1. Purpose and Scope
This Data Protection Policy applies to SYSTM and all individuals who process personal data on our behalf, including employees, contractors, consultants, and third-party processors.
The purpose of this policy is to:
- Establish a clear framework for the lawful, fair, and transparent processing of personal data
- Define the responsibilities of SYSTM and its staff in relation to data protection
- Ensure compliance with the UK GDPR, EU GDPR, and Data Protection Act 2018
- Protect the rights and freedoms of individuals whose data we process
- Minimise the risk of data breaches and non-compliance
This policy covers all personal data processed by SYSTM, regardless of the format in which it is held (digital, paper, or otherwise).
2. Key Definitions
The following definitions apply throughout this policy:
- Personal Data: Any information relating to an identified or identifiable living individual.
- Special Category Data: Sensitive personal data including data about racial or ethnic origin, political opinions, religious beliefs, trade union membership, health, sex life, sexual orientation, biometric data, and genetic data.
- Data Subject: The individual to whom personal data relates.
- Data Controller: The entity that determines the purposes and means of processing personal data. SYSTM acts as data controller for the data it collects.
- Data Processor: An entity that processes personal data on behalf of a data controller.
- Processing: Any operation performed on personal data, including collection, recording, storage, retrieval, use, disclosure, and deletion.
- Data Breach: A security incident resulting in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data.
- UK GDPR: The UK General Data Protection Regulation as retained in UK law by the European Union (Withdrawal) Act 2018.
3. Data Protection Principles
All personal data processed by SYSTM must comply with the six data protection principles set out in Article 5 UK/EU GDPR, together with the accountability principle that underpins them:
3.1 Lawfulness, Fairness and Transparency
Personal data shall be processed lawfully, fairly, and in a transparent manner. We will always have a valid lawful basis for processing and will inform data subjects about how we use their data through our Privacy Policy and other notices.
3.2 Purpose Limitation
Personal data shall be collected for specified, explicit, and legitimate purposes and shall not be processed in a manner incompatible with those purposes. Data collected for one purpose will not be repurposed without appropriate justification and, where required, fresh consent.
3.3 Data Minimisation
Personal data shall be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed. We collect only the minimum amount of data required.
3.4 Accuracy
Personal data shall be accurate and, where necessary, kept up to date. We take reasonable steps to ensure inaccurate data is corrected or deleted without delay.
3.5 Storage Limitation
Personal data shall not be kept in a form that permits identification of data subjects for longer than necessary. We maintain a data retention schedule that specifies retention periods for all categories of personal data.
3.6 Integrity and Confidentiality
Personal data shall be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage.
3.7 Accountability
SYSTM, as data controller, is responsible for and shall be able to demonstrate compliance with all the above principles. We maintain appropriate records of processing activities and implement data protection by design and by default.
4. Lawful Bases for Processing
SYSTM processes personal data only where a valid lawful basis exists under Article 6 of the UK/EU GDPR. We document our lawful bases in our Record of Processing Activities (ROPA). The lawful bases we rely on include:
- Consent (Article 6(1)(a)): The data subject has given clear, informed, and freely given consent. We maintain records of consent and make it easy to withdraw.
- Contract (Article 6(1)(b)): Processing is necessary for the performance of a contract with the data subject, or to take steps prior to entering a contract.
- Legal Obligation (Article 6(1)(c)): Processing is necessary to comply with a legal obligation.
- Vital Interests (Article 6(1)(d)): Processing is necessary to protect someone's life.
- Public Task (Article 6(1)(e)): Processing is necessary for tasks carried out in the public interest.
- Legitimate Interests (Article 6(1)(f)): Processing is necessary for the legitimate interests of SYSTM or a third party, provided those interests are not overridden by the rights of the data subject.
For special category data, an additional condition under Article 9 must also be met. SYSTM does not routinely process special category data. Where it is necessary to do so, explicit consent or another Article 9 condition will be obtained and documented.
5. Individuals' Rights
SYSTM respects and facilitates the following rights of data subjects under the UK/EU GDPR:
- Right of access: Data subjects may request a copy of their personal data (Subject Access Request).
- Right to rectification: Data subjects may request correction of inaccurate or incomplete data.
- Right to erasure: Data subjects may request deletion of their data in certain circumstances.
- Right to restriction: Data subjects may request restriction of processing in certain circumstances.
- Right to data portability: Data subjects may receive their data in a structured, machine-readable format.
- Right to object: Data subjects may object to processing based on legitimate interests or for direct marketing.
- Rights related to automated decision-making: Data subjects may contest decisions made solely by automated means.
All requests relating to data subject rights should be directed to jasper@systm.xyz. Requests will be acknowledged within 5 working days and fulfilled within one calendar month (extendable by a further two months for complex or numerous requests, with notification to the data subject).
6. Data Security
SYSTM implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk of processing.
6.1 Technical Measures
- Encryption of personal data in transit using TLS and at rest
- Access controls ensuring the principle of least privilege
- Multi-factor authentication for systems holding personal data
- Regular patching and vulnerability management
- Network security controls and firewalls
- Automated monitoring and alerting for suspicious activity
6.2 Organisational Measures
- Data protection training for all staff who handle personal data
- Clear desk and clear screen policies
- Confidentiality obligations in employment contracts and contractor agreements
- Regular internal audits and security reviews
- Data Protection Impact Assessments (DPIAs) for high-risk processing activities
- A documented incident response and breach notification procedure
7. Personal Data Breach Management
A personal data breach is any security incident that leads to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data.
7.1 Reporting Internally
All staff must report any actual or suspected data breach immediately to the data protection lead at hello@systm.xyz. Do not attempt to investigate or handle a breach alone.
7.2 Assessment
On receipt of a breach report, SYSTM will assess the nature, scope, and likely consequences of the breach. We will consider the likelihood of risk to individuals' rights and freedoms.
7.3 Reporting to the Supervisory Authority
Where a breach is likely to result in a risk to individuals' rights and freedoms, we will notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach. Where notification is delayed, we will document the reasons.
7.4 Notifying Data Subjects
Where a breach is likely to result in a high risk to individuals' rights and freedoms, we will notify affected data subjects without undue delay.
7.5 Documentation
All breaches, regardless of whether notification is required, will be documented in our breach register, including the facts, effects, and remedial actions taken.
8. Third-Party Processors and Data Sharing
Where SYSTM engages third parties to process personal data on its behalf, we will:
- Conduct due diligence to ensure the processor provides sufficient guarantees of data protection compliance
- Enter into a written Data Processing Agreement (DPA) that complies with Article 28 UK/EU GDPR
- Ensure the processor processes data only on our documented instructions
- Maintain a register of all third-party processors
We do not permit processors to subcontract their obligations without prior written consent from SYSTM. Where data is shared with third parties as a separate data controller, we ensure there is a clear legal basis and, where required, inform the data subject.
9. International Data Transfers
Personal data may only be transferred outside the UK or EEA where:
- The destination country has been granted an adequacy decision by the UK Government or European Commission
- Appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules
- A specific derogation under Article 49 UK/EU GDPR applies
All international transfers must be documented in the ROPA. Prior to any new transfer, an assessment of the transfer mechanism and risks must be completed.
10. Data Retention
SYSTM maintains a Data Retention Schedule that defines how long different categories of personal data are kept. The schedule is reviewed annually. Key principles are:
- Data is not retained longer than necessary for the purpose for which it was collected
- Retention periods are based on legal obligations, operational needs, and contractual requirements
- At the end of the retention period, data is securely deleted or anonymised
- Back-ups are subject to the same retention requirements as live data
11. Privacy by Design and by Default
SYSTM embeds data protection into the design of new systems, products, and processes from the outset. This means:
- Data protection is considered at the earliest stage of any new project, product, or service
- Data Protection Impact Assessments (DPIAs) are conducted for high-risk processing activities before processing begins
- By default, only personal data necessary for the specific purpose is processed
- Personal data is not made accessible to more individuals than necessary
DPIAs are mandatory where processing is likely to result in a high risk to individuals, including large-scale processing of special category data, systematic profiling, or use of new technologies.
12. Staff Responsibilities
All staff and contractors at SYSTM are responsible for:
- Completing data protection training as required
- Reading and complying with this policy and related procedures
- Handling personal data only for legitimate business purposes
- Protecting personal data from unauthorised access or disclosure
- Reporting data breaches and potential vulnerabilities promptly
- Raising concerns about data protection compliance
Failure to comply with this policy may result in disciplinary action, up to and including dismissal, and may also expose SYSTM and individuals to regulatory action and legal liability.
SYSTM will appoint a data protection lead responsible for overseeing compliance with this policy. The data protection lead can be contacted at hello@systm.xyz.
13. Training and Awareness
SYSTM will ensure all staff who handle personal data receive appropriate data protection training. Training will be:
- Provided at induction for all new staff
- Refreshed at least annually for all staff
- Role-specific where staff have particular data protection responsibilities
- Updated when there are significant changes to data protection law or SYSTM's processing activities
Training completion records will be maintained as evidence of compliance.
14. Policy Review
This policy will be reviewed:
- Annually by the data protection lead
- Following any significant change to SYSTM's data processing activities
- Following a significant data breach or regulatory investigation
- Following changes to applicable data protection legislation or regulatory guidance
This policy was approved and adopted on 17 March 2026. The next scheduled review is March 2027.
Questions or concerns? Contact the data protection lead at hello@systm.xyz.