Data Protection Policy

Purpose and Scope

This Data Protection Policy outlines how EntityShift Ltd (“the Company”, “we”, “us”, or “our”) collects, processes, stores, and protects personal data in compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and other applicable data protection laws.

This policy applies to:

  • All employees, contractors, and temporary staff.
  • All business activities that involve processing personal data.
  • All personal data handled by EntityShift Ltd, whether in electronic or paper form.

Definitions

  • Personal Data: Any information relating to an identified or identifiable individual.
  • Data Subject: The person to whom the personal data relates.
  • Processing: Any operation performed on personal data, such as collection, storage, use, disclosure, or deletion.
  • Controller: The entity determining the purposes and means of processing personal data.
  • Processor: A party that processes personal data on behalf of the Controller.

Principles of Data Protection

EntityShift Ltd adheres to the following principles when processing personal data:

  1. Lawfulness, Fairness, and Transparency – Data is processed lawfully and transparently.
  2. Purpose Limitation – Data is collected for specific, legitimate purposes.
  3. Data Minimisation – Only necessary data is collected.
  4. Accuracy – Data is kept accurate and up-to-date.
  5. Storage Limitation – Data is retained only for as long as necessary.
  6. Integrity and Confidentiality – Appropriate security measures are in place.
  7. Accountability – The Company takes responsibility for compliance and can demonstrate it.

Lawful Basis for Processing

EntityShift Ltd processes personal data under one or more lawful bases, including:

  • Consent (explicitly given by the data subject);
  • Contractual necessity (to perform a contract);
  • Legal obligation (to comply with law);
  • Legitimate interests (to pursue legitimate business interests without overriding individual rights).

Data Collection and Use

EntityShift Ltd collects personal data for purposes including but not limited to:

  • Managing employees and contractors.
  • Maintaining client and supplier relationships.
  • Marketing and communications.
  • Legal and regulatory compliance.

All data collected will be limited to what is necessary for the stated purpose.

Data Subject Rights

Data subjects have the following rights:

  • Access to their personal data.
  • Correction of inaccuracies.
  • Erasure (“Right to be Forgotten”).
  • Restriction of processing.
  • Data portability.
  • Objection to processing.
  • Withdrawal of consent.

Requests may be made by contacting the Company. The Company will respond within one month.

Data Security

EntityShift Ltd implements appropriate technical and organisational measures to protect data, including:

  • Encryption of sensitive information.
  • Access control and authentication.
  • Regular security audits.
  • Secure disposal of data.
  • Staff training on data protection.

Data Breach Management

In the event of a data breach:

  • The Data Protection Officer (DPO) will be notified immediately.
  • Breaches will be assessed and, where required, reported to the Information Commissioner’s Office (ICO) within 72 hours.
  • Affected individuals will be informed if their rights and freedoms are at high risk.

Data Retention

Personal data will be retained only as long as necessary for business, legal, or regulatory purposes.
A Data Retention Schedule defines retention periods for each category of data.

Data Transfers

EntityShift Ltd may transfer data outside the UK or EEA only when:

  • Adequate safeguards (e.g., Standard Contractual Clauses) are in place; and
  • The transfer complies with applicable laws.

Roles and Responsibilities

  • Board of Directors: Overall accountability for data protection compliance.
  • Data Protection Officer (DPO): Oversees implementation and monitors compliance.
  • Employees: Must handle data in accordance with this policy and report any breaches.

Training and Awareness

All employees receive data protection training. The Company actively promotes a culture of privacy awareness.

Policy Review

This policy is reviewed annually or upon significant legal or operational changes to ensure ongoing compliance.