GDPR
Your rights under EU data protection law.
Michael Morakis is established in Greece (EU/EEA). I am the data controller for michaelmorakis.com and my client engagements. Below are the specific GDPR rights you have, and exactly how to exercise each.
Who is the data controller
Michael Morakis · Athens, Greece · email hello@michaelmorakis.com. For this scale of operation (single-person business, fewer than 250 employees, no large-scale special-category data processing), no separate Data Protection Officer is appointed. I act as the contact for all data protection matters.
What lawful basis I rely on
- Consent (Art. 6(1)(a)) — for anonymous analytics. You can withdraw at any time without affecting prior lawful processing.
- Contract (Art. 6(1)(b)) — for processing necessary to deliver a service you have requested (audits, project work).
- Legal obligation (Art. 6(1)(c)) — for retaining invoicing and tax records as required by Greek law (5 years).
- Legitimate interest (Art. 6(1)(f)) — for security logs and project documentation that cannot easily be obtained another way.
Your rights
1. Right to be informed
You have the right to know what data I hold about you, why, and how it is used. The Data Retention Policy documents every category of data I hold.
2. Right of access (Article 15)
You can request a copy of all personal data I hold about you. I respond with the data, in a portable format (JSON or PDF), within 30 days at no cost.
3. Right to rectification (Article 16)
If any data I hold about you is inaccurate or incomplete, you can ask me to correct it. Same response window: 30 days.
4. Right to erasure / "right to be forgotten" (Article 17)
You can ask me to delete your personal data. I do so within 30 days, except where retention is required by Greek law (e.g. invoices for tax purposes). Where I cannot delete data because of a legal obligation, I tell you why.
5. Right to restrict processing (Article 18)
You can ask me to suspend processing of your data while we resolve a dispute, or while I verify the accuracy of data you've challenged.
6. Right to data portability (Article 20)
You can ask for your data in a portable, machine-readable format (JSON, CSV). I provide it within 30 days at no cost.
7. Right to object (Article 21)
You can object to processing based on legitimate interest. If your objection has merit, I stop the processing (subject to compelling grounds I can demonstrate).
8. Rights related to automated decision-making (Article 22)
Not applicable — I do not use automated decision-making or profiling on this site.
How to exercise your rights
Email hello@michaelmorakis.com with subject line "GDPR request" and the specific right you want to exercise. I confirm receipt within 7 days and resolve within 30 days as required. No charge for any single request.
Right to lodge a complaint
If you believe I am not handling your data properly, you can lodge a complaint with the Greek Data Protection Authority:
Hellenic Data Protection Authority (HDPA · Αρχή Προστασίας Δεδομένων Προσωπικού Χαρακτήρα)
1-3 Kifissias Avenue, 115 23 Athens
www.dpa.gr/en
If you are based in another EU country, you can complain to your local supervisory authority instead. I cooperate with all EU DPAs.
Cross-border transfers
Most of my infrastructure (Cloudflare, GitHub) involves data crossing borders outside the EU/EEA. Each provider operates under either an adequacy decision or Standard Contractual Clauses (SCCs) per Article 46. See the Security Policy for the full vendor list.
Last updated 2026-05-01.