This UK GDPR Compliance Policy sets out how Data Monarque Ltd fulfils its obligations as a data controller and, where applicable, as a data processor under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
As a data consultancy specialising in the nonprofit sector, we recognise that responsible data stewardship is fundamental to our business and the trust our clients place in us.
1. Scope and Application
This policy applies to:
- All personal data processed by Data Monarque Ltd in connection with its business operations
- All staff, contractors, and third-party processors acting on our behalf
- Personal data relating to clients, prospects, website visitors, and supplier contacts
- Personal data processed on behalf of clients under Data Processing Agreements
2. Data Protection Principles
We are committed to processing personal data in accordance with the six data protection principles under Article 5 of the UK GDPR:
- Lawfulness, fairness, and transparency — we only process data where we have a valid lawful basis, and we are transparent about how we use it
- Purpose limitation — data is collected for specified, explicit, and legitimate purposes and not processed in a manner incompatible with those purposes
- Data minimisation — we collect only the data that is necessary for the stated purpose
- Accuracy — we take reasonable steps to ensure data is accurate and kept up to date
- Storage limitation — data is retained only for as long as necessary (see our Retention Schedule)
- Integrity and confidentiality — we implement appropriate technical and organisational measures to ensure security
3. Lawful Bases for Processing
We rely on the following lawful bases (Article 6, UK GDPR):
- Contract: Processing necessary for the performance of a contract with the data subject
- Legitimate interests: Where processing is necessary for our legitimate interests or those of a third party, and those interests are not overridden by the data subject’s interests, rights, and freedoms, having conducted a Legitimate Interests Assessment (LIA)
- Legal obligation: Where processing is required to comply with a legal or regulatory obligation
- Consent: For marketing communications and non-essential cookies, where explicit, freely given, specific, informed, and unambiguous consent is obtained
We document our lawful basis for each processing activity in our Record of Processing Activities (RoPA).
4. Record of Processing Activities (RoPA)
We maintain a RoPA in accordance with Article 30 UK GDPR, recording:
- The purposes of processing
- Categories of data subjects and personal data
- Recipients of personal data
- Retention periods
- Technical and organisational security measures
- Third-country transfers and safeguards
The RoPA is reviewed and updated at least annually and whenever a new processing activity is introduced.
5. Data Subject Rights
We have documented procedures to handle the following data subject rights within the required timeframes:
| Right | Timeframe | How to Exercise |
|---|---|---|
| Access (Subject Access Request) | 1 calendar month | Email info@datamonarque.co.uk |
| Rectification | 1 calendar month | Email info@datamonarque.co.uk |
| Erasure (‘right to be forgotten’) | 1 calendar month | Email info@datamonarque.co.uk |
| Restrict processing | Without undue delay | Email info@datamonarque.co.uk |
| Data portability | 1 calendar month | Email info@datamonarque.co.uk |
| Object to processing | Without undue delay | Email info@datamonarque.co.uk |
| Withdraw consent | Immediately | Unsubscribe link or email |
6. Data Processing Agreements
Where we engage third-party processors (e.g. cloud storage, CRM, email platforms), we ensure:
- A written Data Processing Agreement (DPA) is in place before any processing begins
- The processor provides sufficient guarantees of appropriate technical and organisational measures
- The processor processes data only on our documented instructions
- Sub-processors are notified and subject to equivalent contractual obligations
Where we act as a processor on behalf of clients, we sign the client’s DPA and process data only as directed under the relevant Statement of Work (SOW).
7. Data Security Measures
Technical measures
- TLS encryption for all data in transit
- Encryption at rest for all client data stored in cloud environments
- Multi-factor authentication on all business systems
- Role-based access controls — minimum necessary access principle
- Regular security patching and software updates
- Automated backup with tested recovery procedures
Organisational measures
- Documented data protection policies and procedures
- Confidentiality obligations for all staff and contractors
- Regular data protection awareness and training
- Formal onboarding and offboarding procedures including access revocation
- Annual review of all data protection policies
8. Data Breach Management
We maintain a documented Data Breach Response Procedure, which includes:
- Immediate containment and assessment of the breach
- Notification to the ICO within 72 hours where the breach is likely to result in a risk to individuals’ rights and freedoms
- Notification to affected data subjects without undue delay where there is a high risk
- A written record of all breaches, regardless of whether they meet the notification threshold
All staff and contractors are required to report any suspected data breaches immediately to the designated Data Protection contact at Data Monarque Ltd.
9. Data Protection Impact Assessments (DPIAs)
We conduct DPIAs in accordance with Article 35 UK GDPR where proposed processing is likely to result in high risk, including:
- Large-scale processing of sensitive or special category data
- Systematic monitoring of publicly accessible areas
- Use of new technologies with an uncertain privacy impact
DPIAs are completed before processing commences and are reviewed when the nature of the processing changes materially.
10. International Transfers
We do not routinely transfer personal data outside the UK or EEA. Where any transfer is necessary, we ensure one of the following safeguards applies:
- The recipient country has been the subject of a UK Adequacy Regulation
- Standard Contractual Clauses (SCCs) or UK International Data Transfer Agreements (IDTAs) are in place
- A specific derogation under Article 49 UK GDPR applies
11. Accountability and Governance
We demonstrate our commitment to accountability through:
- Designation of a responsible person for data protection within Data Monarque Ltd
- Maintenance of the RoPA, DPIAs, and LIAs
- Annual review of this policy and all associated procedures
- Registration with the Information Commissioner’s Office (ICO) where required
- Inclusion of data protection obligations in all supplier contracts
12. Policy Review
This policy is reviewed annually or following any significant change in processing activities, regulatory guidance, or organisational structure. It was last reviewed on 15 April 2026.