GDPR Compliance

Last updated: 20 November 2025

✓ WebPunch is committed to full compliance with UK GDPR and data protection regulations. This page outlines how we meet our obligations and protect your personal data.

1. What is GDPR?

The General Data Protection Regulation (GDPR) is comprehensive data protection legislation that came into effect on 25 May 2018. The UK has adopted its own version (UK GDPR) following Brexit, maintaining the same high standards for data protection.

GDPR establishes strict rules for how organisations collect, use, store, and protect personal data, giving individuals greater control over their information.

2. Our Commitment to Data Protection

At WebPunch, we take data protection seriously. We are committed to:

  • Processing personal data lawfully, fairly, and transparently
  • Collecting data only for specified, legitimate purposes
  • Minimising data collection to what is necessary
  • Keeping personal data accurate and up to date
  • Storing data only as long as necessary
  • Protecting data with appropriate security measures
  • Being accountable for our data processing activities

3. Legal Basis for Processing

We only process your personal data when we have a lawful basis to do so. Our legal bases include:

| Legal Basis | When We Use It |
|---|---|
| Consent | When you opt in to marketing communications or cookie usage |
| Contract | To fulfill our web design and development services agreement with you |
| Legitimate Interests | To improve our services, prevent fraud, and maintain website security |
| Legal Obligation | To comply with tax, accounting, and other legal requirements |

4. Your Data Protection Rights

Under UK GDPR, you have the following rights:

4.1 Right of Access (Subject Access Request)

You have the right to request a copy of the personal data we hold about you. We will provide this information free of charge within one month of your request.

4.2 Right to Rectification

You can request that we correct any inaccurate or incomplete personal data we hold about you.

4.3 Right to Erasure ("Right to be Forgotten")

In certain circumstances, you can request that we delete your personal data, including when:

  • The data is no longer necessary for the purpose it was collected
  • You withdraw consent and there is no other legal basis for processing
  • You object to processing and there are no overriding legitimate grounds
  • The data has been unlawfully processed

4.4 Right to Restriction of Processing

You can request that we limit how we use your data in certain situations, such as when:

  • You contest the accuracy of the data
  • Processing is unlawful but you don't want the data erased
  • We no longer need the data but you need it for legal claims

4.5 Right to Data Portability

You can request your personal data in a structured, commonly used, machine-readable format to transfer to another service provider.

4.6 Right to Object

You can object to:

  • Processing based on legitimate interests
  • Direct marketing (including profiling)
  • Processing for research or statistical purposes

4.7 Rights Related to Automated Decision-Making

You have the right not to be subject to decisions based solely on automated processing. We do not currently use automated decision-making.

To exercise any of these rights: Contact us at hello@webpunch.co.uk with your request. We will respond within one month.

5. How We Protect Your Data

We implement comprehensive technical and organisational measures to protect your personal data:

5.1 Technical Measures

  • Encryption: All data transmitted to and from our website uses SSL/TLS encryption
  • Password Security: User passwords are stored as hashes produced by industry-standard hashing algorithms
  • Secure Hosting: Our website and databases are hosted on secure servers
  • Regular Backups: Data is regularly backed up and stored securely
  • Firewall Protection: Network security measures to prevent unauthorised access
  • Security Updates: Regular software updates and security patches

5.2 Organisational Measures

  • Access Controls: Limited access to personal data on a need-to-know basis
  • Data Minimisation: We only collect and retain necessary data
  • Staff Training: Regular data protection and security training
  • Policies and Procedures: Documented data protection policies
  • Third-Party Agreements: Data processing agreements with service providers

6. Data Breach Procedures

In the unlikely event of a data breach that poses a risk to your rights and freedoms:

  • We will notify the Information Commissioner's Office (ICO) within 72 hours
  • We will inform affected individuals without undue delay
  • We will provide information about the nature of the breach and recommended actions
  • We will take immediate steps to contain and remedy the breach

7. Third-Party Data Processors

We may use trusted third-party service providers who process data on our behalf. We ensure that:

  • All third parties are GDPR compliant
  • Data Processing Agreements are in place
  • Third parties can only process data according to our instructions
  • Appropriate security measures are maintained

Our Third-Party Processors May Include:

  • Website hosting providers
  • Email service providers
  • Cloud storage services
  • Analytics services
  • Payment processors (for billing)

8. International Data Transfers

We primarily store and process data within the United Kingdom. If we need to transfer data internationally, we ensure:

  • Adequacy decisions are in place recognising equivalent protection standards
  • Standard Contractual Clauses (SCCs) are implemented
  • Appropriate safeguards protect your data
  • Your explicit consent is obtained when required

9. Data Retention

We retain personal data only as long as necessary for the purposes stated in our Privacy Policy:

| Data Type | Retention Period | Reason |
|---|---|---|
| Client project data | Duration of relationship + 7 years | Legal/accounting requirements |
| Contact form enquiries | Up to 2 years | Business development |
| Marketing consent | Until withdrawn | Ongoing consent |
| Website analytics | 14-26 months | Service improvement |

10. Consent and Withdrawal

When we process your data based on consent:

  • Consent must be freely given, specific, informed, and unambiguous
  • You can withdraw consent at any time
  • Withdrawal does not affect the lawfulness of processing before withdrawal
  • It is as easy to withdraw consent as it is to give it

To withdraw consent, contact us at hello@webpunch.co.uk or use the unsubscribe link in marketing emails.

11. Children's Privacy

Our services are not intended for children under 16. We do not knowingly collect data from children without parental consent. If you believe we have collected data from a child inappropriately, please contact us immediately.

12. Accountability and Records

We maintain records of our data processing activities, including:

  • Types of personal data we process
  • Purposes of processing
  • Categories of data subjects
  • Recipients of personal data
  • Data retention periods
  • Security measures in place

13. Regular Reviews and Updates

We regularly review our data protection practices to ensure ongoing compliance with UK GDPR. This includes:

  • Annual policy reviews and updates
  • Regular security assessments
  • Staff training updates
  • Monitoring changes in data protection legislation

14. Contact Our Data Protection Officer

For any questions about data protection, GDPR compliance, or to exercise your data rights:

  • Email: hello@webpunch.co.uk
  • Subject Line: "Data Protection Enquiry" or "GDPR Request"
  • Address: WebPunch, Aberdeen, Scotland, UK

We aim to respond to all data protection enquiries within one month.

15. Complaints and Supervisory Authority

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the UK's supervisory authority:

Information Commissioner's Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Tel: 0303 123 1113
Website: www.ico.org.uk
Report a concern: ico.org.uk/make-a-complaint

16. Related Documents

For more detailed information, please review:

Your data protection matters to us. We are committed to maintaining the highest standards of data protection and transparency in all our operations.
