HighGround GDPR Statement
The purpose of this page is to explain, in broad terms, how the data protection laws of the EU and UK apply to our operations. In particular, the page explains how these laws affect our handling of the personal data of:
- our users; and
- the personnel of our customers and prospective customers.
The EU’s General Data Protection Regulations (“EU GDPR“) regulates the collection, storage, processing and transfer of personal data – that is, any data that relates to an identified or identifiable natural person. For example, personal names and addresses are personal data; email addresses may also be personal data.
As a result of Brexit, the UK now has a separate set of laws governing the handling of personal data (“UK GDPR“).
With respect to any particular processing activity, then depending upon the location of the individuals concerned and the location of our processing activities, we may be subject to the EU GDPR or the UK GDPR or both.
Are we a controller or processor?
Both the EU GDPR and the UK GDPR distinguish between controllers of personal data and processors of personal data. Controllers are the persons or entities responsible for determining the purposes and means of the processing of personal data; whereas processors act only on behalf of controllers in relation to their processing of personal data.
Controllers and processors have different obligations and responsibilities under the GDPRs.
We sometimes act as a controller for personal data, while in other cases we act as a processor. We have outlined the different cases in the table below.
|Acting as controller||Acting as processor|
Where we act as a controller of personal data, we have an obligation to provide to data subjects information about our activities. To help fulfil this obligation, we have published a detailed privacy and cookies policy, which you can see here:
On the other hand, where we act as a processor of personal data, our specific obligations under the GDPR are owed primarily to the relevant controller. In this case, the privacy and cookies policy does not apply. Instead, our processing is regulated by a set of contractual obligations contained in the contract between us and the controller.
Using your data
Where we act as a processor, however, then we follow the instructions of the relevant controller. Formally, then, you should consult the privacy notice or policy of that organisation in order to establish how we might use relevant personal data. In practice, we typically only use this type for personal data for the purpose of providing our services to the relevant controller.
Security of personal data
Whether we are acting as a controller or processor of personal data, we have obligations under the UK GDPR and/or EU GDPR to keep data securely.