Skip to content
GDPR

GDPR-compliant, from the ground up

The General Data Protection Regulation (GDPR) is the European privacy law that governs how organisations handle personal data. It gives people rights over their own data and places a duty of result on you as a lead generator: you must not only act carefully, you must also be able to prove it. For a lead operation that is not an optional promise, it is a verifiable practice.

Lead processing is especially sensitive in this respect. A request typically contains directly identifiable data (name, phone number, email, sometimes financial or legal context), and that data travels from a publisher to a buyer, under your brand. At every node in that chain it must be clear on what legal basis the data is processed, who has access and how long it is retained. OXIAE builds those answers into the platform, so you never have to reconstruct them after the fact.

GDPR-compliant EU data residency Full audit trail

Last updated: 1 June 2026

The core principles, in practice

The GDPR's core principles are not a checklist to tick off afterwards. Below you see, per principle, exactly how the platform supports it in practice.

01 Lawfulness & consent

Every request that runs through your platform carries a recorded, valid legal basis with it. Consent is captured the moment it comes in and stays verifiably linked to the lead.

02 Purpose limitation

Data is processed only for the purpose the consent was given for. Routing and matching to buyers happen within the boundaries you set as operator, not beyond them.

03 Data minimisation

Forms and intake only ask for what the purpose requires. Fields that do not contribute to the processing are not collected and not stored, configurable per label or request type.

04 Accuracy

Requests are checked at intake for provenance and consistency, so your buyers work with data that is correct and traceable back to a publisher.

05 Storage limitation

You set retention periods per processing activity within the platform, and they are applied automatically. Data expires according to your policy instead of lingering indefinitely.

06 Integrity & confidentiality

Encrypted transport, secure storage and access by role and context ensure data within your platform is only visible to those who need it.

07 Accountability

Every processing step is logged in an audit trail. What happened to a request is visible to you at any moment and exportable as evidence, for a supervisory authority or a buyer.

Legal bases for processing

No processing is lawful without a legal basis. The GDPR recognises six; three are relevant for lead processing. Which one applies determines what you as operator may do, and what you must be able to demonstrate.

Consent

The data subject has actively and knowingly said yes to sharing their data with buyers for a specific purpose.

For lead processing

The most common legal basis for lead processing. Your platform captures consent the moment it comes in, with timestamp, text and source, so you can later demonstrate the choice was informed and revocable.

Legitimate interest

A processing activity is necessary for a legitimate purpose and the interests of the data subject do not outweigh it, after a balancing test.

For lead processing

May apply to supporting processing such as fraud prevention or quality control. For sharing a lead with a buyer, consent is almost always the cleaner ground; legitimate interest requires a documented balancing test.

Contract

The processing is necessary to perform a contract with the data subject, or to take steps at their request before entering into one.

For lead processing

Comes into play when the data subject themselves asks for contact or a quote and delivery to the buyer is a direct consequence of that request. The line with consent is fine; your platform records per lead which ground was chosen.

In practice, consent for sharing a lead with a buyer is usually the cleanest choice: it is clear, revocable and easy to document. The platform records per request which legal basis applies, so a processing activity is never detached from its justification.

Data subject rights

Behind every lead is a person with rights over their own data. Those rights only matter if you can actually exercise them: quickly, completely and provably. Because the platform links all data around one person, a request becomes a matter of minutes for you, rather than a search across separate systems.

Right of access

The data subject may request which data you process and for what purpose. Your platform bundles every record around one person (form input, consent evidence, provenance and processing steps) into an exportable overview.

Right to rectification

Inaccurate or incomplete data can be corrected. The change is applied and recorded, so it stays traceable what was changed, when and by whom.

Right to erasure

On a valid right-to-be-forgotten request, you permanently remove the data from active processing. The audit trail keeps an anonymised trace of the request itself, not of the content.

Right to restriction

A lead can be frozen while a request or dispute is pending. The data is retained but no longer routed, matched or delivered until the situation is resolved.

Right to data portability

The data subject may receive their data in a common, machine-readable format. An export delivers the supplied data as structured JSON or CSV, ready to transfer.

Right to object

Processing based on legitimate interest can be objected to. The objection is recorded and processing stops as soon as there is no longer a compelling ground.

How a request is handled via the audit trail

Every data subject request follows the same verifiable route within your platform. The audit trail records every step, so you can demonstrate to both the data subject and the supervisory authority that you acted promptly and completely.

01

Request registered

The request comes in through a fixed channel and is recorded with timestamp, type of right and identity of the data subject. The statutory one-month deadline starts, measurably.

02

Data brought together

The platform bundles every record around the person: form input, consent evidence, provenance, routing and deliveries, across all your labels and buyers.

03

Right exercised

Depending on the request, an access export, rectification, restriction or permanent erasure follows. The action is applied irreversibly in active processing.

04

Handling logged

The outcome is recorded in the audit trail and exportable as evidence. On erasure, only an anonymised trace of the request remains, not the content.

Retention periods in practice

Storage limitation sounds abstract until you make it concrete per lead status. A rejected lead should not sit around for as long as a delivered lead with a running warranty period. You link a period to each status within the platform, and data expires automatically once it is reached: no manual clean-up, no forgotten records. The periods below are illustrative; you configure them to your own policy.

Lead status
Example period
Explanation
Rejected
30 days
A lead that fails the quality or validation check is kept briefly for review and analysis, then automatically deleted.
Delivered
24 months
A successfully delivered lead is retained for as long as needed for accountability, billing and any warranty, after which the record expires.
In dispute
Extended until resolved
While a dispute is open, the record stays frozen in storage. The expiry counter resumes once the dispute has been resolved.
Erasure request
Immediate
On a valid right-to-be-forgotten request, the content is removed immediately; only an anonymised trace of the request remains.

Automatic expiry is an active processing operation, not a passive marker: on the expiry date the personal data is actually removed from storage. The audit trail records that a record expired, and when, without retaining the deleted content.

Data breach procedure

A data breach is an incident in which personal data is unintentionally accessed, altered, leaked or destroyed. The GDPR requires the controller to report a notifiable breach to the supervisory authority within 72 hours of discovery. Speed and clarity decide everything at that point, which is why the route is laid out in advance at OXIAE, instead of something you have to improvise.

01

Detection

Monitoring, access logs and the audit trail flag anomalous behaviour. A suspected incident is recorded immediately with timestamp, scope and data involved.

02

Assessment

The incident is assessed for nature, scale and risk to data subjects, so it is clear whether it is a notifiable breach and which people are affected.

03

Notification to you as controller

As the platform vendor, OXIAE notifies you without undue delay, with the information you need to make the statutory notification as data controller.

04

Authority notification within 72 hours

You report the breach where required within 72 hours to the supervisory authority, and inform data subjects in case of high risk. Every step stays traceable through the platform.

OXIAE supports your GDPR compliance with technology, recording and clear role allocation. It is not a substitute for legal advice on your own processing and responsibilities as a lead generator.

Frequently asked questions about GDPR

The questions that come up most often about hosting, transfers, sub-processors and demonstrating compliance.

Where is the data hosted?

All personal data is processed and stored within the European Union. Data residency in the EU means your data stays under the GDPR regime and does not, by default, end up outside the European legal space.

What happens with international transfers?

OXIAE aims to keep processing within the EU/EEA. Should a transfer to a third country be necessary, it happens only with a valid transfer mechanism, such as an adequacy decision or standard contractual clauses (SCCs), with the accompanying safeguards.

Are sub-processors used?

For components such as hosting or email delivery, sub-processors may be engaged. A data processing agreement is in place with every sub-processor, they are bound by the same obligations, and you get visibility into which parties are involved.

How do I demonstrate my compliance?

Because legal basis, consent, provenance and retention period are recorded per lead, and every processing step sits in the audit trail, you can substantiate your processing with exportable evidence, for a supervisory authority or a buyer. You reconstruct nothing after the fact; accountability is built into the platform.

What is the difference between GDPR and AVG?

No difference in substance. GDPR is the English name (General Data Protection Regulation), AVG the Dutch one (Algemene verordening gegevensbescherming). It is exactly the same European regulation.

How quickly can I handle an access or erasure request?

A request is registered, the data around the person is automatically bundled, and the requested action is carried out and logged. That keeps you comfortably within the statutory one-month deadline, even as volume grows.

See what GDPR-compliant looks like in practice

Book a demo and discover how legal bases, data subject rights, retention periods and an audit trail make every request provable in your platform.