Policy Owner: General Counsel (Privacy Officer; voluntary DPO)
Effective Date: June 13, 2026
Reviewed: Annually and on material change to processing or law
Frameworks: GDPR / UK GDPR; ISO/IEC 27001:2022 A.5.34
Effective Date: June 13, 2026
Reviewed: Annually and on material change to processing or law
Frameworks: GDPR / UK GDPR; ISO/IEC 27001:2022 A.5.34
Purpose & scope
State Neuroscale’s commitments under the EU and UK GDPR and index the controls that implement them. It applies to all processing of personal data where Neuroscale is a controller (workforce, sourcing database, corporate) or a processor (customer candidate/workspace data), as recorded in the Records of Processing Activities (RoPA).Principles (Art. 5)
Neuroscale processes personal data lawfully, fairly, and transparently; for specified purposes; minimized; accurate; retained no longer than necessary; and with integrity and confidentiality. Accountability for these principles sits with the General Counsel.Roles
- Controller / processor identity and contacts: RoPA → Controller identity.
- Privacy contact / voluntary DPO: General Counsel. A mandatory Art. 37 DPO is not triggered; the public-facing title is “privacy contact,” not “DPO,” to avoid voluntarily designating one (see Roles & Responsibilities → Regulatory aliases).
- EU/UK Art. 27 representative: not appointed (no establishment / Art. 3(2) trigger met); reassessed on material change.
Control framework
| GDPR requirement | Implemented by |
|---|---|
| Lawful basis & transparency (Arts. 6, 13–14) | Privacy Notice; Art. 14 Notice |
| Records of processing (Art. 30) | RoPA |
| Data subject rights (Arts. 15–22) | Data Subject Rights Procedure |
| DPIA (Art. 35) & prior consultation (Art. 36) | DPIA Procedure |
| Processor obligations (Art. 28) | DPA Template |
| International transfers (Ch. V) | Cross-Border Transfers Procedure; SCCs/IDTA; DPF (in progress) |
| Security of processing (Art. 32) | Information Security Policy; Cryptography Policy |
| Breach notification (Arts. 33–34) | Incident Response Policy; Customer Communications |
| Children’s data | Privacy Notice → Children’s privacy |
Governance
GDPR obligations are tracked in the Legal & Regulatory Register and reviewed at the ISMS Management Review. Nonconformities are handled via Corrective Action.Version history
| Version | Date | Description | Author | Approved by |
|---|---|---|---|---|
| 1.0 | June 13, 2026 | Initial version. | Cameron Wolfe | Ishan Jadhwani |