Pipeline Architects (“we”, “us”, “our”) is committed to protecting the privacy and security of all personal data we process. This policy outlines how we comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
It applies to all personal data handled by Pipeline Architects, whether relating to clients, suppliers, employees, or website visitors.
1. Purpose of this policy
This policy sets out how we:
- Ensure compliance with the UK GDPR and related data protection laws.
- Protect the rights of individuals whose data we process.
- Maintain transparency and accountability in our operations.
- Support staff and partners in handling data responsibly.
2. Scope
This policy applies to:
- All employees, contractors, consultants, and partners of Pipeline Architects.
- All personal data processed by Pipeline Architects, whether in electronic or paper form.
- All systems and services controlled by Pipeline Architects that involve the collection, storage, transmission, or deletion of personal data.
3. Key principles of data protection
We adhere to the seven principles of data protection as set out in Article 5 of the UK GDPR:
- Lawfulness, fairness, and transparency: data must be processed lawfully, fairly, and in a transparent manner.
- Purpose limitation: data is collected for specific, explicit, and legitimate purposes and not further processed in ways incompatible with those purposes.
- Data minimisation: we collect only the data that is necessary for the intended purpose.
- Accuracy: personal data must be accurate and kept up to date.
- Storage limitation: data must not be kept longer than necessary.
- Integrity and confidentiality (security): data must be handled securely using appropriate technical and organisational measures.
- Accountability: we take responsibility for demonstrating compliance with these principles.
4. Lawful bases for processing
Pipeline Architects processes personal data only where a lawful basis exists under Article 6 of the UK GDPR. These include:
- Consent: where individuals have given clear permission for us to process their data.
- Contract: where processing is necessary to deliver our services or fulfil a contract.
- Legal obligation: where processing is required by law.
- Legitimate interests: where processing is necessary for our legitimate business purposes, provided it does not override individual rights.
Special category data (e.g. health information) will only be processed under Article 9 of the UK GDPR, with explicit consent or where legally required.
5. Data subject rights
We uphold the following rights for all individuals:
- Right to be informed about how we use their data.
- Right of access to personal data we hold about them.
- Right to rectification of inaccurate data.
- Right to erasure (“right to be forgotten”).
- Right to restrict processing under certain circumstances.
- Right to data portability to another controller.
- Right to object to certain types of processing, such as direct marketing.
- Rights related to automated decision-making (we do not use automated decision-making or profiling).
Requests to exercise these rights can be made by emailing [Insert contact email].
We will respond to all valid requests within 30 days.
6. Data collection and usage
We process personal data to:
- Respond to enquiries and deliver consulting services.
- Manage client relationships, projects, and billing.
- Improve our products, website, and communications.
- Meet legal and regulatory obligations.
- Send marketing updates (with consent or legitimate interest).
All processing activities are documented in our Record of Processing Activities (ROPA), maintained in accordance with Article 30 of the UK GDPR.
7. Data retention and disposal
We retain personal data only as long as necessary for the purposes for which it was collected:
- Client data: up to 6 years after project completion.
- Enquiry and marketing data: up to 12 months after last contact.
- Employee and contractor data: for statutory periods required by employment law.
Data is securely deleted or anonymised once retention periods expire.
8. Data security
We implement technical and organisational measures to ensure confidentiality, integrity, and availability of data, including:
- Encrypted data storage and transmission (TLS/SSL).
- Access controls and password protection.
- Regular backups and disaster recovery procedures.
- Security reviews and staff training on data protection.
In the event of a personal data breach, we will:
- Assess the impact within 72 hours.
- Notify the Information Commissioner’s Office (ICO) if required.
- Inform affected individuals when there is a high risk to their rights or freedoms.
9. Data sharing and third parties
We only share data with trusted partners who comply with the UK GDPR.
These may include:
- Cloud storage and hosting providers.
- Email and CRM systems.
- Accountancy and legal service providers.
- Subcontractors or associates working under confidentiality agreements.
All third-party processors are bound by Data Processing Agreements (DPAs) that ensure GDPR compliance and appropriate safeguards.
10. International data transfers
If personal data is transferred outside the UK or EEA, we ensure adequate protection through:
- UK International Data Transfer Agreement (IDTA) or EU Standard Contractual Clauses (SCCs).
- Confirming the destination country has an adequacy decision by the UK government.
11. Accountability and governance
We maintain an internal compliance framework that includes:
- Appointing a Data Protection Lead responsible for overseeing compliance.
- Regular staff training and awareness sessions.
- Data Protection Impact Assessments (DPIAs) for high-risk processing.
- Annual policy reviews and audits.
12. Reporting and complaints
Individuals can raise data protection concerns or complaints by contacting:
Data Protection Lead
Pipeline Architects
Email: [Insert contact email]
If you’re not satisfied with our response, you have the right to complain to the:
Information Commissioner’s Office (ICO)
https://ico.org.uk/
Telephone: 0303 123 1113
13. Policy review
This GDPR Policy is reviewed annually or whenever significant changes occur in our data practices, legal obligations, or organisational structure.