Last updated: [[Insert date]]

1. Purpose

This GDPR Policy outlines how [[Your Organisation Name]] complies with the UK GDPR and EU GDPR regarding the collection, storage, and processing of personal data.

2. Data Controller

[[Your Organisation Name]]
[[Address – optional]]
Email: [[your-email@example.com]]

We are the Data Controller responsible for your personal data.

3. Lawful Basis for Processing

We process personal data under the following lawful grounds:

  • Consent
  • Performance of a contract
  • Legitimate interests
  • Legal obligation

We document all lawful bases for processing in accordance with GDPR.

4. Data Minimisation

We only collect the minimum amount of personal data necessary to deliver our services. We do not collect unnecessary or excessive data.

5. Data Storage and Security

We store personal data securely using:

  • Encrypted storage where applicable
  • Access controls
  • Secure hosting environments
  • Regular monitoring for vulnerabilities

All third-party processors are required to be GDPR-compliant.

6. Data Retention

Personal data is held only as long as necessary for the purpose for which it was collected. Retention periods are reviewed regularly. Data may be retained longer if required by law.

7. Data Subject Rights

We uphold all data-subject rights under GDPR:

  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to restrict processing
  • Right to object
  • Right to data portability
  • Rights related to automated decision-making and profiling

Requests can be sent to: [[your-email@example.com]]. We will respond within 30 days.

8. Data Breaches

We maintain procedures to detect, report, and investigate data breaches. If a breach poses a risk to user rights or freedoms, affected individuals and the ICO will be notified within 72 hours where required by law.

9. Children’s Data

We do not knowingly collect data from children under 13 without parental consent.

10. International Transfers

If personal data is transferred outside the UK or EU, we ensure protection through:

  • Adequacy decisions
  • Standard Contractual Clauses (SCCs)
  • Equivalent safeguards

11. Review and Updates

This GDPR Policy is reviewed annually or when laws change. Updates will be published on the website.