UK-GDPR and EU GDPR Regulation

As of the 25th of May 2018, the EU General Data Protection Regulation (GDPR) strengthens the rights of individuals regarding their personal data and seeks to unify local data protection laws across Europe. GDPR requires new or additional obligations on organizations in the EU processing personal data and organizations outside of the EU processing personal data of EU residents.

On 31 December 2020, the National Commission for Data Protection (CNPD) published a statement on the applicability of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons regarding the processing of personal data and on the free movement of such data (GDPR), following the UK’s departure from the European Union (EU).

On June 28, 2021, the European Commission adopted an adequacy decision for the UK, ensuring the continued free flow of personal data between the two blocs for the next four years.

The UK already has in place a new domestic data privacy law called UK-GDPR that is the same as the EU version and is supported by the UK’s Data Protection Act of 2018.

Compliance with the UK-GDPR and EU’s GDPR remains an obligation for any website, company or organization who process personal data form either inside the UK or EU: the explicit consent of users must be obtained before any processing or transfer is allowed to take place.

Celaton is committed to meeting the obligations set out in the UK-GDPR and EU GDPR ensuring the security and protection of the personal information we process, and to provide a compliant and consistent approach to data protection. We have created this UK-GDPR Compliance Statement to explain our approach to implementing our UK-GDPR compliance program. It describes the implementation of our data protection roles, policies, procedures, controls, and measures to ensure ongoing compliance with UK-GDPR and EU GDPR.

We place high priority on protecting and managing data in accordance with accepted standards. Celaton are certified to ISO 27001:2013 (Information Security). The requirements of this standard are closely aligned to the requirements of UK-GDPR and demonstrate our offices, infrastructure, systems, policies, and procedures are adequately robust to protect all personal data we process.

Celaton have taken steps to ensure we are compliant with UK-GDPR, which includes but is not limited to the following:

• We have established procedures and policies to restrict processing of personal information. Revision 17 Page 2 of 2.
  
  
• We have updated our procedures for data breaches and incident responses.
  
  
• We have updated our company’s Data Protection Policy, Data Retention Policy, information Security Policy, Cookies Policy and Privacy Policy.
  
  
• We have conducted data mapping and analysis on all our data processing activities and maintain a data process register including extended privacy impact assessments where personal information is required to be collected as part of the agreed process.
  
  
• We have appointed a data protection officer (DPO).
  
  
• We are providing training to our employees and raising the awareness and importance of UK-GDPR to our business and their individual responsibilities arising from this.
  
  
• We process personal data contained in business data transmitted to us, only on behalf of our customers, to the extent necessary for our services and in accordance with our customers’ instructions.