Privacy policy

Effective Date: 21 June 2025

1. Introduction and Scope

This Privacy Policy sets out how Neogudilap (“we”, “us”, or “our”) collects, uses, and protects the personal data of individuals (“you” or “users”) who access or interact with our website, in full compliance with the General Data Protection Regulation (Regulation (EU) 2016/679, hereafter “GDPR”).

This policy applies to all personal data processed via our website, including data collected through contact forms, account creation, transactions, cookies, or any other interactions with our online platform. It also applies to any processing carried out by third parties on our behalf.

We are committed to upholding the principles of data protection as defined by Article 5 of the GDPR — namely, that all personal data shall be:

  • processed lawfully, fairly, and transparently,
  • collected for specified, explicit, and legitimate purposes,
  • limited to what is necessary,
  • accurate and kept up to date,
  • stored for no longer than necessary,
  • and processed in a manner that ensures appropriate security.

By accessing or using our website, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with any aspect of it, you should refrain from using our services.

2. Definitions

For the purposes of this Privacy Policy, the following terms shall have the meanings set out below, as defined under Article 4 of the General Data Protection Regulation (“GDPR”):

  • “Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”). An identifiable person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, identification number, location data, online identifier, or to factors specific to their physical, physiological, genetic, mental, economic, cultural, or social identity.

  • “Processing” refers to any operation or set of operations performed upon Personal Data, whether by automated means. This includes collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, erasure, or destruction.

  • “Data Subject” is any individual whose Personal Data is collected and processed by us.

  • “Data Controller” means the natural or legal person, public authority, agency, or other body that alone or jointly with others determines the purposes and means of Processing Personal Data. For the purpose of this policy, Dmitry Galkovsky Publishing is the Data Controller.

  • “Data Processor” is any natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Data Controller.

  • “Consent” means any freely given, specific, informed, and unambiguous indication of the Data Subject’s wishes by which they, by a statement or by a clear affirmative action, signify agreement to the Processing of Personal Data relating to them.

  • “Supervisory Authority” refers to the independent public authority established by a Member State pursuant to Article 51 of the GDPR, responsible for monitoring the application of the Regulation.

These definitions are intended to provide clarity and ensure that you understand your rights and our obligations with full transparency.

Certainly — here is a complete implementation of Item 3: Identity and Contact Information of the Data Controller. It’s crafted to meet the GDPR’s explicit requirements (especially Article 13), ensuring full transparency and accessibility:

3. Identity and Contact Information of the Data Controller

The Data Controller responsible for the collection and processing of your personal data via this website is:

  • LLC “Dmitry Galkovsky Publishing”
  • Company Registration Number: 1047796708090
  • Registered Address: Sadovo-Kudrinskaya street 23, 123001 Moscow, Russia
  • Contact Email: info@i-dg.ru

If you have any questions regarding the processing of your personal data, or if you wish to exercise any of your rights under the GDPR, you may contact us using the details above.

Data Protection Officer (DPO)
Where required by law, we have appointed a Data Protection Officer who is responsible for overseeing our compliance with the GDPR:

  • Name: Dmitry Galkovsky

You may also contact the DPO directly regarding any questions or concerns you may have about how your personal data is handled.

4. Personal Data We Collect and How We Collect It

We collect only the personal data that is necessary for specific, lawful purposes, as detailed below. We do not collect data without a clearly defined and legally justified basis.

4.1 Categories of Personal Data Collected

We collect the following categories of Personal Data:

a. Data You Provide Directly

  • Identification Data: Full name, date of birth, postal address, billing address, email address, telephone number.
  • Account Data: Username, encrypted password, and other credentials used to access your account.
  • Transaction Data: Payment information (e.g., cardholder name, masked card number, payment confirmation ID), purchase history.
  • Communications Data: Information provided when contacting customer service or support, including email content and attachments.
  • Preferences: Marketing and communication preferences you choose via your account settings or forms.

b. Data We Collect Automatically

  • Technical Data: IP address, device type, operating system, browser type, browser version, and language settings.
  • Usage Data: Dates and times of visits, pages viewed, interactions with site features, clicks, and scroll behavior.
  • Tracking Identifiers: Cookie IDs, session identifiers, and advertising IDs (if applicable).

c. Data We Receive from Third Parties

  • Authentication or Login Services: If you choose to log in via a third-party service (e.g., Google, Facebook), we receive identifiers and profile information according to the permissions you grant.
  • Payment Providers: Confirmation of transaction success/failure and reference IDs.
  • Analytics Providers: Aggregated insights into page views, site usage behavior, and audience demographics.

We do not collect or process any special categories of personal data (e.g., racial or ethnic origin, political opinions, religious or philosophical beliefs, biometric or health data), unless explicitly required and lawfully justified under Article 9(2) of the GDPR, and only with your explicit prior consent.

4.2 Methods of Data Collection

We collect personal data through the following methods:

  • Direct submission by you: Via registration forms, contact forms, checkout processes, support requests, surveys, and account management tools.
  • Automated collection tools: Through cookies, server logs, pixels, and similar technologies that track user interaction with our website.
  • Third-party integrations: When you interact with embedded third-party services (e.g., analytics tools or embedded social media features).

We do not use any form of automated decision-making or profiling that produces legal or similarly significant effects on individuals, unless required by law or explicitly agreed to by the user.

5. Legal Basis for Data Processing

We process personal data only when and insofar as we have a valid legal basis under Article 6(1) of the General Data Protection Regulation (GDPR). Each category of personal data and corresponding processing activity is linked to one or more of the following lawful grounds:

5.1 Consent (Article 6(1) (a))

We process your personal data when you have given explicit, informed, and unambiguous consent for a specific purpose.
Examples include:

  • Subscribing to newsletters or marketing communications.
  • Participation in optional surveys or promotional campaigns.
  • Accepting non-essential cookies via our consent banner.

You may withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal. Instructions for doing so are provided in Section 10.

5.2 Contractual Necessity (Article 6(1) (b))

Processing is necessary for the performance of a contract to which you are a party or to take steps at your request prior to entering into such a contract.
Examples include:

  • Creating and maintaining a user account.
  • Fulfilling an order or service request.
  • Providing customer support related to a purchase or account.

5.3 Legal Obligation (Article 6(1)©)

Processing is required to comply with legal obligations to which we are subject.
Examples include:

  • Storing transaction records for tax and accounting compliance.
  • Responding to lawful requests from supervisory authorities or law enforcement agencies.
  • Maintaining data to fulfill statutory retention requirements.

5.4 Legitimate Interests (Article 6(1) (f))

Processing is necessary for the legitimate interests pursued by us or a third party, provided such interests are not overridden by your fundamental rights and freedoms.
Examples include:

  • Detecting and preventing fraudulent activities.
  • Improving website functionality, security, and performance.
  • Analyzing aggregated user behavior to optimize content and layout.
  • Sending transactional or service-related messages (e.g., password reset, account updates).

Where legitimate interest is the basis for processing, we perform a documented balancing test to ensure that our interests do not override your rights and expectations.

6. Purpose (s) of Data Processing

We process personal data solely for the specific, explicit, and legitimate purposes set out below. Each processing purpose is tied to one or more lawful grounds under Article 6 of the GDPR. We do not use your personal data for any additional or incompatible purposes.

6.1 User Registration and Account Management

  • Purpose: To create, authenticate, and manage your user account, including profile information, login credentials, and security settings.
  • Legal Basis: Contractual necessity (Art. 6(1) (b)).

6.2 Order Processing and Service Delivery

  • Purpose: To process transactions, deliver products or services, issue invoices, and manage your purchase history.
  • Legal Basis: Contractual necessity (Art. 6(1) (b)); Legal obligation (Art. 6(1)©) for tax and accounting compliance.

6.3 Customer Support and User Interaction

  • Purpose: To respond to your inquiries, support requests, or complaints submitted via contact forms, chat, or email.
  • Legal Basis: Contractual necessity (Art. 6(1) (b)); Legitimate interest (Art. 6(1) (f)) to ensure quality service.

6.4 Communication and Notifications

  • Purpose: To send essential administrative or transactional messages, such as service updates, security alerts, or password resets.
  • Legal Basis: Legitimate interest (Art. 6(1) (f)) to maintain service integrity and account security.

6.5 Marketing and Promotional Messaging

  • Purpose: To send newsletters, special offers, and product or service announcements, only where you have actively opted in.
  • Legal Basis: Consent (Art. 6(1) (a)).
  • Note: You may withdraw consent at any time using the unsubscribe link or by contacting us (see Section 10).

6.6 Analytics and Website Optimization

  • Purpose: To analyze website traffic, user behavior, and content interaction in order to improve functionality, navigation, and performance.
  • Legal Basis: Legitimate interest (Art. 6(1) (f)).
  • Note: For non-essential cookies and tools, we obtain your prior consent (Art. 6(1) (a)).

6.7 Fraud Prevention and Security Monitoring

  • Purpose: To detect and prevent fraudulent or unauthorized use of our services and to protect users from security threats.
  • Legal Basis: Legitimate interest (Art. 6(1) (f)); Legal obligation (Art. 6(1)©) where applicable under cybersecurity or financial regulations.

6.8 Legal Compliance and Enforcement

  • Purpose: To comply with applicable laws, enforce contractual obligations, and respond to lawful requests by public authorities.
  • Legal Basis: Legal obligation (Art. 6(1)©).

7. Data Sharing and Third Parties

We do not sell, rent, or otherwise disclose your personal data to third parties for their own commercial purposes. However, we do share personal data with carefully selected third parties only when necessary for the proper operation of our services or when legally required, as detailed below.

7.1 Data Recipients

We may share your personal data with the following categories of third parties:

a. Service Providers (Processors)

We engage third-party service providers who process personal data solely on our behalf and under strict contractual obligations, including:

  • Hosting and infrastructure providers (e.g., cloud hosting, CDN)
  • Payment processors and financial institutions
  • Customer support platforms
  • Email delivery and communications providers
  • Analytics and performance monitoring tools
  • IT security and fraud prevention services

Each of these entities acts as a Data Processor under Article 28 of the GDPR. We have signed Data Processing Agreements (DPAs) with all such processors to ensure:

  • Processing only for specified purposes and under our documented instructions
  • Implementation of appropriate technical and organizational security measures
  • Strict confidentiality and prohibition of onward data transfers

b. Legal and Regulatory Authorities

We may disclose your personal data to competent authorities when:

  • Required by a legal or regulatory obligation
  • Responding to lawful requests by public authorities (e.g., tax, customs, judiciary, law enforcement)

Such disclosures are made only in accordance with the law and following a careful review of the legitimacy and scope of each request.

c. Professional Advisors and Auditors

Personal data may be shared with legal counsel, accountants, or regulatory auditors for purposes such as legal compliance, dispute resolution, or financial review, provided such advisors are bound by confidentiality obligations.

7.2 Data Minimization and Control

All third-party recipients only receive the data strictly necessary for their assigned function. We do not allow them to use your personal data for any other purpose.

We regularly review our relationships with these partners to ensure ongoing compliance with our contractual and legal obligations under GDPR.

8. International Data Transfers

We process and store your personal data primarily within the European Economic Area (EEA). However, in limited circumstances, certain data may be transferred to countries outside the EEA. This typically occurs when we engage third-party service providers located in, or with servers in, jurisdictions that do not benefit from an adequacy decision by the European Commission.

8.1 Scope of International Transfers

Your personal data may be transferred to and processed in the following contexts:

  • Cloud hosting providers and infrastructure partners with data centers outside the EEA
  • Email delivery or customer communication tools operating globally
  • Payment service providers with headquarters or processing operations outside the EEA
  • Analytics, security, or support services operated from non-EEA jurisdictions

8.2 Safeguards and Legal Transfer Mechanisms

To ensure that your data receives an adequate level of protection comparable to EU standards, we implement one or more of the following transfer mechanisms for all non-EEA data flows:

  • Standard Contractual Clauses (SCCs) issued by the European Commission (2021/914), incorporated into our contracts with non-EEA processors
  • Supplementary technical and organizational safeguards, such as encryption at rest and in transit, strict access controls, and data minimization
  • **Transfers to countries covered by an adequacy decision under Article 45(1) of the GDPR
  • Binding Corporate Rules (BCRs) where applicable to large multinational service providers

We regularly evaluate our third-party vendors’ compliance with these requirements and ensure that all international transfers are properly documented and risk-assessed.

8.3 Your Rights Concerning International Transfers

You have the right to be informed about the nature and destination of international data transfers. You may request a copy of applicable Standard Contractual Clauses or further information regarding specific safeguards by contacting us (see Section 3).

9. Data Retention and Deletion Policies

We retain personal data only for as long as is strictly necessary to fulfill the specific purposes for which it was collected, or as required by legal, regulatory, or contractual obligations. We do not retain data indefinitely or without purpose.

9.1 Retention Periods by Data Category

Data Category Retention Period Legal Basis / Justification
Account Registration Data Until user account is deleted, or 3 years after last login Contract performance and legitimate interest
Order and Transaction Records 10 years from date of transaction Legal obligation (e.g., tax and accounting regulations)
Customer Support Communications 3 years from date of last correspondence Legitimate interest (for dispute handling and audit trail)
Marketing and Consent Data Until consent is withdrawn or 2 years after last engagement Consent; record-keeping for compliance
Website Analytics and Cookies 13 months (standard for analytics identifiers in the EU) Legitimate interest (with consent where applicable)
Security and Log Files 6 months from collection date Legitimate interest (fraud prevention and diagnostics)

Note: If statutory laws require longer retention (e.g. financial audits, court proceedings), applicable records may be retained until those obligations expire.

9.2 Deletion and Anonymization

When retention periods expire, or if a user requests erasure (and no overriding legal obligation exists), we take the following actions:

  • Erasure: Secure and irreversible deletion of data from all active systems and backups.
  • Anonymization: In cases where statistical or historical value exists, data is permanently anonymized to remove any direct or indirect identifiers.

Deletion processes are subject to regular audits and verification to ensure compliance with this policy.

10. Data Subject Rights

As a data subject under the General Data Protection Regulation (GDPR), you have the following rights concerning your personal data. We are committed to enabling and honoring these rights in a transparent, accessible, and timely manner.

10.1 Right of Access (Article 15)

You have the right to obtain confirmation whether personal data concerning you is being processed. If so, you may request a copy of your personal data, together with detailed information about:

  • the categories of data processed
  • the purposes of processing
  • the recipients or categories of recipients
  • the envisaged data retention period
  • the source of the data (if not collected directly from you)
  • the existence of automated decision-making, including profiling

10.2 Right to Rectification (Article 16)

You have the right to request immediate correction of inaccurate personal data concerning you. Where incomplete, you may request its completion, including by providing a supplementary statement.

10.3 Right to Erasure (“Right to be Forgotten”) (Article 17)

You may request the deletion of your personal data if:

  • the data is no longer necessary for the purposes for which it was collected
  • you withdraw your consent (where applicable)
  • you object to processing based on legitimate interest or for direct marketing
  • your data has been unlawfully processed
  • deletion is required for compliance with a legal obligation

We will comply with such requests unless we are legally obligated to retain the data, or it is necessary for the establishment, exercise, or defense of legal claims.

10.4 Right to Restriction of Processing (Article 18)

You may request that we restrict processing of your personal data if:

  • you contest its accuracy (pending verification)
  • the processing is unlawful but you oppose erasure
  • we no longer need the data, but you require it for legal claims
  • you have objected to processing and a decision is pending

During the restriction period, your personal data will not be processed for any purpose except storage or with your explicit consent.

10.5 Right to Data Portability (Article 20)

Where processing is based on consent or contract and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format. You also have the right to have that data transmitted directly to another controller, where technically feasible.

10.6 Right to Object (Article 21)

You may object at any time to the processing of your personal data:

  • when the processing is based on our legitimate interests
  • when used for direct marketing (including profiling related to such marketing)

Upon objection, we will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or where processing is necessary for legal claims.

10.7 Right to Withdraw Consent (Article 7(3))

Where processing is based on your consent, you may withdraw that consent at any time. This will not affect the lawfulness of prior processing, but we will cease all processing based on that consent from the point of withdrawal onward.

10.8 Right to Lodge a Complaint (Article 77)

If you believe that our processing of your personal data violates the GDPR or your data protection rights, you have the right to lodge a complaint with your local supervisory authority. Contact information can be found in Section 15 of this Privacy Policy.

10.9 How to Exercise Your Rights

To exercise any of the rights listed above, you may submit a request to us with:

  • Subject Line: “Data Subject Request — [Insert Your Right]”

We will confirm receipt of your request without undue delay and respond within one month, as required by Article 12(3) of the GDPR. If we require more time due to the complexity or volume of requests, we will notify you accordingly. We may require verification of your identity before fulfilling your request to protect your data.

11. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to ensure the website functions correctly, to analyze usage, and—where you have provided consent—to deliver personalized content and marketing. This section describes the types of technologies used, their purposes, and how you can manage your preferences.

11.1 What Are Cookies?

Cookies are small text files placed on your device when you access our website. They may be set by us (first-party cookies) or by third parties whose services we use (third-party cookies). Some are essential for website functionality, while others are used for analytics or advertising.

We may also use similar technologies such as:

  • Local storage (persistent browser-based storage)
  • Pixels or web beacons (invisible images used to monitor interactions)
  • JavaScript tags and fingerprinting scripts

11.2 Categories of Cookies We Use

Type of Cookie Purpose Legal Basis
Strictly Necessary Enable basic website functionality such as navigation and session management Legitimate interest (Art. 6(1) (f))
Functional Store user preferences (e.g. language or region) Consent (Art. 6(1) (a))
Analytics Collect anonymized usage statistics to improve the website Consent (Art. 6(1) (a))
Marketing Deliver targeted advertising and track effectiveness Consent (Art. 6(1) (a))

We do not place non-essential cookies without your prior consent.

11.3 Third-Party Cookies

Some features of our website rely on third-party providers that may set cookies for their own purposes. These include:

  • Google Analytics (for aggregated website analytics)
  • Meta Pixel or similar advertising tools (for marketing attribution)
  • Embedded media providers (e.g., YouTube, Vimeo)

We conduct due diligence to ensure that these providers adhere to the GDPR and that any transfer of data outside the EEA is protected by appropriate safeguards (see Section 8).

11.4 Cookie Management and Consent

When you first visit our website, you are presented with a cookie banner that allows you to:

  • Accept all cookies
  • Reject non-essential cookies
  • Customize your preferences by category

You may modify or withdraw your consent at any time via our [Cookie Preferences Center] or through your browser settings.

For instructions on managing cookies via your browser, refer to:

Please note that disabling certain cookies may impact your website experience or functionality.

12. Data Security Measures

We implement a comprehensive suite of technical and organizational security measures to ensure the confidentiality, integrity, and availability of personal data, and to protect it against unauthorized or unlawful processing, accidental loss, destruction, or damage.

12.1 Technical Measures

  • Encryption: All data in transit is protected using industry-standard TLS (Transport Layer Security). Sensitive data stored at rest (e.g. passwords, access tokens) is encrypted using AES-256 or equivalent.
  • Access Control: Access to personal data is restricted to authorized personnel on a strict need-to-know basis, enforced through role-based access control (RBAC) and multifactor authentication (MFA).
  • Intrusion Detection and Monitoring: Systems are monitored continuously for unusual activity, unauthorized access attempts, and potential vulnerabilities using intrusion detection systems (IDS) and security information and event management (SIEM) tools.
  • Secure Software Development: All development follows secure coding practices, including static analysis, input validation, dependency monitoring, and regular code audits.
  • Regular Patching and Updates: All systems, servers, and third-party dependencies are patched regularly to remediate known security vulnerabilities.

12.2 Organizational Measures

  • Employee Training: All staff with access to personal data receive regular training on data protection principles, secure handling procedures, and incident response protocols.
  • Data Minimization: Only the minimum necessary personal data is collected and retained for the intended purposes. Access logs are regularly reviewed and data usage is monitored.
  • Vendor Assessments: All third-party service providers undergo a documented security and data protection due diligence review before onboarding, including evaluation of their GDPR compliance and certifications (e.g. ISO 27001).
  • Data Protection by Design and Default: Privacy impact assessments (DPIAs) are conducted for systems or processes involving high-risk data processing activities, as required under Article 35 of the GDPR.
  • Business Continuity and Disaster Recovery: Backups are encrypted and stored redundantly in secure locations. Disaster recovery procedures are regularly tested to ensure rapid restoration of availability in the event of an incident.

12.3 Audit and Review

We conduct regular internal audits and third-party penetration testing to evaluate the effectiveness of our security controls. Security measures are reviewed and updated as necessary based on evolving threats, best practices, and regulatory requirements.

13. Data Breach Notification Policy

We have implemented a structured and proactive policy for identifying, assessing, managing, and reporting any personal data breach that poses a risk to your rights and freedoms, in accordance with Articles 33 and 34 of the GDPR.

13.1 Definition of a Data Breach

A “personal data breach” is defined as a breach of security leading to the accidental or unlawful:

  • destruction,
  • loss,
  • alteration,
  • unauthorized disclosure of, or
  • access to
    personal data transmitted, stored, or otherwise processed.

This includes both deliberate attacks (e.g., malware or hacking) and accidental incidents (e.g., misdelivery of data, loss of devices).

13.2 Detection and Assessment

  • All systems are continuously monitored for anomalies or unauthorized access attempts.
  • Breaches are promptly reported to our internal Security and Privacy Response Team.
  • Each incident undergoes a structured risk assessment to determine:
    • the nature and sensitivity of the affected data,
    • the number and identity of data subjects involved,
    • potential consequences of data subjects (e.g., identity theft, discrimination, reputational harm).

13.3 Notification to Supervisory Authority

  • If a breach is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority without undue delay and within 72 hours of becoming aware of the incident, as required by GDPR Article 33(1).
  • The notification will include:
    • a description of the breach,
    • categories and approximate number of affected individuals,
    • contact details of the Data Protection Officer or other point of contact,
    • likely consequences, and
    • measures taken or proposed to address the breach.

If notification is delayed beyond 72 hours, the reasons for the delay will be documented and disclosed.

13.4 Notification to Data Subjects

  • Where the breach is likely to result in a high risk to your rights and freedoms, you will be informed without undue delay, in clear and plain language, in accordance with Article 34.
  • The notification will describe:
    • the nature of the breach,
    • its likely consequences,
    • contact details for further information,
    • steps you can take to mitigate potential harm, and
    • measures we have taken to contain the breach.

Notification to individuals may be delayed or withheld only in accordance with Article 34(3), such as if it would obstruct an official investigation or if technical measures rendered the breached data unintelligible.

13.5 Record-Keeping and Accountability

  • All personal data breaches, regardless of impact or reporting obligation, are fully documented in a Breach Register maintained by our Data Protection Officer.
  • This includes the facts of the breach, its effects, remedial actions taken, and justification for any decisions regarding notification.
  • These records are available to supervisory authorities upon request.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time in order to reflect changes in legal, regulatory, or operational requirements; modifications to our services or data processing activities; or to improve clarity and transparency.

14.1 Notification of Changes

  • Substantive or Material Changes: If we make significant modifications—such as introducing new processing purposes, expanding the categories of personal data collected, or changing how user rights are exercised—we will notify you in advance via one or more of the following methods:
    • A banner or pop-up notification on the homepage
    • An email sent to the address associated with your account (if applicable)
    • A prominent notice on your account dashboard

These notifications will include a summary of the changes, the rationale, and the effective date.

  • Minor or Editorial Revisions: Non-material updates, such as grammatical clarifications or formatting improvements, may be made without prior notification but will be timestamped in the revision log.

14.2 Effective Date

The effective date of the current version of this Privacy Policy is listed at the top of the document. By continuing to use our website or services after the effective date, you acknowledge that you have read and understood the updated policy.

We encourage you to review this Privacy Policy periodically to stay informed of how we protect your personal data.

15. Complaint Handling

We take your data protection rights seriously. If you have questions about this Privacy Policy, your personal data, or wish to exercise any of your rights as outlined in Section 10, please use the contact methods above.

15.1 Complaint to a Supervisory Authority

If you believe that your personal data has been processed in violation of the GDPR or your rights have not been respected, you have the right to lodge a complaint with a data protection supervisory authority in your country of residence, place of work, or location of the alleged infringement.

For a list of all EU supervisory authorities, please visit:
https://edpb.europa.eu/about-edpb/board/members_en