We are fully committed to information security in accordance with the General Data Protection Regulation (GDPR). This document outlines our position, responsibilities and procedures in relation to privacy and security.

  • Ctrl-X Digital Ltd
  • Date: 14 May 2018
  • Version: 1.1


Clients – Anyone commissioning or receiving services from Ctrl-X Digital Ltd.

Client Data – Information supplied by clients containing customer information.

Customer Information – Identifiable personal data such as name, email, address, phone number etc.

Data Controller Identity – Ctrl-X Digital Ltd is the data processor and our clients are either data controller or data processor. We undertake to carry out client support and service fulfilment based on the client already having either explicit consent to mail or having agreed legitimate interest. As a business we expect and demand that the onus is on the client to have the necessary controls in place from the end client to send communications including email and SMS messages legitimately and we are in no way liable should this not be the case.

Types of Data and Purposes – We require only the relevant customer information to be able to carry out our duties. Any additional information supplied should be flagged to our client and removed before we proceed further.

Recipients – Unless required by applicable law or a court order, our underlying policy is never to disclose your customer information to any third parties without the clients specific permission.

Retention Period – We only hold on to customer information long enough to ensure the job is complete. Where customer information is held on a mailing platform such as MailChimp or Campaign Monitor it is the responsibility of the client (as data controller) to ensure it is held in accordance with the GDPR and any other relevant data protection laws

Legitimate Interest – We utilise the data provided by clients for the legitimate interest of providing services and do so on the understanding that we work within the GDPR guidelines and any other relevant data protection laws at all times.

Data Subject Rights – Your customers have a number of rights under GDPR. These rights (subject to conditions) include the right of data portability, the right to object to the processing of their personal data, the right to require you to update and correct their data, the right to erasure of their personal data, the right to obtain a restriction on processing of the data, the right to withdraw where applicable their consent to processing of that data.

Finally, the end client has a right to lodge a complaint with the data protection authority should they wish. Our role is to help facilitate the requests from your clients in a timely, efficient and professional method within the GDPR guidelines and any other relevant data protection laws.


This Agreement is to be used for the purpose of sharing information in relation to Ctrl-X Digital Ltd. It is a formal agreement on how client data will be handled.

It sets out the purpose of information exchange, the information to be exchanged and requires the exercise of professional judgement in the sharing of information in relation to Ctrl-X Digital Ltd.

It outlines the terms and conditions under which identifiable information can be shared, and the safeguards that must be implemented.

For the purposes of this agreement, clients include all people and organisations receiving professional services from Ctrl-X Digital Ltd.

This agreement adheres to relevant data protection legislation such as the General Data Protection Regulation (GDPR) the European Convention on Human Rights and the Common Law Duty of Confidentiality.

The information shared and processed may be held in both manual and electronic record format.

Defined Purposes

The following range of purposes are agreed as justifiable for the transfer of personal information between the client as defined within the remit of this protocol:

  • Deliver and support client services and support by Ctrl-X Digital Ltd.
  • Monitor, plan and improve future integrated services.

Disclosure of data may also be required under certain circumstances to meet legitimate statutory requirements.

Other purposes may emerge from time to time which cannot be foreseen at the time this agreement was written. Each new purpose must be:

  • To be legal (in line with Scots Law)
  • Consistent with UK and European Data Protection Law


All parties accept that the agreement laid down in this document will provide a secure framework for the sharing of information between client and Ctrl-X Digital Ltd. This will be done in a manner compliant with their statutory and professional responsibilities. As such, they undertake to implement and adhere to this agreement.

Any confidentiality or data breach will be notified to all other parties.