Xoxoday fulfills all GDPR data subject rights—including access, deletion, rectification, restriction, portability, and objection to processing—through a structured, DPO-overseen process that responds within GDPR-mandated timelines.

How Xoxoday Processes GDPR Data Subject Requests

When an individual wants to exercise their rights under GDPR, Xoxoday provides a clear and accessible pathway to do so. Requests can be submitted through Xoxoday’s dedicated GDPR portal or sent directly to the Data Protection Officer (DPO). This dual-channel approach ensures EU citizens always have a reliable point of contact, regardless of how they prefer to reach out.

Before any data is accessed or actioned, Xoxoday conducts identity verification to protect against unauthorized disclosures. This step is essential—processing a request without confirming the requester’s identity could itself constitute a data breach under GDPR. Once identity is confirmed, the request enters active processing under a defined internal workflow.

Xoxoday responds within the timelines mandated by GDPR—typically within 30 calendar days, with provisions for complexity-based extensions where permitted by regulation. Depending on the nature of the request, Xoxoday’s compliance teams either produce a detailed access report containing the individual’s personal data, carry out deletion of that data across relevant systems, or action other recognized rights such as rectification, restriction of processing, data portability, or objection to processing.

For organizations that use Xoxoday alongside HR platforms such as SAP SuccessFactors, Workday, or Darwinbox, employee reward and recognition data moves between connected systems. When an employee submits a GDPR access request in this context, Xoxoday’s process accounts for all personal data held within its own environment—including reward transactions, redemption histories, and communication preferences—ensuring no data is overlooked in the response.

Every request and its resolution is documented in Xoxoday’s compliance logs. This documentation trail supports auditability and demonstrates clear accountability to data protection authorities. Xoxoday’s DPO oversees the entire lifecycle of each request—from initial submission and identity verification through to final response—ensuring the process remains consistent and in full alignment with GDPR obligations.

Xoxoday holds ISO 27001 certification and SOC 2 Type II attestation, both of which reinforce the information security controls that underpin its GDPR compliance program. These certifications validate that personal data is handled responsibly at every stage of processing, giving enterprise customers a reliable basis for their own regulatory obligations.

Learn more: Xoxoday Help Centre — General Data Protection Regulation (GDPR)

GDPR Data Processing Agreement

Understand how Xoxoday establishes lawful grounds for processing personal data through formal Data Processing Agreements with customers and sub-processors.

ISO 27001 & SOC 2 Type II Certifications

Learn how Xoxoday’s ISO 27001 and SOC 2 Type II certifications validate its information security controls and support enterprise compliance requirements.