GDPR Compliance
Our commitment to protecting your personal data under UK and EU data protection laws
Last updated: 28 September 2025
Our GDPR Compliance Commitment
OKOfy is fully committed to complying with the General Data Protection Regulation (GDPR) as implemented in the UK (UK GDPR) and the European Union (EU GDPR). We have implemented comprehensive measures to ensure your personal data is protected and your privacy rights are respected.
1. Legal Framework We Follow
1.1 Applicable Regulations
- UK GDPR: As retained in UK law post-Brexit
- Data Protection Act 2018: UK implementation of GDPR
- EU GDPR: For EU customers and data processing
- Privacy and Electronic Communications Regulations (PECR): For cookies and electronic marketing
1.2 Regulatory Authorities
UK - Information Commissioner's Office (ICO)
Our primary regulatory authority for UK data protection compliance
Website: ico.org.uk
EU - Local Data Protection Authorities
We cooperate with relevant EU DPAs for EU customer data
Find your DPA: EDPB Members
2. GDPR Principles We Follow
We ensure all personal data processing adheres to the seven key GDPR principles:
Lawfulness, Fairness, and Transparency
We process data lawfully, fairly, and in a transparent manner. We clearly explain how and why we use your data.
Purpose Limitation
We collect data for specific, explicit, and legitimate purposes and do not process it for incompatible purposes.
Data Minimization
We only collect and process data that is adequate, relevant, and necessary for our stated purposes.
Accuracy
We keep personal data accurate and up to date, and take steps to rectify or delete inaccurate data promptly.
Storage Limitation
We retain personal data only for as long as necessary and have clear retention policies in place.
Integrity and Confidentiality
We implement appropriate security measures to protect data against unauthorized access, loss, or damage.
Accountability
We take responsibility for compliance and can demonstrate adherence to all GDPR principles.
3. Your Rights Under GDPR
Under GDPR, you have the following rights regarding your personal data:
Right of Access (Article 15)
You have the right to request a copy of the personal data we hold about you.
Response time: 1 month (extendable to 3 months for complex requests)
What you'll receive: Copy of data, processing purposes, recipients, retention period
Right to Rectification (Article 16)
You can request correction of inaccurate or incomplete personal data.
Response time: 1 month
What we'll do: Correct inaccurate data and notify third parties if necessary
Right to Erasure (Article 17)
Also known as the "right to be forgotten" - you can request deletion of your data.
When applicable: Data no longer necessary, consent withdrawn, unlawfully processed
Exceptions: Legal obligations, public interest, exercise of legal claims
Right to Restrict Processing (Article 18)
You can request that we limit how we use your data in certain circumstances.
When applicable: Accuracy disputed, processing unlawful, data still needed for legal claims
Effect: We can store but not further process the data
Right to Data Portability (Article 20)
You can request your data in a machine-readable format to transfer to another service.
Applies to: Data processed by consent or contract, in automated manner
Format: Structured, commonly used, machine-readable (e.g., CSV, JSON)
Right to Object (Article 21)
You can object to processing based on legitimate interests or for direct marketing.
Direct marketing: Absolute right - we must stop immediately
Other processing: We must demonstrate compelling legitimate grounds to continue
Right to Withdraw Consent (Article 7)
Where processing is based on consent, you can withdraw it at any time.
How to withdraw: Contact us or use our cookie preferences center
Effect: We stop processing but past processing remains lawful
How to Exercise Your Rights
To exercise any of these rights, contact us at:
Email: privacy.legal@okofy.com
Subject: GDPR Rights Request
Phone: +44 (0) 20 1234 5678
We will verify your identity before processing any rights requests and respond within one month.
4. Technical and Organizational Security Measures
We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing personal data.
4.1 Technical Measures
Encryption
- SSL/TLS encryption for data in transit
- AES encryption for data at rest
- End-to-end encryption for sensitive communications
Access Controls
- Multi-factor authentication (MFA)
- Role-based access control (RBAC)
- Regular access reviews and deprovisioning
Monitoring
- 24/7 security monitoring
- Intrusion detection systems
- Regular security log analysis
Backup & Recovery
- Regular encrypted backups
- Disaster recovery procedures
- Business continuity planning
4.2 Organizational Measures
- Staff Training: Regular GDPR and data protection training for all employees
- Privacy Policies: Clear internal policies and procedures for data handling
- Incident Response: Documented procedures for data breach response
- Vendor Management: Due diligence and contracts with data processors
- Regular Audits: Internal and external compliance assessments
5. Records of Processing Activities
In accordance with Article 30 of GDPR, we maintain detailed records of our processing activities:
| Processing Activity | Legal Basis | Data Categories | Retention Period |
|---|---|---|---|
| Website Analytics | Consent | Usage data, Device info | 26 months |
| Contact Forms | Legitimate Interest | Contact details, Inquiry details | 3 years |
| Newsletter | Consent | Email address | Until unsubscribed |
| Client Services | Contract | Business data, Project data | 7 years |
6. Data Breach Response Procedures
We have established comprehensive procedures for identifying, investigating, and responding to personal data breaches in compliance with GDPR requirements.
6.1 Breach Response Timeline
6.2 What We Will Do
- Immediately contain and assess the breach
- Document all details and potential impacts
- Report to relevant authorities within 72 hours if required
- Notify affected individuals without undue delay if high risk
- Implement measures to prevent future breaches
- Cooperate fully with regulatory investigations
7. International Data Transfers
When we transfer personal data outside the UK/EEA, we ensure adequate protection through appropriate safeguards:
Adequacy Decisions
We prioritize transfers to countries with adequacy decisions from the European Commission or UK government.
Standard Contractual Clauses (SCCs)
We use EU and UK SCCs to ensure appropriate safeguards for transfers to third countries.
Binding Corporate Rules
For multinational service providers, we ensure they have approved binding corporate rules.
Current International Transfers
| Service Provider | Country | Safeguard | Purpose |
|---|---|---|---|
| Google Analytics | United States | SCCs + Additional Measures | Website Analytics |
| Formspree | United States | SCCs | Form Processing |
8. Contact Us and Lodge Complaints
8.1 Data Protection Contact
Email: privacy.legal@okofy.com
Phone: +44 (0) 20 1234 5678
Response Time: We aim to respond within 48 hours
8.2 Supervisory Authority Complaints
You have the right to lodge a complaint with the relevant supervisory authority if you believe we have not handled your data properly:
UK - Information Commissioner's Office
EU - Your Local Data Protection Authority
Directory: EDPB Members
Find your country's DPA to lodge a complaint
9. Regular Compliance Reviews
We regularly review and update our GDPR compliance measures to ensure ongoing protection of personal data:
- Monthly: Internal compliance checks and staff training updates
- Quarterly: Review of processing activities and risk assessments
- Annually: Comprehensive compliance audit and policy updates
- As needed: Updates following regulatory guidance or incidents
This page was last reviewed and updated on 28 September 2025.