Our Role: Controller vs Processor
Under GDPR, BlueWave IT operates in two distinct roles depending on the context:
| Context | Our role | What this means |
|---|---|---|
| Managing our own website & marketing | Data Controller | We decide the purposes and means of processing. Our Privacy Policy applies. |
| Delivering managed IT services to clients | Data Processor | We process data strictly on your documented instructions. You remain the Controller. A DPA governs this relationship. |
| Managing our own staff and HR | Data Controller | We control employee data in compliance with Portuguese labour law and GDPR. |
| Engaging sub-processors for client services | Data Processor (engaging sub-processors) | Where we engage another processor on a client's behalf, we flow down the same data protection obligations that apply to us under our client DPA, as Art. 28(4) GDPR requires. |
When acting as a data processor, BlueWave IT never uses client data for any purpose other than delivering the contracted services. We do not sell, mine, or monetise data we process on behalf of clients under any circumstances.
The Seven GDPR Principles
Article 5 GDPR establishes seven core principles that govern all personal data processing. BlueWave IT embeds these into every service and internal process:
Lawfulness, Fairness & Transparency
Art. 5(1)(a): We identify a valid legal basis for every processing activity and disclose our practices clearly in this page and our Privacy Policy.
Purpose Limitation
Art. 5(1)(b): Data is collected for specified, explicit purposes and is never processed in a manner incompatible with those purposes.
Data Minimisation
Art. 5(1)(c): We collect only the data that is adequate, relevant, and limited to what is necessary for each processing purpose.
Accuracy
Art. 5(1)(d): We take reasonable steps to ensure personal data is accurate and kept up to date, and we act promptly on correction requests.
Storage Limitation
Art. 5(1)(e): Data is kept for no longer than necessary. Our documented retention schedule defines specific periods for each data category.
Integrity & Confidentiality
Art. 5(1)(f): We implement technical and organisational security measures appropriate to the risk, including encryption, access controls, and regular security reviews.
Accountability
Art. 5(2): We are responsible for, and able to demonstrate, compliance with the six principles above. This includes maintaining processing records (Art. 30), conducting DPIAs where required (Art. 35), and implementing privacy by design and by default (Art. 25).
Data Processing Agreements
Article 28 GDPR requires that any organisation engaging a data processor does so under a written contract — a Data Processing Agreement (DPA). BlueWave IT provides a GDPR-compliant DPA to all managed service clients.
All BlueWave IT managed service contracts include a DPA as a standard schedule. No client data is processed without a valid DPA in place. If you are an existing client and require a copy of your DPA, contact privacy@bluewaveit.pt.
Our DPA satisfies all Article 28(3) GDPR requirements and specifies:
Subject matter, duration & nature
The specific IT services covered, contract duration, and the nature of processing activities (access, storage, transmission).
Processing on documented instructions only
BlueWave IT processes client data exclusively on written instructions from the client controller. We notify the client if we believe any instruction infringes GDPR (Art. 28(3)(h)).
Confidentiality obligations
All personnel with access to client personal data are bound by contractual or statutory duties of confidentiality.
Security measures (Art. 32)
Technical and organisational measures appropriate to the risk level of the data processed. See the Security Measures (Art. 32) section below for full details.
Sub-processor controls
Prior written authorisation (specific or general) from the client is required before engaging any new sub-processor. Under a general authorisation, clients are notified of intended additions or replacements and have the opportunity to object (Art. 28(2)).
Deletion & return at contract end
Upon termination of services, all client personal data is securely deleted or returned, at the client's choice, within 30 days. Written confirmation is provided.
How We Help Your Business Comply
As your managed IT provider, BlueWave IT actively supports your own GDPR compliance obligations. Below are the concrete ways we assist:
Technical security measures (Art. 32)
We deploy and manage encryption, MFA, endpoint protection, patch management, and network security — reducing your technical risk exposure and supporting your ability to demonstrate appropriate security.
Backup & disaster recovery (Art. 32(1)(c))
Our managed backup services ensure you can restore the availability of, and access to, personal data in a timely manner after a physical or technical incident, which is the specific requirement of Article 32(1)(c) GDPR. Ongoing resilience of processing systems is the separate requirement in Article 32(1)(b), which our redundancy and monitoring measures also support.
Access control & least privilege
We implement role-based access controls so that only authorised personnel can access personal data. Entra ID (formerly Azure AD) with enforced MFA supports your integrity and confidentiality obligations under Art. 5(1)(f) and Art. 32, and limiting access to what each role needs supports data minimisation in practice.
Security monitoring & incident detection
Our 24/7 monitoring and endpoint detection helps identify potential data breaches at the earliest possible stage, supporting your 72-hour CNPD notification obligation (Art. 33 GDPR).
Microsoft 365 compliance features
We configure and manage M365 compliance centre features including retention policies, eDiscovery, data loss prevention (DLP), and audit logs — tools that directly support your GDPR record-keeping and accountability obligations.
Data subject request facilitation (Arts. 15–22)
When you receive a data subject access request, we can assist by searching managed systems, exporting relevant data, and providing technical documentation, all within your one-month response window under Art. 12(3).
DPIA support (Art. 35)
For high-risk processing activities, we can provide technical input and documentation to support your Data Protection Impact Assessment — including system architecture details, security measures, and sub-processor information.
Audit & records support (Art. 30)
We maintain records of all processing activities conducted on your behalf and make them available for CNPD audits or your own compliance reviews on request.
Data Subject Rights
GDPR grants individuals eight fundamental rights over their personal data. As a data controller for your own clients and employees, you are responsible for facilitating these rights. BlueWave IT supports this technically. As a controller of our own data (website visitors, enquiries), we fulfil these rights directly.
Access
Art. 15: Right to obtain confirmation of processing and a copy of personal data held, plus supplementary information on how it is used.
Rectification
Art. 16: Right to have inaccurate or incomplete personal data corrected without undue delay.
Erasure
Art. 17: Right to have personal data deleted where there is no legitimate reason to continue processing it ("right to be forgotten").
Restriction
Art. 18: Right to restrict processing in certain circumstances, for example while accuracy is being contested or an objection is being considered.
Portability
Art. 20: Right to receive personal data in a structured, commonly used, machine-readable format, and to have it transmitted to another controller, where processing is based on consent or contract and is carried out by automated means.
Object
Art. 21: Right to object to processing based on legitimate interests or for direct marketing. Objection to direct marketing must always be honoured.
Automated Decisions
Art. 22: Right not to be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects.
Withdraw Consent
Art. 7(3): Right to withdraw consent at any time where processing relies on consent, without affecting the lawfulness of processing carried out before withdrawal.
Response timeframe: We respond to all data subject requests without undue delay and in any event within one month of receipt (Art. 12(3) GDPR). Where requests are complex or numerous, this period may be extended by up to two further months; we inform you of any extension, and the reasons for it, within the first month. There is no charge unless requests are manifestly unfounded or excessive (Art. 12(5)). Submit requests to privacy@bluewaveit.pt.
Security Measures (Art. 32)
Article 32 GDPR requires that controllers and processors implement technical and organisational measures appropriate to the risk of processing. BlueWave IT applies the following measures across all operations:
| Measure | Implementation | Art. 32 risk area |
|---|---|---|
| Encryption at rest | AES-256 for stored data; BitLocker for managed endpoints | Confidentiality |
| Encryption in transit | TLS 1.3 mandatory; certificate management and monitoring | Confidentiality |
| Access control | Role-based access, least-privilege model, Azure AD / Entra ID, Conditional Access policies | Integrity |
| Multi-factor authentication | MFA enforced on all administrative accounts and client M365 tenants | Integrity |
| Endpoint protection | EDR (Endpoint Detection & Response), Microsoft Defender for Business, real-time threat monitoring | Confidentiality |
| Patch management | Automated OS and application patching via RMM; critical patches applied within 24 hours | Availability |
| Network security | Managed firewall, network segmentation, IDS/IPS, VPN for remote access | Confidentiality |
| Backup & recovery | Automated encrypted backups; offsite and cloud redundancy; regular restore testing | Availability |
| Security monitoring | 24/7 system monitoring, log aggregation, anomaly detection, alerting | Resilience |
| Staff training | Mandatory annual GDPR and security awareness training for all staff with data access | Organisational |
| Vendor due diligence | Security assessment of all sub-processors before engagement; annual review | Organisational |
| Secure development | Privacy by design in all system configurations; data minimisation embedded in tooling choices | Organisational |
We conduct a formal security review at least annually and following any significant change to our infrastructure or services. Clients may request a summary of our current security measures at any time for the purpose of their own GDPR compliance documentation.
Data Breach Response
Articles 33 and 34 GDPR impose strict obligations on both controllers and processors in the event of a personal data breach. BlueWave IT maintains a documented incident response procedure aligned to these obligations.
Detect & Contain
Identify the breach through monitoring systems, isolate affected systems to prevent further exposure, and convene the incident response team. Preserve forensic evidence.
Notify Supervisory Authority
If the breach is likely to result in a risk to individuals' rights and freedoms, notify the CNPD without undue delay and, where feasible, within 72 hours of becoming aware of it (Art. 33(1)); a later notification must be accompanied by the reasons for the delay. The notification describes the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed to address it (Art. 33(3)).
Notify Data Subjects
Where the breach is likely to result in a high risk to individuals, notify affected data subjects directly — in clear, plain language — describing the breach, its likely consequences, and measures taken.
| Breach type | CNPD notification required? | Individual notification required? |
|---|---|---|
| Unlikely to result in risk | No — internal documentation only | No |
| Likely to result in risk | Yes — within 72 hours (Art. 33) | No — unless risk escalates to high |
| Likely to result in high risk | Yes — within 72 hours (Art. 33) | Yes — without undue delay (Art. 34) |
Processor obligation: As a data processor, BlueWave IT is required under Art. 33(2) GDPR and the terms of our DPA to notify client controllers of a breach without undue delay — in practice, within 24 hours of detection — to allow the controller to meet its own 72-hour CNPD notification deadline. All breach notifications are made in writing to the designated client contact.
Sub-processors
BlueWave IT engages the following categories of sub-processors when delivering managed services. All sub-processors are subject to DPAs with equivalent obligations to those in our client DPAs (Art. 28(4) GDPR). We will notify clients of any intended changes to sub-processors, providing an opportunity to object.
| Category | Purpose | Data location | Transfer basis |
|---|---|---|---|
| Microsoft (M365, Azure, Entra) | Cloud productivity, identity, email, collaboration | EU (Ireland, Netherlands) | EEA (no third-country transfer) |
| RMM platform provider | Remote monitoring & management of endpoints | EU / EEA | EEA |
| Cloud backup provider | Offsite encrypted data backup | EU data centres | EEA |
| Netlify (web forms) | Contact form submission handling | USA | EU-US DPF |
| IT security tooling (EDR, email) | Endpoint detection, email filtering | EU / EEA | EEA |
To receive a complete and current list of sub-processors, including specific vendor names, contact privacy@bluewaveit.pt. Updates to this list are communicated to clients via email at least 14 days before a new sub-processor is engaged.
International Data Transfers
Chapter V GDPR restricts transfers of personal data to countries outside the EEA unless an appropriate safeguard is in place. BlueWave IT ensures that all international transfers of client data are covered by one of the following mechanisms:
| Mechanism | Legal basis | When used |
|---|---|---|
| Adequacy decision | Art. 45 GDPR | Transfers to countries the EU Commission has deemed adequate (e.g. UK, Switzerland, Japan) |
| Standard Contractual Clauses (SCCs) | Art. 46(2)(c) GDPR — Commission Decision (EU) 2021/914 | Transfers to third countries where no adequacy decision exists; supplemented by Transfer Impact Assessments (TIAs) |
| EU-US Data Privacy Framework | Art. 45 GDPR — Commission Decision (EU) 2023/1795 | Transfers to certified US organisations (e.g. Netlify) |
Where SCCs are used, BlueWave IT conducts a Transfer Impact Assessment (TIA) to evaluate whether the legal framework of the destination country provides an essentially equivalent level of protection to that guaranteed within the EU. Where additional safeguards are needed, we implement supplementary measures such as additional encryption or data minimisation before transfer.
Your Obligations as a Client Controller
As the data controller for your business, you retain responsibility for your own GDPR compliance. BlueWave IT supports you technically and contractually, but the following obligations remain yours:
| Obligation | GDPR Article | How BlueWave IT can help |
|---|---|---|
| Maintain a Record of Processing Activities (ROPA) | Art. 30 | We provide documentation of all processing we perform on your behalf as a schedule to the DPA |
| Appoint a DPO (if required) | Art. 37 | Required for public authorities and for organisations whose core activities involve large-scale regular and systematic monitoring of individuals, or large-scale processing of special-category or criminal-conviction data. We can advise if this threshold applies to you. |
| Conduct Data Protection Impact Assessments | Art. 35 | We provide technical architecture details and security measure documentation to support your DPIA |
| Provide privacy notices to data subjects | Arts. 13–14 | We provide a list of sub-processors and transfer mechanisms for inclusion in your notices |
| Respond to data subject requests | Arts. 15–22 | We assist in searching and exporting relevant data from managed systems within your one-month window (Art. 12(3)) |
| Report breaches to CNPD within 72 hours | Art. 33 | We notify you of any breach we detect within 24 hours to preserve your notification window |
| Ensure processing has a valid legal basis | Art. 6 | Outside scope — this is a business-level legal decision. We recommend engaging a data protection lawyer or the CNPD for guidance. |
Supervisory Authority — CNPD
The competent data protection supervisory authority in Portugal is the Comissão Nacional de Proteção de Dados (CNPD). Every individual has the right to lodge a complaint with the CNPD at any time, regardless of whether they have first raised the matter with BlueWave IT (Art. 77 GDPR).
CNPD Contact Details
When to Contact CNPD
- If you believe your personal data has been processed unlawfully
- If a data subject request has not been fulfilled within one month (or within any extended period you were notified of)
- If you suspect a data breach has not been properly reported
- To report a GDPR violation by any organisation operating in Portugal
- To seek guidance on your own GDPR obligations as a controller
Contact & Data Protection Queries
For any GDPR-related queries, DPA requests, or data subject rights exercises, please contact us. We aim to acknowledge all privacy queries within 2 business days and resolve them within the statutory timeframes.
BlueWave IT — Data Protection
Email: privacy@bluewaveit.pt
Post: Av. 25 de Abril 6, 8500-511 Portimão, Algarve, Portugal
Please mark the subject line "GDPR Request" or "Data Subject Rights Request" to ensure prompt routing.
Data Protection Officer (DPO): BlueWave IT does not currently meet the threshold for mandatory DPO appointment under Art. 37 GDPR (we are not a public body, and do not carry out large-scale systematic monitoring or large-scale processing of special-category data). Data protection queries are handled by our designated privacy contact at the email address above. We keep this threshold under annual review.
Need a Data Processing Agreement?
All BlueWave IT managed service clients receive a GDPR-compliant DPA as standard. If you're not yet a client, contact us to discuss your IT and compliance needs.