GDPR Compliance

1. Our Commitment to GDPR

PICMS is fully committed to complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We handle personal data with the utmost care and respect for individual privacy rights.

2. Lawful Basis for Processing

We process personal data based on the following lawful bases under Article 6 of the UK GDPR:

3. Your Data Subject Rights

Under UK GDPR, you have the following rights regarding your personal data:

Right	Description	Response Time
Right of Access	Request a copy of all personal data we hold about you	30 days
Right to Rectification	Request correction of inaccurate or incomplete data	30 days
Right to Erasure	Request deletion of your personal data ("right to be forgotten")	30 days
Right to Data Portability	Receive your data in a structured, machine-readable format	30 days
Right to Restriction	Request limitation of processing in certain circumstances	30 days
Right to Object	Object to processing based on legitimate interests	30 days
Right to Withdraw Consent	Withdraw consent at any time where processing is based on consent	Immediate

To exercise any of these rights, contact us at privacy@picms.com

4. Data Protection Measures

We implement comprehensive technical and organisational measures to protect your data:

4.1 Technical Measures

• Encryption: 256-bit SSL/TLS for data in transit, AES-256 for data at rest
• Access Controls: Role-based access control, multi-factor authentication
• Infrastructure: UK-based data centres with SOC 2 Type II certification
• Monitoring: 24/7 security monitoring and intrusion detection
• Backups: Encrypted backups with tested recovery procedures

4.2 Organisational Measures

• Policies: Comprehensive data protection and security policies
• Training: Regular staff training on data protection
• Audits: Regular security audits and penetration testing
• DPO: Designated Data Protection Officer
• DPIA: Data Protection Impact Assessments for high-risk processing

5. Data Processing Agreements

As a data processor, we enter into Data Processing Agreements (DPAs) with all customers, ensuring:

• Clear allocation of responsibilities
• Instructions on data processing
• Confidentiality obligations
• Sub-processor management
• Assistance with data subject rights
• Breach notification procedures

Download our standard Data Processing Agreement.

6. International Data Transfers

Your data is primarily stored within the UK (AWS EU-West-2, London). If international transfers are necessary:

• We use Standard Contractual Clauses (SCCs) approved by the ICO
• We verify adequacy decisions where applicable
• We conduct Transfer Impact Assessments
• We implement supplementary measures as needed

7. Data Retention

We retain personal data only as long as necessary:

• Active Accounts: Data retained while account is active
• After Termination: 30 days for data export, then deletion
• Compliance Records: Up to 7 years as required by regulations
• Backups: Purged within 90 days of deletion
• Audit Logs: 2 years for security purposes

8. Data Breach Procedures

In the event of a personal data breach, we will:

• Notify the ICO within 72 hours (where required)
• Notify affected individuals without undue delay (where required)
• Document all breaches in our breach register
• Implement measures to prevent recurrence

9. Sub-Processors

We use the following sub-processors to deliver our services:

• Amazon Web Services (AWS): Cloud infrastructure (EU-West-2, London)
• Auth0: Authentication services (EU region)
• Stripe: Payment processing (UK/EU)
• SendGrid: Email delivery (EU region)

All sub-processors are bound by data processing agreements and undergo regular security assessments.

10. Supervisory Authority

If you believe we have not handled your personal data appropriately, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

• Website: ico.org.uk
• Phone: 0303 123 1113
• Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF