EU / EEA GDPR — Regulation (EU) 2016/679

Privacy Notice

Effective date: 1 June 2025 · Last reviewed: June 2025 · Applies to: EU and EEA residents

This Privacy Notice is addressed to individuals residing in the European Union and European Economic Area and is provided in accordance with Article 13 and 14 of the General Data Protection Regulation (GDPR). It describes how EMPIRIA Advisory processes your personal data when you visit this website or contact us.

Not in the EU/EEA? View our Singapore / General Privacy Notice →

1. Data Controller

The data controller responsible for your personal data is:

EMPIRIA Advisory

Operating jurisdictions: Singapore · Dublin · Beijing

Contact: advisor@empiriadvisory.com

As we do not maintain a physical establishment within the EU/EEA, we rely on Article 3(2) GDPR (territorial scope based on offering services to EU residents and/or monitoring behaviour within the EU). We are assessing our obligation to appoint an EU representative under Article 27 GDPR and will update this notice accordingly.

2. Personal Data We Process

We process only the following limited categories of personal data:

Category Data Elements Purpose Legal Basis (GDPR Art. 6) Retention
Technical / Log Data IP address, browser type, referring URL, page visited, timestamp Website security, server-side error detection Art. 6(1)(f) — Legitimate interests (security) 30 days rolling, then deleted
Enquiry / Contact Data Name (if provided), email address, message content Responding to consultation requests or general enquiries Art. 6(1)(b) — Pre-contractual steps; or Art. 6(1)(a) — Consent 3 years from last contact, unless shorter retention requested

We do not use advertising trackers, behavioural profiling tools, cross-site tracking cookies, or third-party analytics platforms (e.g. Google Analytics, Meta Pixel). No special categories of personal data (Article 9 GDPR) are collected.

3. Cookies and Similar Technologies

This website uses no cookies except those strictly necessary for website security and functionality (session security tokens, if applicable). Strictly necessary cookies are exempt from consent requirements under Recital 25 and Article 5(3) of the ePrivacy Directive 2002/58/EC.

No consent banner is presented because no non-essential cookies are deployed. If this changes, we will implement a GDPR-compliant consent mechanism before deploying any non-essential cookies.

4. Legal Basis for Processing

Our processing of personal data is grounded in the following bases under Article 6 GDPR:

  • Article 6(1)(f) — Legitimate interests: Processing of server log data for security purposes. Our legitimate interest is the integrity and security of our website infrastructure. We have assessed that this interest is not overridden by your fundamental rights and freedoms, given the minimal nature of the data processed and the security purpose served.
  • Article 6(1)(b) — Pre-contractual steps: Processing of contact data where you initiate an enquiry with a view to engaging our services.
  • Article 6(1)(a) — Consent: Where you contact us in a purely informational capacity without any service intent, we rely on the implied consent given by your voluntary submission of contact data.

5. International Transfers

EMPIRIA Advisory operates from Singapore and may process enquiry data on infrastructure hosted outside the EU/EEA. Where such transfers occur, we ensure an adequate level of protection through one or more of the following mechanisms:

  • Adequacy decisions adopted by the European Commission under Article 45 GDPR (where the recipient country benefits from such a decision);
  • Standard Contractual Clauses (SCCs) adopted by the European Commission under Article 46(2)(c) GDPR, as updated by Commission Decision 2021/914/EU;
  • Supplementary technical and organisational measures where required following a Transfer Impact Assessment (TIA).

You may request a copy of the transfer safeguards applicable to your personal data by contacting us at advisor@empiriadvisory.com.

6. Your Rights Under GDPR

As a data subject in the EU/EEA, you have the following rights under Articles 15–22 GDPR:

Right of Access (Art. 15)

Obtain confirmation of whether we process your personal data and receive a copy of it, along with supplementary information about the processing.

Right to Rectification (Art. 16)

Require correction of inaccurate personal data or completion of incomplete data without undue delay.

Right to Erasure (Art. 17)

Request deletion of your personal data where the processing is no longer necessary, consent is withdrawn, or you object and no overriding legitimate grounds exist.

Right to Restriction (Art. 18)

Request that we restrict processing of your data in specified circumstances, such as while accuracy is contested.

Right to Data Portability (Art. 20)

Receive your personal data in a structured, commonly used, machine-readable format where processing is based on consent or contract and carried out by automated means.

Right to Object (Art. 21)

Object at any time to processing based on legitimate interests (Art. 6(1)(f)). We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.

Rights re Automated Decision-Making (Art. 22)

Not be subject to solely automated decisions, including profiling, that produce legal or similarly significant effects. We do not engage in such processing.

Right to Withdraw Consent (Art. 7(3))

Withdraw consent at any time where processing is consent-based, without affecting the lawfulness of processing before withdrawal.

How to exercise your rights:

Submit a request to advisor@empiriadvisory.com. We will respond within one calendar month of receipt (Article 12(3) GDPR). We do not charge a fee for requests unless they are manifestly unfounded or excessive.

7. Right to Lodge a Complaint

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority under Article 77 GDPR — in particular, the supervisory authority of the EU Member State of your habitual residence, place of work, or the place of the alleged infringement.

For reference, the lead supervisory authority in Ireland (where our EU regulatory advisory hub is based) is:

Data Protection Commission (DPC)

21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland

Website: www.dataprotection.ie

Phone: +353 (0)761 104 800

You may also contact the supervisory authority of your own EU Member State. A full list of EU supervisory authorities is maintained by the European Data Protection Board (EDPB) at www.edpb.europa.eu.

8. Security Measures

We implement appropriate technical and organisational measures in accordance with Article 32 GDPR to ensure a level of security appropriate to the risk, including:

  • HTTPS/TLS encryption for all data in transit;
  • Access controls restricting personal data to authorised personnel only;
  • Minimal data collection to reduce the attack surface;
  • No third-party advertising or analytics scripts that could introduce data security risks.

9. Children's Data

This website and our services are directed exclusively at professionals and business entities. We do not knowingly collect personal data from individuals under 16 years of age (or the applicable age of digital consent in your Member State under Article 8 GDPR). If we become aware that a child's data has been collected, we will delete it promptly.

10. Updates to This Notice

We may update this Privacy Notice from time to time to reflect changes in our processing activities, applicable law, or regulatory guidance. Material changes will be indicated by an updated effective date at the top of this page. We encourage you to review this notice periodically.

This notice was last reviewed in June 2025 following the EU Council's procedural reforms for cross-border GDPR enforcement (November 2025 framework, applicable to our advisory services analysis).

11. Contact Us

EMPIRIA Advisory — Data Privacy

Email: advisor@empiriadvisory.com

Subject line: GDPR Privacy Request — [Your Name]

Response time: within one calendar month (Art. 12(3) GDPR).
Extension possible for complex requests: up to two additional months with notification.