GDPR Compliance Statement
NewsWave — Sadashiv Gour, sole trader (Swedish enskild firma)
Effective Date: 21 March 2026
Document Reference: NW-DPO-001
Version: 1.0
Classification: Public
1. Statement of Commitment
NewsWave — a sole trader business (Swedish enskild firma) operated by Sadashiv Gour ("NewsWave") — is fully committed to complying with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation, "GDPR") and all applicable national implementing legislation, including the Swedish Data Protection Act (Dataskyddslag 2018:218).
This statement sets out our commitment to the foundational principles of the GDPR and describes the organizational and technical measures we have implemented to ensure lawful, fair, and transparent processing of personal data.
Our DPO and legal counsel review this statement annually and following any material change to our processing activities.
2. Commitment to the GDPR Principles (Article 5 GDPR)
2.1 Lawfulness, Fairness, and Transparency
NewsWave processes personal data only on the basis of a valid legal ground as specified in Article 6 GDPR (and Article 9 for special category data). We are transparent with users about how and why their data is processed through our Privacy Policy, in-app disclosures, and consent flows. We do not use deceptive or misleading practices in our data collection.
Implementation measures:
- Layered privacy notices provided at point of data collection;
- Consent obtained via clear, affirmative action (not pre-ticked boxes or dark patterns);
- Full Privacy Policy publicly available in plain language;
- Dashboard allowing users to review all consents and data processing activities.
2.2 Purpose Limitation
Personal data is collected for specified, explicit, and legitimate purposes and is not further processed in a manner incompatible with those purposes (Article 5(1)(b) GDPR). We do not repurpose personal data for secondary uses without providing notice and, where required, obtaining fresh consent.
Implementation measures:
- Each processing activity is documented in our Record of Processing Activities (RoPA) with a clearly stated, specific purpose;
- Technical controls prevent use of personal data outside defined processing pipelines;
- Any new use cases undergo a purpose compatibility assessment prior to implementation.
2.3 Data Minimisation
We collect only personal data that is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed (Article 5(1)(c) GDPR).
Implementation measures:
- Privacy-by-design reviews conducted for all new features involving personal data;
- Regular audits of data fields to identify and remove unnecessary data collection;
- Demographic data collected in broad categories (e.g., age ranges) rather than precise values;
- Analytics tools configured to avoid collection of personally identifiable information where aggregated data suffices.
2.4 Accuracy
We take reasonable steps to ensure that personal data we hold is accurate and, where necessary, kept up to date (Article 5(1)(d) GDPR).
Implementation measures:
- Users can update their account information at any time via in-app settings;
- Automated data quality checks where applicable;
- Prompt correction of inaccurate data upon user request;
- Behavioral data refreshed on a rolling basis; outdated preference data removed after 12 months of inactivity.
2.5 Storage Limitation
Personal data is kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which it is processed (Article 5(1)(e) GDPR).
Implementation measures:
- A documented data retention schedule is maintained and reviewed annually (see Privacy Policy, Section 8);
- Automated deletion routines implemented for data categories with defined retention periods;
- Anonymization applied to analytics data after the applicable retention period, preventing re-identification;
- Periodic data lifecycle audits conducted by our DPO.
2.6 Integrity and Confidentiality
Personal data is processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing, accidental loss, destruction, or damage, using appropriate technical and organizational measures (Article 5(1)(f) GDPR).
Implementation measures:
- AES-256 encryption at rest; TLS 1.2+ in transit;
- Strict access controls and role-based permissions;
- Staff trained on data security and confidentiality obligations;
- Regular security audits and penetration testing by qualified third parties;
- Incident response procedures tested annually.
2.7 Accountability
As Data Controller, NewsWave takes responsibility for, and is able to demonstrate compliance with, all GDPR principles (Article 5(2) GDPR).
Implementation measures:
- Maintenance of a Record of Processing Activities (Article 30);
- Voluntary designation of a Data Protection Officer contact point under Article 37(4) (a sole trader is not obliged to appoint one under Article 37(1));
- Documented policies and procedures for all major processing activities;
- Regular compliance reviews and internal audits;
- Data Processing Agreements (DPAs) in place with all data processors (Article 28).
3. Privacy by Design and by Default (Article 25 GDPR)
NewsWave implements privacy by design and by default as a core principle of our product development and engineering culture.
3.1 Privacy by Design
- Data protection requirements are incorporated into the product design process from inception, not added retrospectively;
- All new features, integrations, and data collection practices undergo a privacy review before development begins;
- Engineers are required to complete data protection training and follow documented secure coding standards;
- Personal data processing is architecturally isolated where possible to minimize blast radius in the event of a security incident;
- Pseudonymization and encryption are applied as default technical controls wherever feasible.
3.2 Privacy by Default
- The Service is configured to process the minimum amount of personal data necessary for the default user experience;
- Privacy-enhancing options (e.g., non-personalized mode, reduced data collection) are made accessible in user settings;
- Consent to non-essential data collection (e.g., profiling, analytics cookies) is not pre-selected and requires active user opt-in;
- Data sharing with third parties is restricted by default; any third-party integration is subject to a DPA and a privacy review before it is enabled.
4. Data Protection Impact Assessments (DPIA) (Article 35 GDPR)
A Data Protection Impact Assessment (DPIA) is carried out prior to implementing any processing that is likely to result in a high risk to the rights and freedoms of natural persons.
4.1 Mandatory DPIA Triggers
In accordance with the European Data Protection Board (EDPB) guidelines on DPIA and the guidance of the Swedish supervisory authority (IMY), we conduct a DPIA where processing involves:
- Systematic and extensive profiling based on personal data that produces significant effects on individuals;
- Processing at large scale of special category data or data relating to criminal convictions;
- Systematic monitoring of a publicly accessible area on a large scale;
- New technologies that present previously unidentified risks.
4.2 DPIAs Conducted or Required
| Processing Activity | DPIA Required? | Status |
|---|---|---|
| Content personalization profiling (Art. 22) | Yes | Completed |
| Collection of immigration/residency status | Yes | Completed |
| Behavioral analytics and reading pattern tracking | Yes | Completed |
| Cross-border data transfers to non-EEA processors | Yes | Completed |
| Push notification system | Assessed — low risk | Documented |
| Security monitoring and fraud detection | Assessed — legitimate interest | Documented |
4.3 DPIA Process
Each DPIA:
- Describes the processing and its purposes;
- Assesses the necessity and proportionality of the processing;
- Identifies and assesses the risks to the rights and freedoms of data subjects;
- Identifies measures to mitigate those risks;
- Is reviewed by the DPO;
- Is submitted to IMY for prior consultation where a residual high risk cannot be mitigated.
DPIA reports are retained internally and provided to IMY upon request.
5. Data Breach Management (Articles 33 and 34 GDPR)
5.1 Internal Detection and Response
NewsWave maintains a Personal Data Breach Response Plan that defines:
- Detection and containment procedures;
- Internal escalation pathways (to DPO and senior management within 24 hours of discovery);
- Assessment of the nature, scope, and likely consequences of the breach;
- Remediation and recovery actions.
5.2 Notification to Supervisory Authority (Article 33)
Where a personal data breach poses a risk to the rights and freedoms of natural persons, we will notify the Integritetsskyddsmyndigheten (IMY) without undue delay and, where feasible, within 72 hours of becoming aware of the breach.
The notification will include:
- Nature of the breach (categories and approximate number of records and data subjects affected);
- Name and contact details of the DPO;
- Likely consequences of the breach;
- Measures taken or proposed to address the breach.
Where full information is not available within 72 hours, we will provide an initial notification and supplement it as further information becomes available (phased notification approach).
5.3 Notification to Data Subjects (Article 34)
Where a breach is likely to result in a high risk to the rights and freedoms of affected data subjects, we will communicate the breach to those individuals without undue delay, in clear and plain language, including:
- The nature of the breach;
- The likely consequences;
- The measures taken or recommended to mitigate potential adverse effects;
- Contact information for the DPO.
Communication will be made via email and/or prominent in-app notification.
5.4 Breach Register
All personal data breaches, whether or not they require notification, are recorded in our internal Breach Register in accordance with Article 33(5) GDPR. The register includes:
- Date and time of discovery;
- Nature and category of the breach;
- Data affected;
- Actions taken;
- Notification decisions and rationale.
6. Record of Processing Activities (Article 30 GDPR)
As a Data Controller, NewsWave maintains a Record of Processing Activities (RoPA) that documents all processing activities carried out under our responsibility.
6.1 RoPA Contents
In accordance with Article 30(1) GDPR, our RoPA includes, for each processing activity:
- Name and contact details of the Data Controller and DPO;
- Purposes of the processing;
- Categories of data subjects and personal data;
- Categories of recipients of personal data;
- Transfers to third countries and the safeguards applied;
- Envisaged time limits for erasure;
- Description of technical and organizational security measures.
6.2 RoPA Maintenance and Access
- The RoPA is maintained in electronic form and reviewed at least annually, or following any material change in processing activities;
- The DPO is responsible for maintaining the RoPA;
- The RoPA is made available to IMY upon request, in accordance with Article 30(4) GDPR.
7. Data Subject Rights Management
We have implemented a Data Subject Rights Management Process to ensure timely and compliant responses to all data subject requests:
- A dedicated channel for receiving requests (dpo@thenewswave.app and in-app "Manage My Data" portal);
- Verification of identity before processing requests (to prevent unauthorized access);
- 30-day response deadline from receipt of request (extendable to 90 days for complex requests, with notice);
- No charge for exercising rights under normal circumstances;
- Logging of all requests and responses for accountability.
8. Third-Party Processors and Vendor Management
All third-party processors are subject to:
- A formal Data Processing Agreement (DPA) under Article 28 GDPR;
- Due diligence review covering security certifications, privacy practices, and sub-processor policies;
- Inclusion in our processor register;
- Contractual obligations to assist us in meeting our GDPR obligations.
Sub-processors are only engaged with our documented authorization. Users may request a list of current sub-processors from the DPO.
9. Staff Training and Awareness
All staff with access to personal data receive:
- Mandatory data protection training upon joining and annually thereafter;
- Role-specific training for staff in engineering, customer support, and marketing;
- Clear guidance on recognizing and reporting data breaches;
- Binding confidentiality obligations as part of their employment or contractor agreements.
10. Ongoing Review and Governance
NewsWave treats GDPR compliance as an ongoing obligation, not a one-time exercise:
- The DPO conducts quarterly internal compliance reviews;
- Privacy policies and processing activities are reviewed annually or following relevant legal or operational changes;
- We monitor guidance from the EDPB, IMY, and relevant national supervisory authorities for updates to interpretation and enforcement;
- We engage qualified external legal counsel periodically to conduct independent compliance assessments.
11. Contact and Accountability
For questions, concerns, or to exercise your data subject rights:
Data Protection Officer
NewsWave — Sadashiv Gour (sole trader)
Email: dpo@thenewswave.app
Supervisory Authority: Integritetsskyddsmyndigheten (IMY), www.imy.se
This GDPR Compliance Statement is a public-facing summary of NewsWave's data protection governance framework. It is reviewed annually and updated as required to reflect changes in law, regulatory guidance, and our processing activities.