Data Processing Policy (UK GDPR)

Updated: 12th Nov 2025
Organisation: Universal Computing Ltd (“we”, “us”, “our”)
Applies to: All staff, contractors, and approved suppliers who process personal data on our behalf.

1. Purpose

We process personal data to deliver our services lawfully, securely, and transparently, including (where relevant) marketing services such as audience creation (customer match/custom audiences), campaign management, and performance reporting.

2. Scope

This policy applies to all personal data we process, regardless of format, including:

  • digital records (email, spreadsheets, CRM entries, advertising platforms)

  • paper records (where used)

  • device-held data (laptops, phones) used for business purposes

3. Roles and Responsibilities

Data Controller vs Data Processor

Depending on the service and relationship:

  • We act as a Data Controller where we determine the purpose and means of processing (e.g., our own marketing, HR).

  • We act as a Data Processor where we process personal data only on a client’s documented instructions.

Internal Responsibility

  • A named Data Protection Lead (or equivalent) is responsible for policy ownership, incident management, and compliance oversight.
    Data Protection Lead: [Name / Role / Contact]

All personnel must follow this policy and complete data protection training as required.

4. Lawful Basis and Data Protection Principles

We process personal data in line with UK GDPR principles:

  • Lawfulness, fairness, transparency

  • Purpose limitation

  • Data minimisation

  • Accuracy

  • Storage limitation

  • Integrity and confidentiality (security)

  • Accountability

Lawful bases we may rely on include:

  • performance of a contract

  • legal obligation

  • legitimate interests

  • consent (where required)

  • vital interests (rare)

  • public task (rare)

5. What Personal Data We Process

Depending on the service, personal data may include:

  • full name

  • email address

  • phone number

  • address (optional)

  • business name/job title (optional)

  • online identifiers (e.g., cookie IDs, ad identifiers) where applicable and lawfully obtained

  • any other data a client provides for service delivery

Special Category Data

We do not request or intentionally process special category data (e.g., health, ethnicity, religion) unless:

  • it is strictly necessary,

  • documented and approved in advance, and

  • additional safeguards are implemented.

6. Data Collection and Source

We collect personal data from:

  • clients (as controller) where we act as a processor

  • individuals directly (e.g., enquiry forms) where we act as controller

  • systems used to deliver services (e.g., email, CRM, ad platforms), where lawfully configured

We only collect data that is necessary for a defined purpose.

7. How We Use Personal Data

We use personal data for:

  • delivering contracted services

  • communications and project administration

  • marketing campaign setup and management (where instructed)

  • reporting and analytics (using aggregated or pseudonymised data where possible)

  • legal, compliance, and security purposes

We do not sell personal data.

8. Sharing Personal Data and Subprocessors

We only share personal data:

  • where necessary to provide services

  • with approved subprocessors

  • under appropriate contractual safeguards

Approved Subprocessors (examples – tailor to your business)

  • Microsoft

  • Google Ireland Ltd (Google Ads / Customer Match where instructed)

  • Meta Platforms Ireland Ltd (Facebook/Instagram Custom Audiences where instructed)

Any additional subprocessors must be vetted for security and compliance and, where we act as a processor, approved by the client as required.

9. International Data Transfers

If personal data is transferred outside the UK (and/or EEA), we ensure appropriate safeguards are in place, such as:

  • UK International Data Transfer Agreement (IDTA) and/or

  • UK Addendum to EU Standard Contractual Clauses, plus any required supplementary measures.

Transfers are assessed and documented where required.

10. Security Measures

We implement technical and organisational measures appropriate to risk, which may include:

Access control

  • unique user accounts, strong passwords, MFA where available

  • role-based access / least privilege

Data handling

  • secure file sharing methods (no open/public links unless required and time-limited)

  • encryption in transit; encryption at rest where supported by systems used

  • controlled use of USB/removable media

Device and account security

  • device lock, updates, anti-malware, and secure configuration

  • account monitoring and logging where available

Operational controls

  • staff confidentiality obligations

  • regular training and awareness

  • supplier due diligence

  • secure disposal of data and equipment

11. Data Retention and Deletion

We keep personal data only as long as necessary for the purpose it was collected.

  • Where we act as a processor, we delete/return data on the client’s instruction or at contract end, unless required by law.

  • Where we act as a data controller, we retain personal data only for as long as necessary and in line with our retention schedule. Retention periods vary depending on the type of data and the purpose for which it is processed. For more information, please see our privacy policy.

12. Data Subject Rights

Individuals may have rights including:

  • access, rectification, erasure

  • restriction, portability

  • objection (including to direct marketing)

  • rights related to automated decision-making (where applicable)

Requests should be sent to: info@universalcomputing.co.uk
We will verify identity and respond within statutory timeframes. If we are acting as a processor, we will promptly notify the relevant controller/client and assist as required.

13. Personal Data Breach Management

A personal data breach includes accidental/unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data.

Internal reporting: Any suspected breach must be reported immediately to info@universalcomputing.co.uk or 01383 840808 opt 3.

Client notification (processor scenarios): Where we process data for a client, we will notify the client without undue delay and in any event within 48 hours of becoming aware of a breach affecting their data, including:

  • what happened and when

  • what data may be affected

  • likely impacts

  • containment and mitigation steps

Where required, we will support notifications to the ICO and affected individuals.

14. Training, Monitoring, and Review

  • Staff receive appropriate data protection training.

  • We review this policy at least annually and after material changes (such as new systems, subprocessors, incidents, or legal updates).

15. Contact

For questions, concerns, or rights requests:

Email: info@universalcomputing.co.uk
Address: Universal Computing Ltd, 24 Guildhall St, Dunfermline, Fife, KY12 7NS