Welcome to SasinduSR Blog!
I am committed to protecting your privacy. This Privacy Policy explains how I, as the data controller, collect, use, and disclose information about you when you visit SasinduSR (the "Service"). It provides transparency on data handling and your rights.
This policy has been updated to comply with the European Union’s General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) and the ePrivacy Directive 2002/58/EC, as amended.
Why added: Introduced a clear statement of purpose to inform users about the scope of the policy and the operator’s responsibilities. Reference links provide official sources for GDPR and ePrivacy compliance.
1. Data Controller Information
Data Controller: SasinduSR (individual)
Contact: info@sasindusr.com
Purpose: To provide blog updates, newsletters, and enhance user experience.
Why added: GDPR Articles 13 and 14 require clear identification and contact details of the data controller. This informs users who is responsible for their personal data.
2. Information We Collect
I collect personal information only when you voluntarily provide it, such as when subscribing to the newsletter. Non-personal data is collected automatically via cookies and similar technologies, including site interaction history, IP address, and device information.
Why added: Distinguishes between voluntarily provided personal data and automatically collected non-personal data, improving transparency and aligning with GDPR Recital 26.
3. Use of Information and Lawful Basis
I process personal data lawfully, fairly, and transparently. The lawful bases under GDPR Article 6 include:
A. Email Address (Newsletter Subscription)
- Purpose: Sending blog posts, updates, and newsletters.
- Lawful Basis: Consent (Article 6(1)(a) GDPR).
- Rights: You may withdraw consent at any time using the "unsubscribe" link.
- Reference: GDPR Article 7 – Conditions for consent
Why added: Confirms explicit consent as the lawful basis for newsletter processing and provides clear instructions for withdrawal, improving user understanding and compliance.
B. Non-Personal Data and Tracking
- Purpose: Analytics, performance monitoring, security, and service improvement.
- Lawful Basis:
  - Consent for non-essential cookies (Article 6(1)(a) GDPR)
  - Legitimate interests for strictly necessary technical operations (Article 6(1)(f) GDPR)
Why added: Distinguishes strictly necessary cookies from non-essential cookies requiring consent. Explains lawful basis to ensure clarity for users and align with EDPB Guidelines on Consent.
4. Cookies, Tracking Technologies, and Consent
A. Cookie Categories
- Strictly Necessary Cookies: Essential for core functions; no prior consent required.
- Non-Essential Cookies: Analytics, performance, functionality; require explicit, prior consent (ePrivacy Directive Art. 5(3)).
B. Consent Mechanism
- Platform: Consent Management Platform (CMP) / cookie banner
- Options: Accept All, Reject All, or manage granular preferences
- Withdrawal: Consent can be withdrawn anytime via the cookie settings link
C. Cookie Details
A comprehensive list of cookies, including provider, purpose, and duration, is maintained in the separate Cookie Policy.
Why added: Describes cookie practices and consent mechanism to meet ePrivacy Directive and GDPR transparency requirements, helping users understand and manage their preferences.
5. Your Data Subject Rights
You have the following rights under GDPR Chapter III:
| Right | Description | GDPR Article |
|---|---|---|
| Right to be Informed | Know how your data is collected and used | Article 13 |
| Right of Access | Request a copy of personal data | Article 15 |
| Right to Rectification | Correct inaccurate personal data | Article 16 |
| Right to Erasure | "Right to be forgotten" | Article 17 |
| Right to Restrict Processing | Limit processing under certain conditions | Article 18 |
| Right to Data Portability | Obtain data in a machine-readable format | Article 20 |
| Right to Object | Object to processing based on legitimate interests or direct marketing | Article 21 |
| Right to Withdraw Consent | Withdraw consent at any time where consent is the lawful basis | Article 7 |
Right to Lodge a Complaint: You may contact the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali).
Why added: Provides a clear, user-friendly summary of all data subject rights and supervisory authority contact, ensuring full GDPR transparency.
6. International Data Transfers
Your personal data may be transferred outside the European Economic Area (EEA). Such transfers are safeguarded by the following mechanisms:
- Standard Contractual Clauses (SCCs): Legally approved data protection clauses adopted by the European Commission to ensure adequate protection when transferring data to countries without an adequacy decision. Reference: More info on SCCs
- Binding Corporate Rules (BCRs): Internal rules approved by the relevant data protection authority that allow multinational organizations to transfer personal data within their group globally. Reference: GDPR Article 47 – BCRs
Why added: Ensures clarity on legal safeguards under GDPR Chapter V (Articles 44–50) and EU guidance on Standard Contractual Clauses. This explains how international transfers remain compliant with EU data protection requirements.
7. Data Security and Retention
A. Security Measures
To protect personal data, I implement appropriate technical and organizational measures, including:
- Encryption: SSL/TLS encryption across the website to secure data in transit.
- Access Control: Limiting access strictly to personnel who need it for processing purposes.
- Hosting: Using reputable providers with robust security practices.
B. Retention Period
- Email addresses: Retained only while subscribed; deleted immediately upon unsubscribe.
- Other data: Retained only as necessary to fulfil the purposes for which it was collected.
C. Breach Notification
In the event of a personal data breach, I will:
- Notify the relevant supervisory authority without undue delay (GDPR Articles 33–34).
- Inform affected individuals when required.
- Follow EDPB Guidelines on Personal Data Breach.
Why added: Clarifies implemented security measures, retention periods, and breach notification procedures to ensure transparency and compliance with GDPR requirements. Provides explicit guidance for users on data protection and incident handling.
8. Children's Privacy
The Service is not directed at children under 16 years of age. I do not knowingly collect personal data from children under 16. If such data is discovered, it will be deleted immediately. Parents or legal guardians who become aware of such data are encouraged to contact: info@sasindusr.com. (GDPR Article 8)
Why added: Ensures compliance with GDPR Article 8, clarifying the age of consent for information society services and informing parents/guardians about their right to request deletion of children's data.
9. Changes to this Privacy Policy
I may update this Privacy Policy periodically by posting revisions on the Service. Users are encouraged to check this page regularly for any updates.
Why added: Ensures readers are informed about how policy updates are communicated and encourages proactive review to remain aware of their data rights.
10. Contact
For questions regarding this Privacy Policy or to exercise your GDPR rights, please contact: info@sasindusr.com.
Why added: Provides a clear, direct contact point for users to exercise their rights, in accordance with GDPR Articles 12–13.
11. Third-Party Services and Processors
I use third-party services to operate and improve the Service. Each processor acts under GDPR obligations (Article 28).
A. Analytics – PostHog (EU Instance)
- Purpose: Monitor website traffic, user behavior, and improve user experience.
- Data Collected: Page views, session duration, device type, IP address (anonymized where possible).
- Lawful Basis: Consent for non-essential cookies (Article 6(1)(a) GDPR)
- Reference: PostHog & GDPR compliance
Why added: Discloses analytics processor, types of data collected, and lawful basis, ensuring transparency and compliance with GDPR.
B. Hosting – Vercel
- Purpose: Hosting the Service and providing secure, reliable infrastructure.
- Data Collected: Technical data necessary for service delivery, logs, and error reports.
- Lawful Basis: Legitimate interests (Article 6(1)(f) GDPR)
- Reference: Vercel Privacy & GDPR
Why added: Clarifies hosting processor obligations and the legal basis, ensuring GDPR compliance and user awareness.
C. Mailing – AWS Simple Email Service (SES)
- Purpose: Sending newsletters, blog updates, and transactional emails.
- Data Collected: Subscriber email addresses.
- Lawful Basis: Consent (Article 6(1)(a) GDPR)
- Reference: AWS GDPR Center
Why added: Discloses mailing processor obligations and lawful basis to ensure full GDPR transparency for users.