GDPR Compliance

Last updated: 24 May 2026

DbsDue is built in the UK for UK employers. We take UK GDPR and the Data Protection Act 2018 seriously — here is how that works in practice.

Lawful basis

We process account-holder data on the basis of contract (we need it to provide the service you signed up for). We process your staff records on the basis of your legitimate interest as an employer in maintaining safeguarding records. You remain the controller of those records; we act as your processor.

Your rights

  • Right of access — request a copy of your personal data.
  • Right to rectification — ask us to correct anything inaccurate.
  • Right to erasure — ask us to delete your data.
  • Right to portability — export your data in a machine-readable format.
  • Right to object — to processing based on legitimate interests.
  • Right to complain to the ICO at any time.

Data minimisation

We only ask for what we need to track a renewal: name, role, certificate number, issue date, renewal date. We never ask for the contents of a DBS certificate, and we never store identity documents.

International transfers

All primary data storage is in the UK or EEA. Where a sub-processor is located outside the UK, we rely on the UK International Data Transfer Addendum to the EU Standard Contractual Clauses.

Security

Data is encrypted in transit (TLS 1.3) and at rest (AES-256). Access to production systems is restricted to named engineers using multi-factor authentication. We run regular backups and test restores quarterly.

Breach notification

In the unlikely event of a personal data breach, we will notify affected customers without undue delay and within 72 hours where the breach is likely to result in a risk to the rights and freedoms of individuals, in line with Article 33 UK GDPR.

Contact

Our Data Protection lead can be reached at dpo@dbsdue.co.uk.

Questions? Email hello@dbsdue.co.uk. DbsDue is operated in the United Kingdom and is not affiliated with the Disclosure & Barring Service.