GDPR Compliance

Last updated: 18 August 2025

1. Our Commitment to Data Protection

Pronto Lingo Ltd is fully committed to protecting personal data and ensuring compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. As a professional language services provider handling confidential client materials and linguist information, we maintain the highest standards of data protection.

This page provides detailed information about our GDPR compliance measures, your rights, and how we protect personal data throughout our service delivery.

2. GDPR Principles We Follow

We strictly adhere to all seven GDPR principles:

  • Lawfulness, fairness, and transparency: Clear legal basis for all processing
  • Purpose limitation: Data used only for stated purposes
  • Data minimisation: Collecting only necessary information
  • Accuracy: Keeping data current and correct
  • Storage limitation: Retaining data only as long as needed
  • Integrity and confidentiality: Protecting data security
  • Accountability: Demonstrating compliance through documentation

3. Your Data Protection Rights

Under UK GDPR, you have comprehensive rights which we fully respect:

  • Right to be informed: Clear information about data processing (this document)
  • Right of access: Obtain copies of your data within 30 days
  • Right to rectification: Correct errors promptly
  • Right to erasure: Request deletion where appropriate
  • Right to restrict processing: Limit use in certain circumstances
  • Right to data portability: Receive data in common formats
  • Right to object: Stop processing for direct marketing
  • Rights regarding automated decisions: Human review of automated processes

To exercise any right, email dpo@prontolingo.com or call 020 7703 0947 with proof of identity.

4. How We Process Personal Data

4.1 Legal Basis for Processing

Every processing activity has a clear legal basis:

  • Contract: Processing necessary to deliver language services
  • Legal obligation: Tax records, anti-money laundering checks
  • Legitimate interests: Service improvement, fraud prevention
  • Consent: Marketing communications, cookies
  • Vital interests: Emergency medical interpreting

4.2 Categories of Data We Process

Category        | Examples                               | Purpose
----------------|----------------------------------------|-------------------
Identity Data   | Name, title, company position          | Account management
Contact Data    | Email, phone, address                  | Communication
Financial Data  | Payment details, invoices              | Billing
Technical Data  | IP address, browser type               | Security
Assignment Data | Source texts, translations, briefs     | Service delivery

5. Technical and Organisational Measures

We implement comprehensive security measures exceeding GDPR requirements:

5.1 Technical Measures

  • AES-256 encryption for all data at rest
  • TLS 1.3 for data in transit
  • Multi-factor authentication (MFA) mandatory
  • Regular penetration testing by CREST-certified testers
  • 24/7 security monitoring and intrusion detection
  • Automated vulnerability scanning

5.2 Organisational Measures

  • Mandatory annual GDPR training for all staff
  • Data Protection Officer oversight
  • Privacy by Design in all new systems
  • Regular data protection impact assessments
  • Comprehensive access controls and audit logs
  • Incident response team with 4-hour SLA

6. International Data Transfers

We primarily process data within the UK. When international transfers occur:

  • EU/EEA: Covered by UK adequacy decisions
  • USA: UK-approved Standard Contractual Clauses with additional safeguards
  • Other countries: Case-by-case assessment with appropriate safeguards
  • Cloud services: UK/EU data centres preferred, contractual guarantees required

All international transfers are logged and subject to regular review by our DPO.

7. Data Breach Response Plan

Our comprehensive breach response ensures GDPR compliance:

7.1 Immediate Response (0-4 hours)

  • Incident containment and initial assessment
  • Activation of response team
  • Preservation of evidence
  • Initial risk evaluation

7.2 Regulatory Compliance (4-72 hours)

  • ICO notification within 72 hours if required
  • Risk assessment documentation
  • Affected individual identification
  • Communication preparation

7.3 Follow-up Actions

  • Individual notifications where high risk
  • Remediation implementation
  • Lessons learned review
  • Policy and procedure updates

8. Privacy by Design Implementation

8.1 Data Protection Impact Assessments (DPIAs)

We conduct thorough DPIAs for:

  • New service offerings or major changes
  • Implementation of new technologies
  • Large-scale data processing operations
  • Processing of confidential or sensitive content
  • Cross-border service provisions

8.2 Privacy Controls

  • Data minimisation by default in all systems
  • Pseudonymisation where possible
  • Granular access controls
  • Automatic data retention limits
  • Privacy-preserving analytics

9. Third-Party Processors

We carefully select processors who demonstrate GDPR compliance:

  • Stripe: Payment processing (PCI DSS Level 1)
  • Vercel: Cloud infrastructure and hosting (SOC 2 Type II)
  • Clerk: Authentication services (SOC 2)
  • Neon: Database services (SOC 2)

All processors are bound by UK GDPR-compliant data processing agreements.

10. Your Right to Complain

We aim to resolve all privacy concerns directly. However, you have the right to:

  1. Contact our Data Protection Officer for resolution
  2. Escalate to the Information Commissioner's Office if unsatisfied
  3. Seek judicial remedy through UK courts

ICO Contact: ico.org.uk/make-a-complaint
Helpline: 0303 123 1113

11. GDPR Compliance Documentation

We maintain comprehensive GDPR documentation including:

  • Records of Processing Activities (RoPA)
  • Privacy Impact Assessments
  • Legitimate Interest Assessments
  • Third-party processor agreements
  • Staff training records
  • Incident logs and breach register

This documentation is available for regulatory inspection upon request.

12. Contact Our Data Protection Team

Data Protection Officer

  • Name: Suleiman Essa
  • Email: dpo@prontolingo.com
  • Phone: 020 7703 0947 (ask for DPO)
  • Address: 7 Bell Yard, London, England, WC2A 2JR
  • Response time: Within 2 business days

For general privacy enquiries: privacy@prontolingo.com

13. Policy Updates

This GDPR compliance statement is reviewed quarterly and updated as needed to reflect:

  • Changes in our data processing activities
  • Updates to UK data protection law
  • ICO guidance and best practices
  • Feedback from data subjects and audits

Last review: 18 August 2025
Next scheduled review: 16 November 2025