GDPR Compliance Policy

A500 Tech Solutions
Effective Date: 17 February 2026
Version: 2.0

1. Introduction

A500 Tech Solutions ("we," "us," "our," or "the Company") is committed to protecting the privacy and security of personal data. This GDPR Compliance Policy outlines our approach to data protection and our compliance with:

  • The UK General Data Protection Regulation (UK GDPR)

  • The EU General Data Protection Regulation (EU GDPR)

  • The Data Protection Act 2018 (as amended by the Data (Use and Access) Act 2025 (DUAA))

  • The Data (Use and Access) Act 2025 (DUAA)

  • The Privacy and Electronic Communications Regulations (PECR)

This policy applies to all personal data processed by A500 Tech Solutions in relation to UK and European residents, including data relating to our clients, suppliers, employees, and website visitors.

2. Scope and Application

This policy applies to:

  • All employees, contractors, and third parties acting on behalf of A500 Tech Solutions

  • All personal data processed by the Company, whether in digital or physical format

  • All data processing activities conducted within the UK and the European Economic Area (EEA)

  • Cross-border data transfers to jurisdictions outside the UK and EEA

3. Data Protection Principles

A500 Tech Solutions processes personal data in accordance with the following principles:

3.1 Lawfulness, Fairness, and Transparency

We process personal data lawfully, fairly, and in a transparent manner. We provide clear information about our data processing activities through our Privacy Policy and related documentation.

3.2 Purpose Limitation

We collect personal data for specified, explicit, and legitimate purposes and do not process it in a manner incompatible with those purposes.

3.3 Data Minimisation

We ensure that personal data collected is adequate, relevant, and limited to what is necessary for the purposes for which it is processed.

3.4 Accuracy

We take reasonable steps to ensure that personal data is accurate and, where necessary, kept up to date. Inaccurate data is erased or rectified without delay.

3.5 Storage Limitation

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including legal, accounting, or reporting requirements.

3.6 Integrity and Confidentiality

We implement appropriate technical and organisational measures to ensure data security, including protection against unauthorised or unlawful processing and accidental loss, destruction, or damage.

3.7 Accountability

We demonstrate compliance with data protection principles through documentation, policies, and regular reviews of our data processing activities.

4. Legal Bases for Processing

A500 Tech Solutions processes personal data under one or more of the following legal bases:

4.1 Consent

Where individuals have given clear, affirmative consent for specific processing activities.

4.2 Contractual Necessity

Where processing is necessary for the performance of a contract with the data subject or to take steps prior to entering into a contract.

4.3 Legal Obligation

Where processing is necessary to comply with legal obligations to which we are subject.

4.4 Legitimate Interests

Where processing is necessary for legitimate interests pursued by A500 Tech Solutions or a third party, except where such interests are overridden by the fundamental rights and freedoms of the data subject.

Under the Data (Use and Access) Act 2025, legitimate interests may include:

  • Automated service delivery optimisation

  • Fraud prevention and network security

  • Statistical analysis for service improvement (where consent-exempt under DUAA provisions)

4.5 Vital Interests

Where processing is necessary to protect the vital interests of the data subject or another person.

4.6 Public Task

Where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.

5. Data Subject Rights

A500 Tech Solutions respects and facilitates the exercise of the following data subject rights:

5.1 Right to be Informed

Individuals have the right to clear and transparent information about how we use their personal data.

5.2 Right of Access

Individuals may request access to their personal data and information about how it is processed.

5.3 Right to Rectification

Individuals may request correction of inaccurate or incomplete personal data.

5.4 Right to Erasure ("Right to be Forgotten")

Individuals may request deletion of their personal data in certain circumstances, including:

  • The data is no longer necessary for the purposes for which it was collected

  • Consent is withdrawn and there is no other legal basis for processing

  • The data has been unlawfully processed

5.5 Right to Restrict Processing

Individuals may request restriction of processing in specific circumstances, such as when accuracy is contested.

5.6 Right to Data Portability

Individuals have the right to receive their personal data in a structured, commonly used, and machine-readable format and to transmit it to another controller.

5.7 Right to Object

Individuals may object to processing based on legitimate interests, direct marketing, or processing for research and statistical purposes.

5.8 Rights Related to Automated Decision-Making and Profiling

As updated under the Data (Use and Access) Act 2025, a broader range of automated processing may be carried out on the basis of legitimate interests, provided it does not involve special category data (unless an appropriate Article 9 UK GDPR condition applies) and appropriate safeguards are in place. Individuals have the right to:

  • Be informed of automated decision-making, including the logic involved

  • Request human intervention in automated decisions where applicable

  • Challenge decisions made solely by automated means that produce legal or similarly significant effects

Where A500 Tech Solutions employs automated processing and/or automated decision-making for service delivery, security filtering, fraud prevention, or resource allocation, we will:

  • Provide clear notification of such processing

  • Implement appropriate safeguards (including human oversight where required)

  • Allow individuals to request manual review of decisions that produce legal or similarly significant effects

  • Document our legitimate interest assessments where applicable, including consideration of whether special category data is involved

5.9 Response Timeframes

We will respond to data subject requests without undue delay and within one month of receipt. This may be extended by two additional months where necessary, taking into account the complexity and number of requests.

6. Data Protection Lead

A500 Tech Solutions has designated a Data Protection Lead responsible for:

  • Overseeing data protection strategy and compliance

  • Monitoring compliance with UK GDPR, EU GDPR, and related legislation

  • Serving as the primary point of contact for data protection matters

  • Conducting data protection impact assessments (DPIAs)

  • Cooperating with the Information Commissioner's Office (ICO) and relevant supervisory authorities

  • Providing training and guidance to staff on data protection matters

Contact Details:
Data Protection Lead
A500 Tech Solutions
Email: support@a500.co.uk
Address: 37 Barnfield Way, Alsager, ST7 2GZ

Data subjects and supervisory authorities may contact the Data Protection Lead regarding any data protection concerns or enquiries.

7. Data Processing Activities
7.1 Categories of Personal Data Processed

A500 Tech Solutions processes the following categories of personal data:

  • Identity Data: Name, title, date of birth, national insurance number

  • Contact Data: Postal address, email address, telephone numbers

  • Financial Data: Bank account details, payment card information

  • Transaction Data: Details of services purchased, payment history

  • Technical Data: IP addresses, login data, browser type, device information, time zone settings

  • Usage Data: Information about how our services and website are used

  • Marketing and Communications Data: Marketing and communication preferences

  • Employment Data: CV, references, employment history, professional qualifications (for recruitment purposes)

7.2 Special Category Data

We do not routinely process special category data. Where processing of special category data is necessary (such as health information for reasonable adjustments), we will obtain explicit consent or rely on another appropriate legal basis under Article 9 UK GDPR.

7.3 Data Processing Operations

Our primary data processing operations include:

  • Provision of IT support, infrastructure management, and security services

  • Customer relationship management and account administration

  • Financial transaction processing and invoicing

  • Marketing communications (where consent has been provided)

  • Website analytics and service improvement

  • Recruitment and employment administration

  • Compliance with legal and regulatory obligations

8. Third-Party Data Processors and Transfers
8.1 Third-Party Processors

A500 Tech Solutions engages third-party processors to perform specific functions on our behalf, including:

  • Cloud hosting and storage providers

  • Payment processing services

  • CRM and email marketing platforms

  • IT security and monitoring tools

  • Professional advisors (legal, accounting, insurance)

All third-party processors are carefully vetted and bound by written contracts that require them to:

  • Process personal data only on our documented instructions

  • Implement appropriate technical and organisational security measures

  • Maintain confidentiality

  • Assist with data subject rights requests

  • Delete or return data upon termination of services

8.2 International Data Transfers

Where personal data is transferred outside the UK or EEA, A500 Tech Solutions ensures appropriate safeguards are in place, including:

For transfers to the United States:

  • UK Extension to the EU-US Data Privacy Framework: Where recipients are certified participants

  • Standard Contractual Clauses (SCCs): UK International Data Transfer Addendum to EU SCCs

  • Transfer Impact Assessments (TIAs): Conducted to assess adequacy of protections in the destination country

For transfers to Canada and other jurisdictions:

  • Adequacy Decisions: Where the UK Government has recognised adequate data protection standards

  • Standard Contractual Clauses: With supplementary measures where required

  • Binding Corporate Rules: Where applicable for intra-group transfers

We document all international transfers in our Records of Processing Activities and conduct regular reviews to ensure ongoing compliance.

9. Data Security Measures

A500 Tech Solutions implements comprehensive technical and organisational measures to protect personal data:

9.1 Technical Measures

  • Encryption: Data encryption in transit (TLS 1.3) and at rest (AES-256)

  • Access Controls: Role-based access controls and multi-factor authentication

  • Network Security: Firewalls, intrusion detection systems, and regular security patching

  • Backup and Recovery: Regular encrypted backups with tested disaster recovery procedures

  • Monitoring: Continuous security monitoring and incident detection systems

  • Secure Development: Security-by-design principles in system development

9.2 Organisational Measures

  • Data Protection Policies: Comprehensive policies governing data handling

  • Staff Training: Regular data protection training for all employees

  • Confidentiality Agreements: All staff bound by confidentiality obligations

  • Vendor Management: Due diligence and ongoing monitoring of third-party processors

  • Physical Security: Secure access to offices and server facilities

  • Clear Desk Policy: Ensuring sensitive information is secured when not in use

9.3 Pseudonymisation and Anonymisation

Where appropriate, we employ pseudonymisation and anonymisation techniques to reduce privacy risks, particularly for analytics, testing, and development purposes.

10. Data Breach Management
10.1 Breach Detection and Response

A500 Tech Solutions maintains a data breach response plan that includes:

  • Immediate containment and assessment procedures

  • Investigation and documentation of the breach

  • Risk assessment of potential impact on data subjects

  • Notification to the ICO within 72 hours where required

  • Communication to affected data subjects where there is a high risk to rights and freedoms

10.2 Breach Notification Criteria

We will notify the ICO of a personal data breach where it is likely to result in a risk to the rights and freedoms of individuals. We will notify affected data subjects without undue delay where the breach is likely to result in a high risk.

10.3 Breach Register

All data breaches, whether notifiable or not, are recorded in our breach register, including:

  • The nature of the breach

  • The categories and approximate number of data subjects affected

  • Likely consequences of the breach

  • Measures taken to address the breach and mitigate harm

11. Data Retention and Disposal
11.1 Retention Periods

A500 Tech Solutions retains personal data only for as long as necessary to fulfil the purposes for which it was collected. Retention periods vary depending on the category of data and legal requirements:

11.2 Secure Disposal

When personal data reaches the end of its retention period, we ensure secure disposal through:

  • Secure deletion of electronic data using industry-standard wiping tools

  • Physical destruction of paper records through cross-cut shredding or incineration

  • Destruction certificates obtained from third-party disposal services

  • Verification that data has been removed from backup systems

12. Cookies and Online Tracking
12.1 Cookie Policy Compliance

A500 Tech Solutions' website uses cookies and similar technologies. Our approach complies with the Data (Use and Access) Act 2025, which provides updated consent requirements.

12.2 Cookie Categories

Consent-Exempt Cookies (under DUAA 2025):

  • Strictly Necessary Cookies: Essential for website operation and security

  • Statistical/Analytics Cookies: Used for aggregated, non-identifying website usage analysis

  • Appearance/Preference Cookies: Store user preferences for website display

Consent-Required Cookies:

  • Marketing Cookies: Used for targeted advertising and tracking across websites

  • Social Media Cookies: Enable sharing and integration with social platforms

  • Third-Party Profiling Cookies: Used to create detailed user profiles

12.3 Cookie Management

Users can manage cookie preferences through our Cookie Consent Manager, accessible from our website footer. We provide:

  • Clear information about each cookie's purpose and duration

  • Granular control over cookie categories

  • Easy withdrawal of consent at any time

  • Regular cookie audits to maintain accuracy of cookie declarations

Full details are available in our separate Cookie Policy, accessible at: a500.co.uk/cookie-policy

13. Data Protection Impact Assessments (DPIAs)
13.1 When DPIAs are Required

A500 Tech Solutions conducts Data Protection Impact Assessments before implementing:

  • New technologies or systems that process personal data

  • Large-scale processing of special category data

  • Systematic monitoring of publicly accessible areas

  • Automated decision-making with significant effects

  • Processing that poses high risks to data subjects' rights and freedoms

13.2 DPIA Process

Our DPIA process includes:

  1. Systematic description of processing operations and purposes

  2. Assessment of necessity and proportionality

  3. Assessment of risks to data subjects

  4. Identification of measures to address risks

  5. Consultation with the Data Protection Lead

  6. Consultation with the ICO where high risks cannot be mitigated

14. Records of Processing Activities

A500 Tech Solutions maintains comprehensive records of all processing activities, including:

  • Name and contact details of the controller and Data Protection Lead

  • Purposes of processing

  • Categories of data subjects and personal data

  • Categories of recipients of personal data

  • Details of international transfers and safeguards

  • Retention periods

  • Technical and organisational security measures

These records are available for inspection by the ICO upon request.

15. Staff Training and Awareness
15.1 Mandatory Training

All employees, contractors, and temporary staff receive:

  • Data protection induction training within the first week of employment

  • Annual refresher training on UK GDPR and company policies

  • Role-specific training for those with particular data protection responsibilities

15.2 Ongoing Awareness

We maintain data protection awareness through:

  • Regular internal communications and updates

  • Quick reference guides and resources on our intranet

  • Incident response simulations and testing

  • Updates following legislative changes or significant ICO guidance

16. Complaints and Supervisory Authority
16.1 Internal Complaints

Data subjects who wish to raise a concern or complaint about our data processing activities should contact our Data Protection Lead:

Email: dpo@a500.co.uk
Postal Address: [Company Registered Address]

We will investigate and respond to complaints within 30 days.

16.2 Supervisory Authority

Data subjects have the right to lodge a complaint with the UK supervisory authority:

Information Commissioner's Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Tel: 0303 123 1113
Website: ico.org.uk

For data subjects in the EU, complaints may also be lodged with the relevant national supervisory authority.

17. Children's Privacy

A500 Tech Solutions does not knowingly collect or process personal data from individuals under the age of 16 without appropriate parental or guardian consent. If we become aware that we have inadvertently collected data from a child, we will take steps to delete it promptly.

18. Policy Review and Updates

This GDPR Compliance Policy is reviewed annually and updated as necessary to reflect:

  • Changes in legislation or regulatory guidance

  • Changes in our business operations or data processing activities

  • Results of internal audits or external assessments

  • Data breaches or incidents requiring policy adjustments

Last Review Date: 17 February 2026
Next Scheduled Review: 17 February 2027

19. Contact Information

For questions, concerns, or requests related to this policy or our data protection practices, please contact:

Data Protection Lead
A500 Tech Solutions
Email: support@a500.co.uk
Website: a500.co.uk
Telephone: 01270-882525

20. Related Policies

This GDPR Compliance Policy should be read in conjunction with:

  • Privacy Policy (a500.co.uk/privacy-policy)

  • Cookie Policy (a500.co.uk/cookie-policy)

  • Data Retention Schedule

  • Information Security Policy

  • Acceptable Use Policy

  • Data Breach Response Plan

Document Control