EU data protection commitments under GDPR.
Supplements the DPA with GDPR-specific commitments. Lawful basis matrix, data subject rights mapping, Standard Contractual Clauses, supervisory authority and DPIA approach. Applies automatically when GDPR is engaged.
GDPR Addendum key facts
Scope of this Addendum
This Addendum applies whenever Crawlux processes personal data subject to GDPR or UK GDPR. Where this Addendum and the base Privacy Policy or DPA conflict on GDPR matters, this Addendum prevails for the GDPR-regulated processing.
Why this Addendum exists
The DPA covers processor obligations generally. This Addendum spells out GDPR-specific commitments that supplement those obligations: lawful basis matrix, the seven data subject rights, SCCs incorporated by reference, supervisory authority and DPIA process.
Lawful basis matrix
Lawful basis for each Crawlux-side processing activity. Customer-side processing (the audited domain content) is the customer's responsibility as controller. The matrix below covers what Crawlux processes on its own initiative.
| Processing activity | Lawful basis | Type |
|---|---|---|
| Service delivery (audit execution) | Contract Art. 6(1)(b) | Mandatory |
| Account management and billing | Contract Art. 6(1)(b) | Mandatory |
| Methodology improvement (aggregated data) | Legitimate interest Art. 6(1)(f) | Mandatory |
| Security and fraud prevention | Legitimate interest Art. 6(1)(f) | Mandatory |
| Legal obligation (tax, accounting) | Legal obligation Art. 6(1)(c) | Mandatory |
| Service status notifications | Legitimate interest Art. 6(1)(f) | Mandatory |
| Marketing emails (newsletter, product) | Consent Art. 6(1)(a) | Optional |
| Analytics cookies | Consent Art. 6(1)(a) | Optional |
Customer-side lawful basis
When the customer submits audited content containing personal data, the customer determines and documents the lawful basis for that processing. Common bases in an SEO audit context are legitimate interest in measuring website performance and consent for tracking-related elements.
Data subject rights matrix
The seven GDPR data subject rights and how they map to Crawlux processing. Account holders exercise these rights via [email protected]. Data subjects of customer content go through the customer (controller) directly.
| Right | Article | Crawlux response |
|---|---|---|
| Right of access | Art. 15 | Account data exported via dashboard or API. 30-day response for complex requests. |
| Right to rectification | Art. 16 | Account profile editable directly. Other data corrected on request within 30 days. |
| Right to erasure | Art. 17 | Account deletion via dashboard. Data deleted from production within 14 days, backups within 90 days. |
| Right to restrict processing | Art. 18 | Processing pause requested via [email protected]. Implemented within 5 business days. |
| Right to data portability | Art. 20 | Account and audit data exported in JSON via API. PDF reports also available. Self-service. |
| Right to object | Art. 21 | Marketing objection via one-click unsubscribe. Other processing objections via [email protected]. |
| Right against automated decisions | Art. 22 | Crawlux audits do not produce decisions with legal effect. Output is informational. Not in scope. |
International transfers
Personal data may flow to subprocessors outside the EEA and UK. The Standard Contractual Clauses adopted by EU Commission Decision 2021/914 govern these transfers. The UK Addendum applies for transfers from the UK.
Adequate destinations
Some subprocessor destinations have adequacy decisions in place under GDPR Chapter V. For these, SCCs are not strictly required but are still applied as belt-and-suspenders contractual protection. Current adequacy applies to: UK (under EU adequacy decision), Switzerland, Israel and Japan among others.
DPIAs and records of processing
GDPR requires data protection impact assessments for high-risk processing and records of processing activities for organizations meeting Article 30 thresholds. Crawlux maintains both.
Customers can request a summary of the standard processing DPIA for inclusion in their own DPIA workflow. The summary is provided under NDA via [email protected]. Full DPIA documentation is internal due to security-sensitive content.
Supervisory authority, DPO and EU representative
Identifying the regulators, the DPO contact and whether an Article 27 EU representative is required.
Supervisory authority contacts
UK ICO (lead): ico.org.uk · 0303 123 1113
Irish DPC: dataprotection.ie · for Ireland-based data subjects
Local EEA authorities: See edpb.europa.eu for the full list
Crawlux privacy: [email protected]
ePrivacy and electronic communications
The ePrivacy Directive and the UK Privacy and Electronic Communications Regulations apply alongside GDPR for cookies and direct marketing communications. Crawlux compliance is documented in dedicated policies.
Common GDPR questions
Six questions covering Addendum scope, lawful basis, exercising rights, EU representation, supervisory authority and DPIAs.
When does GDPR apply to my Crawlux usage?
GDPR applies whenever Crawlux processes personal data of individuals located in the EEA or UK. This is the case for nearly every Crawlux customer because audited domains often contain references to EEA residents (authors, contacts, team members). The Addendum applies automatically; no separate opt-in is needed.
What is Crawlux's lawful basis for processing?
Crawlux as the processor relies on the customer's lawful basis. The customer (controller) determines and documents the lawful basis. For Crawlux's own processing of customer account data, the lawful basis is contract performance for service delivery and legitimate interest for service improvement. Marketing requires consent.
How do I exercise my data subject rights?
If you are a data subject of customer data, contact the customer (controller) directly. If you are a Crawlux account holder requesting your own data, email [email protected]. We will respond within 30 days per GDPR Article 12. Available rights include access, rectification, erasure, restriction, portability and objection.
Do you have an EU representative?
Crawlux operates from London, an EEA-equivalent jurisdiction under the UK GDPR with adequacy in place. The London office handles EEA-related matters, which means an Article 27 EU representative is not currently required. If this changes, an EU representative will be appointed and disclosed in this addendum.
Who is your supervisory authority?
The lead supervisory authority for Crawlux is the UK Information Commissioner's Office (ICO) given the London primary office. EEA-based data subjects can also contact their local supervisory authority for matters concerning their personal data. Contact details for both are in section 6 of this addendum.
Do you conduct DPIAs?
Yes, where Article 35 thresholds are met. The standard Crawlux audit processing has been assessed as not high-risk under DPIA criteria. New features that introduce automated decision-making or large-scale special category processing trigger fresh DPIAs. Customers can request the DPIA summary for their own DPIA workflow under NDA.
GDPR contact
Data subject requests, GDPR-specific questions, lawful basis clarifications and any other GDPR matters go to the privacy team.
GDPR privacy contact
Email: [email protected]
Subject line: "GDPR" plus topic
Response window: 30 days per Article 12
Lead supervisory authority: UK ICO (ico.org.uk)
For DPA contractual matters, see the Data Processing Agreement. For privacy-specific questions, see the privacy policy. For security questions, see the security policy.
Read the full DPA next
The DPA covers the broader processor obligations: subprocessors, security measures, breach notification, audit rights and termination procedures.
GDPR Addendum v1.0 · Effective April 13, 2026 · Lead: UK ICO · 30-day DSAR response