General Data Protection Regulation (GDPR) Policy

1. Introduction

Geologix Limited ("we," "our," or "us") is committed to ensuring the security and confidentiality of personal data in compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 and the Privacy and Electronic Communication Regulation (PECR), as amended by the Data (Use and Access) Act 2025. We recognise our responsibility to handle personal data lawfully and transparently.

2. Scope

This policy applies to all employees, contractors, and third parties who process personal data on behalf of Geologix Limited. It covers data collected through our website, applications, customer interactions, employee records, and any third-party systems integrated with our business operations.

3. Data Protection Principles

We comply with the following seven data protection principles, ensuring all personal data is handled responsibly

  1. Lawfulness, Fairness, and Transparency – Personal data must be processed legally, fairly, and transparently.
  2. Purpose Limitation – Data is collected for specified, explicit, and legitimate purposes.
  3. Data Minimisation – Only the necessary amount of data is collected and processed.
  4. Accuracy – Personal data must be kept up to date and accurate.
  5. Storage Limitation – Data is retained only as long as necessary for its intended purpose.
  6. Integrity and Confidentiality (Security) – Appropriate security measures protect against unauthorised access, loss, or damage.
  7. Accountability – We actively demonstrate compliance with GDPR regulations.

4. Privacy by Design and Default

Under Article 25 of UK GDPR, businesses must integrate data protection into their systems and processes from the outset. This means

  • Privacy by Design – Data protection is considered at the earliest stages of system development, ensuring safeguards are built into business operations.
  • Privacy by Default – The highest level of privacy protection is applied automatically, ensuring only necessary data is processed and access is restricted.

Implementation Measures

To comply with Privacy by Design and Default, Geologix Limited implements

  • Data Minimisation – Only essential personal data is collected and processed.
  • Pseudonymisation and Encryption – Sensitive data is anonymised or encrypted to prevent unauthorised access.
  • Access Controls – Personal data is restricted to authorised personnel only.
  • Data Protection Impact Assessments (DPIAs) – Before any new or changed high-risk processing, Geologix Limited completes a Data Protection Impact Assessment.
  • User-Friendly Privacy Settings – Customers and employees can easily manage their privacy preferences.

5. Data Collection and Processing

We collect and process personal data lawfully, fairly, and transparently through various means, including

  • Online forms completed by customers (e.g., registration, contact, and payment details).
  • Customer interactions, including emails, phone calls, and website visits tracked through cookies (with consent). Non-essential cookies, pixels, tracking tags and similar technologies do not run before valid consent.
  • Employment records, including resumes, payroll data, and performance assessments for HR management.
  • Security measures such as CCTV footage for safety and compliance purposes.

All personal data is processed for specified, explicit, and legitimate purposes outlined in this policy.

6. Lawful Basis for Processing

We ensure data processing complies with GDPR principles by relying on the following lawful bases where appropriate

  • Consent – Individuals opt-in to receive communications, marketing materials, or share personal details via forms.
  • Contractual Necessity – Processing data necessary for employment agreements, service contracts, or product purchases.
  • Legal Obligations – Complying with tax laws, regulatory requirements, and workplace safety legislation.
  • Legitimate Interests – Conducting fraud prevention checks, securing online transactions, and improving customer services.
  • Public Task – Only where Geologix Limited is legally carrying out a task in the public interest or under official authority. This basis will not be used unless the Data Protection Lead has confirmed it applies.
  • Vital Interests – Only where processing is necessary to protect someone’s life.
  • Special Category Data Processing – If handling sensitive data (e.g., health, race, political opinions), we ensure additional safeguards are applied.

7. Data Subject Rights

Individuals can exercise their rights under GDPR by submitting a request. Customers may use the website and employees may use the intranet, but requests made verbally, by email, letter, social media, or to any member of staff must still be accepted and routed to the Data Protection Lead. Our procedures ensure

  • Identity verification before processing requests.
  • Secure delivery of requested data within the legal timeframe.
  • Immediate correction of inaccurate records.
  • Safe deletion of data unless legal requirements prevent erasure.
  • Restriction of processing upon request in specific scenarios.

Right to Erasure ("Right to be Forgotten")

Individuals can request the deletion of their personal data when

  • The data is no longer necessary for its original purpose.
  • Consent is withdrawn, and no other lawful basis applies.
  • The data was unlawfully processed.
  • The individual objects to processing, and no overriding legitimate interest exists.

Right to Restriction of Processing

Individuals can request restriction of processing when

  • They contest the accuracy of their data.
  • Processing is unlawful, but they prefer restriction over erasure.
  • The data is no longer needed, but they require it for legal claims.
  • They have objected to processing, pending verification of legitimate interests.

Right to Data Portability

Individuals can request their personal data in a structured, commonly used format to transfer it to another service provider when

  • Processing is based on consent or contract.
  • Processing is carried out by automated means.

Right to Object to Processing

Individuals can object to processing when

  • Data is processed under legitimate interests or public task.
  • Data is used for direct marketing purposes.
  • Data is processed for scientific or historical research.

Automated Decision-Making and Profiling

Individuals have the right to

  • Not be subject to decisions made solely by automated processing that significantly affect them.
  • Request human intervention in automated decisions.
  • Challenge automated decisions and request an explanation.

8. Enforcement of Rights

Individuals can enforce their rights by

  • Submitting a formal request to Geologix Limited.
  • Escalating concerns to the Information Commissioner’s Office (ICO) if dissatisfied with our response.
  • Seeking legal action if their rights are violated.

9. Data Security

We implement stringent security measures to protect personal data from unauthorised access, loss, or destruction, including

  • Encryption of sensitive data during transmission and storage.
  • Regular security audits and penetration testing.
  • Controlled access policies ensuring only authorised personnel handle sensitive information.
  • Employee training on secure handling of personal information.
  • Multi-factor authentication for accessing internal systems.

10. Data Retention

We retain personal data only for as long as necessary. Specific retention periods include

  • Customer transaction records Retained for six years (as required by tax laws).
  • Employee records Kept for as long as legally required, e.g., payroll details retained for statutory requirements.
  • Marketing contacts Retained until individual opts out or requests deletion.

11. Data Sharing and Transfers

We do not share personal data with third parties unless necessary for

  • Compliance with legal or regulatory obligations (e.g., government or tax authorities).
  • Third-party service providers (e.g., cloud storage, payment gateways) that comply with GDPR standards.
  • International data transfers which only occur when adequate safeguards (e.g., Standard Contractual Clauses) are in place.

12. Data Breach Response

All data breaches should be referred to the persons whose details are listed in the contact information.

In the event of a data breach, we follow a structured response plan

  1. Detection & Assessment Identify the breach, assess risks, and document the incident.
  2. Containment Prevent further unauthorised access, secure affected systems, and isolate compromised data.
  3. Notification Inform the Information Commissioner’s Office (ICO) and affected individuals where required.

    Where we have identified a personal data breach resulting in a high risk to the rights and freedoms of any individual, we shall tell all affected individuals without undue delay.

    We will not be required to tell individuals about the personal data breach where

    • We have implemented appropriate technical and organisational protection measures to the personal data affected by the breach, in particular to make the personal data unintelligible to any person who is not authorised to access it, such as encryption.
    • We have taken subsequent measures which ensure that the high risk to the rights and freedoms of the individual is no longer likely to materialise.
    • It would involve disproportionate effort to tell all affected individuals. Instead, we shall make a public communication or similar measure to tell all affected individuals.
  4. Mitigation & Review Implement corrective measures, conduct security audits, and review processes to prevent recurrence.

If you have a complaint or suggestion about Geologix Limited’s handling of personal data, then please contact the Geologix Data Protection Lead. Complaints will be acknowledged withing 30 days, investigated without undue delay and the outcome will be communicated to the complainant.

Alternatively, you can contact the ICO directly on 0303 123 1113 or at https://ico.org.uk/global/contact-us/email/

The Geologix Limited Data Protection Lead is responsible for

  • adding, amending or deleting personal data;
  • responding to subject access requests/requests for rectification, erasure, restriction data portability, objection, automated decision-making processes and profiling and withdrawal of consent;
  • reporting data breaches/dealing with complaints; and/or
  • carrying out any appropriate internal disciplinary action if necessary

13. Contact Information

For any GDPR-related concerns, individuals can contact

Geologix Limited

Data Protection Lead (DPL)

Email: enquiries@geologix.com


GDPR Information Request and Removal
Please use this form to request an exported file of the personal data we hold about you including any data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.
Please enter your email, so we can follow up with you.

contact