Privacy Policy
Last updated: 29 April 2026
This privacy policy explains how Done Outsourcing Sh.p.k. (“Done Outsourcing”, “we”, “us”, “our”) collects, uses, stores, and protects personal data, and the rights data subjects have under Regulation (EU) 2016/679 (the “GDPR”), the Albanian Law No. 9887 on the Protection of Personal Data (as amended), and any other applicable data-protection legislation.
1. Controller
The controller responsible for processing personal data via this website and our business activities is:
Done Outsourcing Sh.p.k.
[INSERT STREET AND NUMBER]
[INSERT POSTAL CODE] Tirana, Albania
Email: info@donegroup.al
2. Data Protection Officer
For privacy-related enquiries, requests under Articles 15–22 GDPR, or complaints, please contact our data-protection contact at info@donegroup.alwith the subject line “Data Protection”. A formal Data Protection Officer (DPO) will be appointed if and when our processing activities meet the threshold of Article 37 GDPR.
3. Categories of personal data we process
3.1 Visitors of this website
- Contact-form data: name, work email, company, phone (optional), message content.
- Server-log data: IP address, user-agent string, referrer, timestamp, requested URL — collected automatically by our hosting provider for security and debugging.
- Strictly necessary cookies: session and security cookies set by the application framework. No advertising or analytics cookies are used.
3.2 Prospective clients and business contacts
- Identification data: name, role, employer.
- Contact data: business email, business phone, postal address.
- Commercial data: enquiry content, call-volume estimates, languages required, contract negotiation history.
3.3 Call-centre operations on behalf of clients (Done Outsourcing acts as processor)
When we operate inbound or outbound campaigns for our business clients, we process personal data of their end customers (such as name, phone number, account or order number, and the content of the call). For these activities, our client is the controller and Done Outsourcing acts as a processor under Article 28 GDPR. Each engagement is governed by a written Data Processing Agreement (DPA) that defines the categories, duration, and purpose of processing.
4. Purposes of processing and legal bases
| Purpose | Legal basis |
|---|---|
| Responding to enquiries via the contact form, email, or WhatsApp | Pre-contractual measures — Art. 6(1)(b) GDPR |
| Sending commercial offers, quotes, and contract drafts | Pre-contractual measures — Art. 6(1)(b) GDPR |
| Operating call-centre campaigns for client controllers | Processor on instruction of controller — Art. 28 GDPR |
| Recording calls for quality assurance and training | Legitimate interest — Art. 6(1)(f), with prior in-call notice and right to object |
| Sending SMS or voice notifications to opted-in recipients | Consent — Art. 6(1)(a); ePrivacy Directive Art. 13; TCPA where US recipients are involved |
| Maintaining server logs for IT security | Legitimate interest — Art. 6(1)(f) |
| Compliance with tax, accounting, and other legal obligations | Legal obligation — Art. 6(1)(c) |
5. Recipients and sub-processors
We share personal data only with carefully selected service providers that act on our behalf as processors under Article 28 GDPR. Categories of recipients include:
- Hosting and infrastructure (the cloud provider serving this website and our internal applications).
- Email and communication tools (transactional email delivery, calendar booking).
- Telephony and call-recording providers for our call-centre operations.
- CRM, ticketing, and quality-assurance tools.
- Tax advisors, auditors, and legal counsel bound by professional confidentiality.
A current list of sub-processors used for any specific client engagement is maintained in the corresponding Data Processing Agreement and made available on request.
6. International transfers
Albania is recognised by the European Commission as a country offering an adequate level of data protection (Adequacy Decision of December 2021). Where personal data is transferred outside the EU/EEA or Albania to a country without an adequacy decision, we rely on the EU Standard Contractual Clauses (Implementing Decision (EU) 2021/914) and, where appropriate, supplementary technical and organisational measures.
7. Retention periods
- Contact-form enquiries: up to 24 months from the last interaction, unless a contract is concluded.
- Commercial correspondence under a contract: for the duration of the contract plus the statutory retention period (up to 10 years for tax / accounting purposes under Albanian and EU law).
- Call recordings: retention is set per engagement (typically 30–90 days for QA, longer where required by client or law); details are documented in the DPA.
- Server logs: 30 days, unless an incident investigation extends the period.
8. Call recording notice
Calls handled by Done Outsourcing on behalf of clients may be recorded for quality-assurance, training, and compliance purposes. Callers are informed at the start of the call that the conversation is being recorded and given the opportunity to object. Recordings are accessible only to authorised personnel, encrypted at rest, and deleted on the timeline set in the relevant Data Processing Agreement.
9. SMS, voice, and outbound communications (incl. US recipients)
By providing your phone number — through the contact form, email, WhatsApp, or any campaign opt-in — you consent to receive SMS or voice communications from Done Outsourcing or its contracted client related to the purpose for which you provided the number.
- Reply STOP to any SMS to unsubscribe.
- Reply HELP to receive support information.
- Message and data rates may apply. Frequency varies.
- We do not sell, rent, or share opt-in or opt-out data with third parties for their independent marketing purposes.
Where calls or messages are directed at recipients located in the United States, Done Outsourcing operates in accordance with the Telephone Consumer Protection Act (TCPA), the Telemarketing Sales Rule (TSR), and applicable state law, including (where required) prior express written consent and respect of national / state Do Not Call registries.
10. Cookies and tracking
This website uses only strictly necessary technical cookies set by the application framework. We do not deploy advertising, cross-site-tracking, or third-party analytics cookies. Server-side IP addresses appear only in aggregated security logs and are not used to build user profiles.
11. Security
We implement appropriate technical and organisational measures to protect personal data, including transport encryption (TLS 1.2+), encryption at rest for sensitive datasets, role-based access controls, mandatory NDAs and confidentiality clauses for staff and sub-contractors, and continuous monitoring of our infrastructure. Specific measures applicable to a given engagement are listed in Annex II of the relevant Data Processing Agreement.
12. Your rights
You have the following rights under the GDPR and Albanian law:
- Right of access (Art. 15) — to obtain a copy of the personal data we hold about you.
- Right to rectification (Art. 16) — to correct inaccurate or incomplete data.
- Right to erasure (Art. 17) — to request deletion of your data, subject to legal retention obligations.
- Right to restriction (Art. 18) — to limit processing under specific conditions.
- Right to data portability (Art. 20) — to receive your data in a structured, machine-readable format.
- Right to object (Art. 21) — particularly to processing based on legitimate interest or for direct marketing.
- Right to withdraw consent (Art. 7) — at any time and without affecting the lawfulness of processing prior to withdrawal.
- Right to lodge a complaint — with the Albanian Commissioner for the Right to Information and Protection of Personal Data (www.idp.al) or any competent supervisory authority in the EU member state of your habitual residence.
To exercise any of these rights, contact us at info@donegroup.al. We will respond within 30 days; we may extend this by two further months for complex requests, in which case we will inform you of the reasons for the delay.
13. Children
Our services are directed at businesses. We do not knowingly collect personal data from individuals under the age of 16 in the EU or under 13 in the United States. If we learn that we have collected such data, we will delete it without undue delay.
14. Changes to this policy
We may update this policy to reflect changes in law, our services, or our processing operations. The revised version is effective on the date stated at the top of the page. Material changes will be announced on this site and, where applicable, communicated to active contacts.
15. Contact
For any data-protection question or to exercise your rights, write to info@donegroup.al or by post to the registered address listed in section 1.