GDPR Compliance Policy

Last Updated: June 24, 2025

Introduction

Stallions Technologies is committed to complying with the General Data Protection Regulation (GDPR) and protecting the personal data of all individuals in the European Union (EU) and European Economic Area (EEA). This policy outlines our approach to GDPR compliance and your rights under this regulation.

Our GDPR Commitment

As a global IT services company with operations in the UK and serving clients across the EU, we are fully committed to:

  • Transparency: Clear communication about how we process personal data
  • Accountability: Taking responsibility for our data protection practices
  • Privacy by Design: Building privacy protection into our services from the ground up
  • Data Minimization: Collecting only necessary personal data for specified purposes
  • Continuous Compliance: Regular review and improvement of our data protection practices

What is GDPR?

The General Data Protection Regulation (GDPR) is a comprehensive data protection law that:

  • Came into effect on May 25, 2018
  • Applies to all organizations processing personal data of EU/EEA residents
  • Provides individuals with enhanced rights over their personal data
  • Requires organizations to implement strong data protection measures
  • Imposes significant penalties for non-compliance (up to 4% of global turnover)

Legal Basis for Data Processing

Under GDPR Article 6, we process personal data based on the following legal grounds:

  1. Consent (Article 6(1)(a))
  • Marketing Communications: Sending promotional emails and newsletters
  • Optional Website Features: Non-essential cookies and tracking
  • Research Participation: Customer surveys and feedback programs
  • Event Marketing: Webinars, conferences, and promotional events

Characteristics of Valid Consent:

  • Freely given, specific, informed, and unambiguous
  • Clear affirmative action (no pre-ticked boxes)
  • Withdrawable at any time
  • Documented with timestamp and method

  2. Contract Performance (Article 6(1)(b))
  • Service Delivery: Providing IT support, software development, consulting
  • Client Account Management: Managing user accounts and access
  • Payment Processing: Billing and financial transactions
  • Project Communication: Technical discussions and project updates

  3. Legitimate Interest (Article 6(1)(f))
  • Business Operations: Internal administration and management
  • Security Monitoring: Protecting against fraud and cyber threats
  • Service Improvement: Analyzing usage patterns to enhance services
  • Professional Networking: Building business relationships

Balancing Test Considerations:

  • Our legitimate business interests
  • Impact on individual privacy rights
  • Reasonable expectations of data subjects
  • Availability of less intrusive alternatives

  4. Legal Obligation (Article 6(1)(c))
  • Regulatory Compliance: Meeting industry-specific requirements
  • Tax and Accounting: Financial record keeping obligations
  • Employment Law: HR and payroll requirements
  • Data Retention: Legal document retention periods

  5. Vital Interest (Article 6(1)(d))
  • Emergency Situations: Health and safety emergencies
  • Critical Infrastructure: Protecting essential IT systems
  • Urgent Technical Support: Preventing system failures

  6. Public Task (Article 6(1)(e))
  • Government Contracts: Public sector IT services
  • Regulatory Reporting: Compliance with public authorities
  • Industry Standards: Contributing to technical standards development

Your Rights Under GDPR

As a data subject, you have the following rights:

Right of Access (Article 15)

What it means: You can request information about how we process your personal data

You can ask for:

  • Confirmation that we process your personal data
  • Categories of personal data we process
  • Purposes of processing and legal basis
  • Recipients or categories of recipients
  • Retention periods or criteria
  • Information about your other rights

How to exercise: Submit a Subject Access Request via email or our online form

Response time: Within one month (extendable by two months for complex requests)

Right to Rectification (Article 16)

What it means: You can request correction of inaccurate or incomplete personal data

Examples:

  • Updating contact information
  • Correcting professional details
  • Adding missing information

How to exercise: Contact us directly or use your account settings

Response time: Without undue delay, within one month

Right to Erasure (Article 17) – “Right to be Forgotten”

What it means: You can request deletion of your personal data in certain circumstances

When applicable:

  • Personal data no longer necessary for original purpose
  • You withdraw consent (where consent was the legal basis)
  • Personal data unlawfully processed
  • Erasure required for legal compliance
  • Data collected from children without valid consent

Limitations:

  • Legal obligations requiring retention
  • Legitimate interests that override erasure rights
  • Ongoing contractual relationships

Right to Restrict Processing (Article 18)

What it means: You can request limitation of how we process your data

When applicable:

  • Accuracy of data is contested
  • Processing is unlawful but you oppose erasure
  • We no longer need the data but you need it for legal claims
  • You’ve objected to processing pending verification

Effect: We may store but not further process the data

Right to Data Portability (Article 20)

What it means: You can receive your personal data in a structured, machine-readable format

Requirements:

  • Processing based on consent or contract
  • Processing carried out by automated means
  • Does not adversely affect rights of others

Formats provided: JSON, CSV, XML, or other structured formats

Right to Object (Article 21)

What it means: You can object to processing in certain circumstances

Processing you can object to:

  • Direct marketing (absolute right)
  • Processing based on legitimate interests
  • Profiling based on legitimate interests
  • Processing for research/statistical purposes

Direct Marketing: We must stop immediately upon objection

Rights Related to Automated Decision-Making (Article 22)

What it means: Protection against solely automated decision-making with significant effects

Your rights:

  • Information about automated decision-making
  • Human intervention in the decision process
  • Right to challenge automated decisions
  • Right to have decisions reviewed

Current practices: We do not engage in significant automated decision-making

Special Categories of Personal Data

GDPR provides enhanced protection for special categories of personal data:

Categories (Article 9):

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data for identification
  • Health data
  • Sexual orientation

Our Practices:

  • Minimal Collection: We do not routinely collect special category data
  • Explicit Consent: Required for any processing of special category data
  • Enhanced Security: Additional protection measures when applicable
  • Limited Purposes: Only for specific, legitimate business needs

Data Protection Principles

We adhere to GDPR’s six key principles (Article 5):

  1. Lawfulness, Fairness, and Transparency
  • Lawful Basis: Clear legal justification for all processing
  • Fair Processing: Balanced approach considering individual rights
  • Transparency: Clear, understandable privacy information

  2. Purpose Limitation
  • Specified Purposes: Clear definition of why we collect data
  • Explicit Purposes: Openly communicated to data subjects
  • Legitimate Purposes: Valid business or legal reasons
  • Compatible Use: Further processing only for compatible purposes

  3. Data Minimization
  • Necessity Test: Only collect data necessary for specified purposes
  • Proportionality: Amount of data proportionate to the purpose
  • Regular Review: Periodic assessment of data collection practices
  • Purpose-Driven: Reject requests for excessive data

  4. Accuracy
  • Up-to-Date: Regular updates and corrections
  • Verification: Reasonable steps to verify accuracy
  • Correction Procedures: Easy methods for data subjects to correct data
  • Deletion of Inaccurate Data: Remove data that cannot be corrected

  5. Storage Limitation
  • Retention Schedules: Clear timelines for data retention
  • Purpose-Based Retention: Keep data only as long as necessary
  • Secure Deletion: Permanent removal when retention period expires
  • Legal Requirements: Balance between deletion and legal obligations

  6. Integrity and Confidentiality
  • Security Measures: Technical and organizational safeguards
  • Access Controls: Restricted access to authorized personnel
  • Encryption: Protection of data in transit and at rest
  • Incident Response: Procedures for data breaches

Data Protection by Design and Default

We implement privacy protection measures throughout our systems:

Technical Measures

  • Encryption: AES-256 encryption for data at rest and in transit
  • Access Controls: Role-based access with multi-factor authentication
  • Pseudonymization: Reducing identifiability where possible
  • Network Security: Firewalls, intrusion detection, secure protocols
  • Data Loss Prevention: Monitoring and preventing unauthorized data transfers

Organizational Measures

  • Privacy Policies: Comprehensive data protection policies
  • Staff Training: Regular GDPR and privacy training programs
  • Data Protection Impact Assessments: For high-risk processing activities
  • Vendor Management: GDPR compliance requirements for suppliers
  • Incident Response Procedures: Systematic approach to data breaches

Default Settings

  • Privacy-Friendly Defaults: Maximum privacy protection by default
  • Opt-In Mechanisms: Explicit consent for non-essential processing
  • Minimal Data Collection: Only necessary data collected initially
  • User Control: Easy privacy setting management

International Data Transfers

When transferring personal data outside the EU/EEA, we ensure adequate protection:

Transfer Mechanisms

  1. Adequacy Decisions: Countries approved by European Commission
  2. Standard Contractual Clauses (SCCs): EU-approved contract terms
  3. Binding Corporate Rules: Internal policies for multinational groups
  4. Certification Schemes: Approved certification mechanisms
  5. Explicit Consent: Specific consent for transfers

Current Transfer Practices

  • UK Operations: Adequate protection under UK GDPR
  • Cloud Services: SCCs with major cloud providers (AWS, Google, Azure)
  • Global Offices: Binding corporate rules for internal transfers
  • Third-Party Services: Due diligence on transfer safeguards

Data Breach Response

We have established procedures for handling personal data breaches:

Detection and Assessment

  • Monitoring Systems: Continuous monitoring for security incidents
  • Incident Classification: Categorizing breaches by severity and risk
  • Risk Assessment: Evaluating likelihood and impact on individuals
  • Containment Measures: Immediate steps to limit breach impact

Notification Requirements

  • Supervisory Authority: Within 72 hours of becoming aware (high risk)
  • Data Subjects: Without undue delay (high risk to rights and freedoms)
  • Documentation: Comprehensive record of breach and response
  • Follow-Up: Additional measures and corrective actions

Breach Response Team

  • Data Protection Officer: Lead coordinator for breach response
  • IT Security Team: Technical investigation and containment
  • Legal Team: Regulatory compliance and liability assessment
  • Communications Team: External communications and public relations

Data Protection Officer (DPO)

Contact our Data Protection Officer for GDPR-related matters:

  • Name: [To be appointed]
  • Email: support@stallions.tech
  • Phone: +44 20 7193 8222
  • Address: Stallions Technologies, 124 City Road, London EC1V 2NX, United Kingdom

DPO Responsibilities

  • Compliance Monitoring: Ensuring adherence to GDPR requirements
  • Training and Awareness: Educating staff on data protection obligations
  • Impact Assessments: Conducting Data Protection Impact Assessments
  • Regulatory Liaison: Serving as contact point with supervisory authorities
  • Advisory Services: Providing guidance on GDPR compliance matters

Exercising Your Rights

How to Submit Requests

  1. Email: support@stallions.tech with subject “GDPR Request – [Type of Request]”
  2. Postal Mail: Data Protection Officer, Stallions Technologies, 124 City Road, London EC1V 2NX
  3. Phone: +44 20 7193 8222 (follow up in writing required)

Required Information

  • Identity Verification: Valid identification to protect privacy
  • Specific Request: Clear description of the right you wish to exercise
  • Relevant Details: Information to help us locate your data
  • Preferred Format: How you would like to receive responses

Response Timeline

  • Standard: Within one month of receipt
  • Complex Requests: Up to three months (with explanation)
  • Incomplete Requests: Clarification required within one month
  • Free of Charge: Generally no cost for legitimate requests

Complaints and Supervisory Authorities

If you believe we have not handled your personal data in accordance with GDPR:

Internal Complaints

  • Contact: support@stallions.tech or our Data Protection Officer
  • Escalation: Senior management review for unresolved complaints
  • Resolution: We aim to resolve complaints within 30 days

Regulatory Complaints

You have the right to lodge a complaint with relevant supervisory authorities:

  • UK: Information Commissioner’s Office (ICO) – ico.org.uk
  • EU Member States: Your local data protection authority
  • Multi-jurisdictional: Lead supervisory authority mechanism

Regular Reviews and Updates

We regularly review and update our GDPR compliance:

Annual Review Process

  • Policy Updates: Review and update privacy policies
  • Risk Assessment: Evaluate new risks and processing activities
  • Training Programs: Update staff training materials
  • Technical Measures: Assess and improve security measures
  • Vendor Compliance: Review third-party agreements and practices

Continuous Improvement

  • Monitoring: Regular compliance monitoring and auditing
  • Incident Learning: Incorporating lessons from data breaches
  • Regulatory Changes: Adapting to new guidance and regulations
  • Industry Best Practices: Implementing emerging privacy standards

Contact Information

For GDPR-related inquiries:

Stallions Technologies

  • Email: support@stallions.tech
  • Phone: +44 20 7193 8222

Data Protection Officer

  • Email: support@stallions.tech

Additional Resources

This GDPR Compliance Policy demonstrates our commitment to protecting your personal data and respecting your privacy rights under European data protection law. We are dedicated to maintaining the highest standards of data protection and continuously improving our privacy practices.