannotationvendors.com with sufficient detail to verify identity. We respond within one month unless an extension is permitted. If your data appears in a client annotation project, contact the client controller first; we will assist controllers with verified requests per our DPA.
5. Deletion and retention
We delete or anonymize personal data when retention is no longer necessary for the purposes collected, subject to contractual return-or-delete obligations at project end and statutory limitation periods. Client project data deletion schedules are documented in statements of work and may include certified destruction upon request. Backup systems may retain encrypted copies for limited rolling periods consistent with disaster recovery policies.
6. Security and organizational measures
We implement technical and organizational measures appropriate to annotation workloads, including access controls, encryption in transit, secure workspace isolation, employee training, background checks where required by contract, logging and monitoring, vendor risk review, and incident response playbooks. Detailed control descriptions are available under NDA during enterprise procurement.
7. Subprocessors
We engage vetted subprocessors for hosting, communications, CRM, analytics, and operational tooling. A current subprocessor list is available to clients upon request and updated when material changes occur in accordance with DPA notice periods. Clients may object to new subprocessors on reasonable grounds as specified in their agreement.
8. International transfers
Personal data may be processed in the United States and other countries where we or our subprocessors operate. For transfers from the EEA, UK, or Switzerland, we rely on adequacy decisions where available, Standard Contractual Clauses, and supplementary measures such as encryption and access restrictions. Clients may specify approved regions or data residency requirements in enterprise contracts.
9. Data protection impact assessments
Clients responsible for high-risk processing should conduct Data Protection Impact Assessments (DPIAs) where required. We provide information about our annotation workflows, security controls, and subprocessors to support client DPIAs and vendor risk reviews upon request.
10. Personal data breach notification
We maintain procedures to detect, investigate, and respond to suspected personal data breaches. Where we act as processor, we notify the client controller without undue delay after becoming aware of a breach affecting client personal data, providing information reasonably available to support the controller’s regulatory notifications.
11. Supervisory authorities
Data subjects may lodge complaints with their local supervisory authority. We encourage contacting us first at contact@dataannotationvendors.com so we can address concerns promptly. A list of EU supervisory authorities is published by the European Data Protection Board. UK complaints may be directed to the Information Commissioner’s Office (ICO).
12. Contact our privacy team
For GDPR questions, DPA requests, subprocessor lists, or data subject rights relating to information we control, contact contact@dataannotationvendors.com. Include “GDPR Request” in the subject line for faster routing.
13. Privacy by design in annotation workflows
We apply data minimization in client projects by restricting annotator access to fields required for the task, masking identifiers when guidelines permit, and supporting pseudonymization or redaction workflows upon instruction. Project environments are provisioned with least-privilege roles and segregated storage where contracts require.
14. Training and confidentiality
Personnel with access to personal data receive privacy and security training appropriate to their role. Confidentiality obligations apply to employees, contractors, and supervised annotators. Background screening may be applied for sensitive programs as specified in client agreements.
15. Joint controllership
In rare scenarios where we and a client jointly determine purposes and means of processing for specific activities, responsibilities will be documented in a joint controller arrangement or contract amendment as required by GDPR Article 26.