GDPR policy.

1. Introduction

This GDPR Policy outlines how Evolved Automation ("we," "us," or "our") collects, processes, and protects personal data in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We are committed to safeguarding the privacy and security of personal data.

2. Purpose of This Policy

This policy is designed to ensure that:

  • Personal data is handled lawfully, transparently, and fairly.

  • Data subjects’ rights are respected and upheld.

  • We comply with all applicable data protection legislation.

3. Scope

This policy applies to all employees, contractors, and third parties who handle personal data on behalf of Evolved Automation. It covers all personal data processed by us, regardless of the format.

4. Definitions

  • Personal Data: Any information that identifies, or could identify, a living individual.

  • Processing: Any operation performed on personal data, such as collection, storage, or destruction.

  • Data Subject: The individual whose personal data is processed.

  • Data Controller: The organisation determining the purpose and means of processing personal data.

  • Data Processor: Any organisation processing personal data on behalf of a Data Controller.

5. Data Protection Principles

We adhere to the following principles when processing personal data:

  1. Lawfulness, Fairness, and Transparency: Data must be processed lawfully and in a manner that is transparent to the data subject.

  2. Purpose Limitation: Data must be collected for specified, explicit, and legitimate purposes.

  3. Data Minimisation: Data collection must be adequate, relevant, and limited to what is necessary.

  4. Accuracy: Data must be accurate and kept up to date.

  5. Storage Limitation: Data must not be kept longer than necessary.

  6. Integrity and Confidentiality: Data must be processed securely to protect against unauthorised access or loss.

6. Lawful Bases for Processing

We process personal data under the following lawful bases:

  • Consent: Where the data subject has given clear and informed consent.

  • Contract: Where processing is necessary to fulfil a contract.

  • Legal Obligation: Where processing is necessary to comply with the law.

  • Vital Interests: To protect someone’s life.

  • Public Task: Where processing is necessary for performing a task in the public interest.

  • Legitimate Interests: Where processing is necessary for legitimate business purposes.

7. Rights of Data Subjects

Data subjects have the following rights:

  1. The Right to Be Informed: About how their data is collected and used.

  2. The Right of Access: To obtain a copy of their personal data.

  3. The Right to Rectification: To correct inaccurate or incomplete data.

  4. The Right to Erasure: To request deletion of their data in certain circumstances.

  5. The Right to Restrict Processing: To limit how their data is used.

  6. The Right to Data Portability: To transfer their data to another organisation.

  7. The Right to Object: To certain types of processing, such as direct marketing.

  8. Rights in Relation to Automated Decision-Making and Profiling: To not be subject to decisions based solely on automated processing.

8. Data Security

We implement appropriate technical and organisational measures to ensure personal data is protected against unauthorised access, loss, or destruction. These include:

  • Encryption of data where appropriate.

  • Regular security audits and risk assessments.

  • Secure storage solutions.

  • Employee training on data protection practices.

9. Data Breach Management

In the event of a data breach, we will:

  • Assess the severity and impact.

  • Notify the Information Commissioner’s Office (ICO) within 72 hours if required.

  • Inform affected data subjects where there is a high risk to their rights and freedoms.

  • Document all breaches, regardless of their impact.

10. Third-Party Data Processors

We ensure that any third parties processing data on our behalf comply with GDPR requirements through Data Processing Agreements and regular compliance checks.

11. Data Retention

Personal data will only be retained as long as necessary to fulfil the purpose for which it was collected. Retention periods are defined in our Data Retention Policy.

12. International Data Transfers

Where personal data is transferred outside the UK, we ensure adequate safeguards are in place, such as:

  • Standard Contractual Clauses (SCCs).

  • Binding Corporate Rules (BCRs).

13. Accountability and Governance

We maintain records of processing activities and regularly review our data protection practices to ensure compliance. The Data Protection Officer is responsible for overseeing GDPR compliance.

14. Contact and Complaints

If you have questions about this policy or wish to exercise your rights, please contact:

Evolved Automation
Steve Griffiths / Co-Founder
Solent International Business Park George Curl Way, George Curl Way International House, Southampton SO18 2RZ
email: steve.evolvedautomation@gmail.com
07734 957444

If you are not satisfied with our response, you can lodge a complaint with the Information Commissioner’s Office (ICO):
Website: https://ico.org.uk
Phone: 0303 123 1113

15. Policy Review

This policy will be reviewed annually or as required to reflect changes in legislation or organisational practices.

Effective Date: 01/12/2024