General Data Protection Regulation Policies

Astutium > Legal > Policies - GDPR

Find your perfect domain name | www.


- Updated: 25th May 2018

As of 14 April 2016 (enforceable beginning 25 May 2018) the European General Data Protection Regulation (GDPR) replaces the existing 1995 EU Data Protection Directive (EDPD).
Because the GDPR is a Regulation, not a Directive, it does not require national governments to pass any enabling legislation and is directly binding and applicable to all companies trading in Europe.

The GDPR clarifies and strengthen the rights that individuals have regarding personal data relating (data which directly to them) and seeks to unify data protection standards across Europe (and beyond) regardless of where that data is processed/controlled.

Data Controller

Data Controller is the person/organisation which determines what data to collect/store/process and dictates all policies/processes related to that data.

Data Processor

Data Processor is the person/organisation which handles through collection/processing/storage/analysis the data in accordance with the published policies/processes related to that data (as decided by the controller)

Data Subject

Data Subject is any individual (natural) living person.

Personal Information

Personal Information is information which is specifically about a Data Subject

Personally Identifiable Information

Personally Identifiable Information (PII) is information that can be used to identify a Data Subject

Data Breach

Data Breach is the intentional (or accidental) loss of, damage to, or unauthorised sharing of PI/PII.

Supervisory Authority

Supervisory Authority is the territory specific organisation responsible for enforcing the GDPR - For the UK this is currently the Information Commissioners Office (ICO).

The key principles of the GDPR are that PI/PII is:

  • processed lawfully, fairly and in a transparent manner in relation to individuals
  • collected and processed only for specific lawful purposes
  • adequate, relevant and limited to what is necessary
  • accurate and kept up to date
  • kept for no longer than necessary
  • kept secure

We respect your privacy and are commited to protecting your Personal Information and Personally Identifiable Information. We have made updates to our policies and procedures in order to remain compliant with our obligations under the GDPR.

Your Rights

The GDPR provides you with the following rights:
  • right to be informed
  • right of access
  • right to rectification
  • right to erasure
  • right to restrict processing
  • right to data portability
  • right to object
  • rights in relation to automated decision making and profiling

Astutium Ltd are GDPR Ready

Astutium Ltd has undertaken a comprehensive GDPR audit to ensure readiness and compliance - as a business which respected the privacy and security of our clients', Astutium Ltd was fully compliant with the GDPRs predecessor (the Data Protection Act), the vast majority of our systems and processes have always been GDPR ready but we have taken additional steps to deliver a gdpr compliant organisation/service.

We continue to monitor the legislation, the changes in local laws and how other organisations in this industry interpret and enact the GDPR and are committed to both legal compliance and corporate best practices.

Where Astutium Ltd acts as a Data Controller

For the purpose of the GDPR Astutium Ltd will act as the Data controller only for any data that is provided to us during the:
  • ordering process
  • support/helpdesk process
  • general account management process
  • cancellation process
This includes all data required for setup of the service, providing support, service security and general account management, including any additional data held for statutory reporting and marketing purposes.

Where Astutium Ltd acts as a Data Processor

For the purpose of the GDPR regulation Astutium Ltd will act as a Data Processor only for any data that has been provided, uploaded or transferred to our platforms/servers where:
  • we are also data-controller
  • we have entered into a specific contract to be data-processor
  • it is absolutely necessary to collect on behalf of a 3rd-party data-controller solely for provision of the service

For clarification :
Astutium Ltd DO NOT and WILL NOT act as a data-controller for any data that is required by or requested by 3rd parties.
Astutium Ltd DO NOT and WILL NOT act as a data-processor for any data that is required by or requested by or supplied to 3rd parties unless by specific contract or where it forms an integral and necessary part of the service being supplied.

Data Physical Storage Locations

Data provided to Astutium Ltd is stored safely and securely at specific locations depending on the data type and processing type. We do not publish the locations of our data storage sites for security purposes - they are not open to the general public. These include but are not limited to our:
  • Primary UK Data Centre
  • Secondary UK Data Centre
  • Primary NL Data Centre
  • Primary UK Office
  • Backup/DR UK Office

Type of Data Collected

The GDPR applies to any data that can be used to identity a living/natural person including (but not limited to) name, postal address, telephone number, email address, ip address etc. Additionally it includes meta-data where it can be used in conjunction with other data to identity a living/natural person.

Data Processing Agreements

Any general data processing commitments we undertake will be added to our Privacy Policy. These will get updated from time to time based on guidance from regulators. The GDPR related updates will be coming shortly.

Deletion of Data

We do not delete data (where we are the controller) from our servers/systems, as it is related to one-or-more-of:
  • required by regulators
  • required for the purposes of service provision
  • forms part of our statutory accounts
  • is subject to general company requirements/information management

We can close your account with us on request via the ticket system so that you are no longer contacted about the service(s) you have/had (except where required by the regulators for that service type) but we cannot delete you from our systems for legal reasons.
You can remove your details from any marketing activity/materials freely at any time using the same system(s) that you signed up with.

Action in the Event of Data Breaches

Under the GDPR it is the responsibility of the Data Controller to report any data breach to the UK Information Commission.
Under the unlikely circumstances of any data-breach of any system for which Astutium Ltd is data-controller, we will, starting within 24 hours of discovery:
  • fix the security breach
  • inform the Supervisory Authority
  • take appropriate steps to inform the data-subjects
  • follow appropriate and regulatory defined/agreed steps
In the event of any data-breach of any system for which Astutium Ltd is data-processor, we will, within 24 hours of discovery, inform the data-controller, who will be responsible for all further actions relating to the data/breach as necessary, however Astutium Ltd will assist where possible.

Request for Data Held

You may wish to request a copy of the data we hold for/about you, which you can request through the ticket system. We aim to receive, process and respond to your request with 7 (seven) calendar days. If there is any delay expected beyond 7 days, you will be informed within 7 days with details of the timescale.

Should you have any other queries or would like further information, you can Contact Us