Data Protection Policy
Data Protection & GDPR Compliance Policy
Effective Date: 2 January 2025
Review Date: 2 January 2026
1. Purpose
This policy sets out Ultimate Cell UK Ltd’s commitment to protecting the privacy and personal data of employees,
clients, suppliers, and partners. The company fully complies with the UK General Data Protection Regulation (GDPR),
the Data Protection Act 2018, and recognised industry best practice standards.
2. Policy Statement
Ultimate Cell UK Ltd recognises that personal data is a valuable asset requiring the highest levels of confidentiality,
integrity, and availability. We process personal data lawfully, fairly, and transparently, ensuring it is adequate,
relevant, and limited to what is necessary for legitimate business purposes.
3. Scope and Accountability
This policy applies to all employees, contractors, and third-party partners who handle or access company-held
personal data. Overall accountability rests with the Managing Director, with day-to-day responsibility delegated to
Pawel Dolny, IT & Information Officer / Data Protection Officer (DPO).
4. Lawful Basis for Processing
Personal data shall only be collected and processed where one or more lawful bases apply, including:
• Consent of the data subject.
• Performance of a contract.
• Compliance with legal obligations.
• Legitimate interests pursued by the company or its clients.
Data subjects are informed of the processing purpose and their rights at the point of data collection.
5. Data Categories
We may process the following categories of personal data:
• Identity and contact details (name, address, email, phone).
• Employment and training records.
• Financial details for payments or invoicing.
• Client and supplier communications and preferences.
6. Data Security
We maintain robust technical and organisational controls, including:
• Secure cloud storage via Microsoft 365 / OneDrive with MFA and access controls.
• Regular data backups and version control.
• Antivirus, encryption, and firewall protection across all company devices.
• Periodic review of security measures to maintain alignment with ISO 27001 control principles.
7. Data Retention
Personal data is retained only as long as necessary for the original purpose or as required by law. Retention
schedules are reviewed annually and data securely deleted when no longer required.
8. Data Sharing and Third Parties
Where data is shared with third-party service providers (e.g. accountants, IT support, or clients), such partners are
bound by written agreements (data processing agreements where the partner processes personal data on our behalf)
ensuring GDPR-compliant handling, confidentiality, and security of personal data.
9. Data Subject Rights
Individuals may:
• Request access to their personal data.
• Request rectification or erasure.
• Object to processing.
• Request data portability.
Requests will be acknowledged and fulfilled within one month of receipt in accordance with GDPR. Where a request is
complex or numerous, this period may be extended by up to two further months, and the individual will be informed of
the extension and the reason for it within the first month.
10. Data Breach Management
Any personal data breach must be reported immediately to the DPO. Breaches likely to result in a risk to individuals’
rights and freedoms will be notified to the Information Commissioner’s Office (ICO) within 72 hours of the company
becoming aware of them and, where the breach is likely to result in a high risk to individuals, to the affected
individuals without undue delay. Records of all breaches, whether or not notified, are maintained for audit purposes.
11. Training and Awareness
All staff receive mandatory induction and refresher training on GDPR and data security. The company promotes a
culture of awareness and accountability, ensuring employees understand their responsibilities in handling personal
data.
12. Review and Continuous Improvement
This policy is reviewed annually or upon legislative or operational change. Improvements are documented and
communicated to all employees.
Signed by:
Gareth Eeson
Managing Director, Ultimate Cell UK Ltd