Data Protection and the GDPR

Last updated on 14.07.2026

Organisations that manage contact details have a responsibility: the GDPR grants data subjects clear rights and imposes clear obligations on organisations. Komma is designed to enable you to fulfil these obligations in a practical way.

What Komma offers

  • Data separation: Thanks to the multi-tenant architecture, each organisation’s data is strictly isolated.
  • Access control: Permissions ensure that only authorised individuals can view data.
  • Logging: The audit log documents changes and exports – including the automatic redaction of sensitive fields.
  • Secure login: Passwordless logins eliminate the risk of stolen passwords.
  • Unsubscribe handling: Newsletter unsubscriptions are automatically and permanently honoured.

Implementing data subjects’ rights

If a person exercises their rights, Komma supports you:

  • Right of access (Art. 15 GDPR): All data stored about a person can be viewed and exported in a consolidated form within the contact profile.
  • Rectification (Art. 16): Data can be corrected in the profile at any time.
  • Erasure (Art. 17): Contacts can be completely deleted. Please note statutory retention obligations (e.g. for donation data).

Your responsibility as an organisation

Komma is the tool – the responsibility for lawful data processing lies with your organisation:

  • Only collect data that you really need.
  • Obtain consent for newsletters and keep a record of it.
  • Keep your privacy policy up to date.
  • Establish internal policies governing who has access to which data.

This article does not replace legal advice on specific legal issues – if in doubt, consult your organisation’s data protection officer.