GDPR-compliant, from the ground up
The General Data Protection Regulation (GDPR) is the European privacy law that governs how organisations handle personal data. It gives people rights over their own data and places a duty of result on you as a lead generator: you must not only act carefully, you must also be able to prove it. For a lead operation that is not an optional promise, it is a verifiable practice.
Lead processing is especially sensitive in this respect. A request typically contains directly identifiable data (name, phone number, email, sometimes financial or legal context), and that data travels from a publisher to a buyer, under your brand. At every node in that chain it must be clear on what legal basis the data is processed, who has access and how long it is retained. OXIAE builds those answers into the platform, so you never have to reconstruct them after the fact.
Last updated: 1 June 2026
The core principles, in practice
The GDPR's core principles are not a checklist to tick off afterwards. Below you see, per principle, exactly how the platform supports it in practice.
Every request that runs through your platform carries a recorded, valid legal basis with it. Consent is captured the moment it comes in and stays verifiably linked to the lead.
Data is processed only for the purpose the consent was given for. Routing and matching to buyers happen within the boundaries you set as operator, not beyond them.
Forms and intake only ask for what the purpose requires. Fields that do not contribute to the processing are not collected and not stored, configurable per label or request type.
Requests are checked at intake for provenance and consistency, so your buyers work with data that is correct and traceable back to a publisher.
You set retention periods per processing activity within the platform, and they are applied automatically. Data expires according to your policy instead of lingering indefinitely.
Encrypted transport, secure storage and access by role and context ensure data within your platform is only visible to those who need it.
Every processing step is logged in an audit trail. What happened to a request is visible to you at any moment and exportable as evidence, for a supervisory authority or a buyer.
Legal bases for processing
No processing is lawful without a legal basis. The GDPR recognises six; three are relevant for lead processing. Which one applies determines what you as operator may do, and what you must be able to demonstrate.
Consent
The data subject has actively and knowingly said yes to sharing their data with buyers for a specific purpose.
For lead processing
The most common legal basis for lead processing. Your platform captures consent the moment it comes in, with timestamp, text and source, so you can later demonstrate the choice was informed and revocable.
Legitimate interest
A processing activity is necessary for a legitimate purpose and the interests of the data subject do not outweigh it, after a balancing test.
For lead processing
May apply to supporting processing such as fraud prevention or quality control. For sharing a lead with a buyer, consent is almost always the cleaner ground; legitimate interest requires a documented balancing test.
Contract
The processing is necessary to perform a contract with the data subject, or to take steps at their request before entering into one.
For lead processing
Comes into play when the data subject themselves asks for contact or a quote and delivery to the buyer is a direct consequence of that request. The line with consent is fine; your platform records per lead which ground was chosen.
In practice, consent for sharing a lead with a buyer is usually the cleanest choice: it is clear, revocable and easy to document. The platform records per request which legal basis applies, so a processing activity is never detached from its justification.
Data subject rights
Behind every lead is a person with rights over their own data. Those rights only matter if you can actually exercise them: quickly, completely and provably. Because the platform links all data around one person, a request becomes a matter of minutes for you, rather than a search across separate systems.
Right of access
The data subject may request which data you process and for what purpose. Your platform bundles every record around one person (form input, consent evidence, provenance and processing steps) into an exportable overview.
Right to rectification
Inaccurate or incomplete data can be corrected. The change is applied and recorded, so it stays traceable what was changed, when and by whom.
Right to erasure
On a valid right-to-be-forgotten request, you permanently remove the data from active processing. The audit trail keeps an anonymised trace of the request itself, not of the content.
Right to restriction
A lead can be frozen while a request or dispute is pending. The data is retained but no longer routed, matched or delivered until the situation is resolved.
Right to data portability
The data subject may receive their data in a common, machine-readable format. An export delivers the supplied data as structured JSON or CSV, ready to transfer.
Right to object
Processing based on legitimate interest can be objected to. The objection is recorded and processing stops as soon as there is no longer a compelling ground.
How a request is handled via the audit trail
Every data subject request follows the same verifiable route within your platform. The audit trail records every step, so you can demonstrate to both the data subject and the supervisory authority that you acted promptly and completely.
Request registered
The request comes in through a fixed channel and is recorded with timestamp, type of right and identity of the data subject. The statutory one-month deadline starts, measurably.
Data brought together
The platform bundles every record around the person: form input, consent evidence, provenance, routing and deliveries, across all your labels and buyers.
Right exercised
Depending on the request, an access export, rectification, restriction or permanent erasure follows. The action is applied irreversibly in active processing.
Handling logged
The outcome is recorded in the audit trail and exportable as evidence. On erasure, only an anonymised trace of the request remains, not the content.
Retention periods in practice
Storage limitation sounds abstract until you make it concrete per lead status. A rejected lead should not sit around for as long as a delivered lead with a running warranty period. You link a period to each status within the platform, and data expires automatically once it is reached: no manual clean-up, no forgotten records. The periods below are illustrative; you configure them to your own policy.
Automatic expiry is an active processing operation, not a passive marker: on the expiry date the personal data is actually removed from storage. The audit trail records that a record expired, and when, without retaining the deleted content.
Data breach procedure
A data breach is an incident in which personal data is unintentionally accessed, altered, leaked or destroyed. The GDPR requires the controller to report a notifiable breach to the supervisory authority within 72 hours of discovery. Speed and clarity decide everything at that point, which is why the route is laid out in advance at OXIAE, instead of something you have to improvise.
Detection
Monitoring, access logs and the audit trail flag anomalous behaviour. A suspected incident is recorded immediately with timestamp, scope and data involved.
Assessment
The incident is assessed for nature, scale and risk to data subjects, so it is clear whether it is a notifiable breach and which people are affected.
Notification to you as controller
As the platform vendor, OXIAE notifies you without undue delay, with the information you need to make the statutory notification as data controller.
Authority notification within 72 hours
You report the breach where required within 72 hours to the supervisory authority, and inform data subjects in case of high risk. Every step stays traceable through the platform.
OXIAE supports your GDPR compliance with technology, recording and clear role allocation. It is not a substitute for legal advice on your own processing and responsibilities as a lead generator.
Frequently asked questions about GDPR
The questions that come up most often about hosting, transfers, sub-processors and demonstrating compliance.
Where is the data hosted?
All personal data is processed and stored within the European Union. Data residency in the EU means your data stays under the GDPR regime and does not, by default, end up outside the European legal space.
What happens with international transfers?
OXIAE aims to keep processing within the EU/EEA. Should a transfer to a third country be necessary, it happens only with a valid transfer mechanism, such as an adequacy decision or standard contractual clauses (SCCs), with the accompanying safeguards.
Are sub-processors used?
For components such as hosting or email delivery, sub-processors may be engaged. A data processing agreement is in place with every sub-processor, they are bound by the same obligations, and you get visibility into which parties are involved.
How do I demonstrate my compliance?
Because legal basis, consent, provenance and retention period are recorded per lead, and every processing step sits in the audit trail, you can substantiate your processing with exportable evidence, for a supervisory authority or a buyer. You reconstruct nothing after the fact; accountability is built into the platform.
What is the difference between GDPR and AVG?
No difference in substance. GDPR is the English name (General Data Protection Regulation), AVG the Dutch one (Algemene verordening gegevensbescherming). It is exactly the same European regulation.
How quickly can I handle an access or erasure request?
A request is registered, the data around the person is automatically bundled, and the requested action is carried out and logged. That keeps you comfortably within the statutory one-month deadline, even as volume grows.
See what GDPR-compliant looks like in practice
Book a demo and discover how legal bases, data subject rights, retention periods and an audit trail make every request provable in your platform.