GDPR Compliance Statement

eForm Seva's commitment to data protection in accordance with the General Data Protection Regulation (GDPR)

Last Updated: July 14, 2025

1. Introduction

One Shop Seva ("we", "us", or "our"), operating as eForm Seva, is committed to complying with the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) for our users in the European Union and European Economic Area.

While we are an India-based company, we recognize the global nature of data protection and have implemented comprehensive measures to ensure GDPR compliance for our EU/EEA users.

Important: This GDPR Compliance Statement supplements our Privacy Policy and Terms of Service. In case of conflict between this statement and Indian legal requirements, Indian law shall prevail for services provided within India.

2. GDPR Applicability and Scope

This GDPR compliance framework applies when we process personal data of:

  • Individuals located in the European Union (EU)
  • Individuals in the European Economic Area (EEA)
  • EU/EEA citizens regardless of their location

Jurisdictional Notice: For services provided to Indian residents and government form processing, Indian data protection laws including the Digital Personal Data Protection Act, 2023 take precedence over GDPR requirements.

3. Core GDPR Principles Implementation

We adhere to the core principles of GDPR in our data processing activities:

Lawfulness, Fairness & Transparency

Clear processing purposes, legal basis disclosure, and transparent data practices

Purpose Limitation

Data collected only for specified, explicit, and legitimate purposes

Data Minimization

Collection limited to what is necessary for intended purposes

Accuracy

Reasonable measures to ensure data accuracy and currency

Storage Limitation

Data retention only for necessary periods with defined timelines

Integrity & Confidentiality

Appropriate security measures against unauthorized processing

Accountability

Documentation and demonstration of compliance measures

4. Data Subject Rights Under GDPR

EU/EEA data subjects have the following rights regarding their personal data:

Right to Access

Obtain confirmation of processing and access to personal data

Response Time: 30 days from request verification

Right to Rectification

Request correction of inaccurate or incomplete personal data

Scope: Applies to all data except legally mandated information

Right to Erasure

Request deletion of personal data under specific conditions

Limitations: Subject to legal retention requirements

Right to Restriction

Limit processing of personal data in certain circumstances

Conditions: Accuracy contested, unlawful processing, or pending verification

Right to Data Portability

Receive personal data in structured, machine-readable format

Applicability: Automated processing based on consent or contract

Right to Object

Object to processing based on legitimate interests or direct marketing

Immediate Effect: Direct marketing objections processed immediately

Rights Related to Automated Decision-Making

Right to human intervention and explanation of automated decisions

Application: Profiling that produces legal effects

Right to Withdraw Consent

Withdraw previously given consent at any time

Effect: Does not affect lawfulness of pre-withdrawal processing

Rights Exercise Procedure: To exercise your GDPR rights, contact our Data Protection Officer. We may require identity verification and reserve the right to refuse manifestly unfounded or excessive requests.

5. Lawful Basis for Processing

We process personal data under the following GDPR Article 6 lawful bases:

5.1 Contractual Necessity (Article 6(1)(b))

Processing necessary for performance of our service agreement:

  • User account creation and management
  • Form processing and submission services
  • Payment processing and subscription management
  • Customer support and service communications

5.2 Legal Obligation (Article 6(1)(c))

Processing necessary for compliance with legal requirements:

  • Tax and financial record keeping (7 years)
  • KYC verification as per Indian regulations
  • Government form submission mandates
  • Legal dispute resolution requirements

5.3 Legitimate Interests (Article 6(1)(f))

Processing necessary for our legitimate business interests:

  • Service security and fraud prevention
  • Service improvement and analytics
  • Network and information security
  • Direct marketing (with opt-out rights)

5.4 Consent (Article 6(1)(a))

Processing based on explicit, informed consent:

  • Non-essential cookies and tracking technologies
  • Marketing communications and newsletters
  • Participation in surveys and research
  • Special category data processing (where applicable)

6. International Data Transfers

Because we are an India-based service provider, personal data of EU/EEA users is transferred outside the European Economic Area. We ensure compliance through:

6.1 Transfer Mechanisms

  • Adequacy Decision: Relying on EU-India adequacy discussions where applicable
  • Standard Contractual Clauses (SCCs): Implementing EU Commission-approved clauses
  • Binding Corporate Rules: For intra-organizational transfers
  • Derogations: Necessary for contract performance with data subjects

6.2 Supplementary Measures

  • Data encryption in transit and at rest
  • Strict access controls and authentication
  • Regular security assessments and audits
  • Data minimization and pseudonymization

Government Data Processing: Data transfers required for Indian government form submissions are based on legal necessity and may not be subject to standard GDPR transfer mechanisms.

7. Data Protection by Design and Default

We implement data protection principles throughout our service lifecycle:

Privacy by Design

Data protection integrated into system development from inception

Data Minimization

Default settings collect only necessary personal data

Purpose Limitation

Data collected for specific, explicit purposes only

Storage Limitation

Automatic data deletion after defined retention periods

8. Data Security Measures

We implement comprehensive technical and organizational security measures:

  • Encryption: End-to-end SSL/TLS encryption for data in transit
  • Access Controls: Role-based access and multi-factor authentication
  • Network Security: Firewalls, intrusion detection, and DDoS protection
  • Physical Security: Secure data center facilities with access controls
  • Incident Response: Documented procedures for data breach response
  • Staff Training: Regular data protection and security awareness training

9. Data Protection Officer

We have appointed a Data Protection Officer (DPO) to oversee our GDPR compliance:

DPO Responsibilities: Monitoring compliance, providing advice, cooperating with supervisory authorities, and serving as contact point for data subjects.

Data Protection Officer Contact: see Section 15 (Contact Information) below.

10. Data Breach Notification

In the event of a personal data breach affecting EU/EEA data subjects:

  • Supervisory Authority Notification: Within 72 hours of awareness
  • Data Subject Notification: Without undue delay when the breach presents a high risk to data subjects' rights
  • Documentation: Comprehensive breach records maintained
  • Remediation: Immediate measures to contain and address breaches

11. Records of Processing Activities

We maintain comprehensive records as required by GDPR Article 30:

  • Purposes of processing and data categories
  • Data recipient categories and international transfers
  • Data retention periods and deletion procedures
  • Technical and organizational security measures

12. Data Protection Impact Assessments

We conduct Data Protection Impact Assessments (DPIAs) for high-risk processing activities:

  • Systematic description of processing operations
  • Assessment of necessity and proportionality
  • Risk assessment to rights and freedoms
  • Risk mitigation measures and safeguards

13. Cooperation with Supervisory Authorities

We cooperate fully with EU supervisory authorities including:

  • Providing access to processing records and documentation
  • Participating in investigations and compliance checks
  • Implementing authority recommendations and decisions
  • Designating an EU representative where required by Article 27

14. Changes to This Compliance Statement

We may update this GDPR Compliance Statement to reflect:

  • Changes in GDPR interpretation or enforcement
  • Updates to our data processing activities
  • Legal and regulatory developments
  • User feedback and best practices

Notification: Material changes will be communicated through service notifications or direct communication. Continued use after changes constitutes acceptance of the updated statement.

15. Contact Information

For GDPR-related inquiries, rights requests, or complaints:

Data Protection Officer

Email: dpo@eformseva.in

Phone: +91 7790956989

Address: One Shop Seva, Jaipur, Rajasthan, India

EU Representative (if required): To be designated based on processing volume thresholds

Complaint Rights: You have the right to lodge a complaint with your national supervisory authority if you believe our processing violates GDPR.