Policy Owner: General Counsel (Privacy Officer; voluntary DPO)
Effective Date: June 13, 2026
Reviewed: Annually and on material change to processing or law
Frameworks: GDPR / UK GDPR; ISO/IEC 27001:2022 A.5.34

Purpose & scope

State Neuroscale’s commitments under the EU and UK GDPR and index the controls that implement them. It applies to all processing of personal data where Neuroscale is a controller (workforce, sourcing database, corporate) or a processor (customer candidate/workspace data), as recorded in the Records of Processing Activities (RoPA).

Principles (Art. 5)

Neuroscale processes personal data lawfully, fairly, and transparently; for specified purposes; minimized; accurate; retained no longer than necessary; and with integrity and confidentiality. Accountability for these principles sits with the General Counsel.

Roles

  • Controller / processor identity and contacts: RoPA → Controller identity.
  • Privacy contact / voluntary DPO: General Counsel. A mandatory Art. 37 DPO is not triggered; the public-facing title is “privacy contact,” not “DPO,” to avoid voluntarily designating one (see Roles & Responsibilities → Regulatory aliases).
  • EU/UK Art. 27 representative: not appointed (no establishment / Art. 3(2) trigger met); reassessed on material change.

Control framework

GDPR requirementImplemented by
Lawful basis & transparency (Arts. 6, 13–14)Privacy Notice; Art. 14 Notice
Records of processing (Art. 30)RoPA
Data subject rights (Arts. 15–22)Data Subject Rights Procedure
DPIA (Art. 35) & prior consultation (Art. 36)DPIA Procedure
Processor obligations (Art. 28)DPA Template
International transfers (Ch. V)Cross-Border Transfers Procedure; SCCs/IDTA; DPF (in progress)
Security of processing (Art. 32)Information Security Policy; Cryptography Policy
Breach notification (Arts. 33–34)Incident Response Policy; Customer Communications
Children’s dataPrivacy Notice → Children’s privacy

Governance

GDPR obligations are tracked in the Legal & Regulatory Register and reviewed at the ISMS Management Review. Nonconformities are handled via Corrective Action.

Version history

VersionDateDescriptionAuthorApproved by
1.0June 13, 2026Initial version.Cameron WolfeIshan Jadhwani