GDPR Compliance

Last Updated: January 2025

Creative IT (UK) Ltd, operating as Physical Data Recovery, is fully committed to compliance with the General Data Protection Regulation (GDPR) (EU) 2016/679 and the UK Data Protection Act 2018. This page outlines our approach to data protection in our recovery services.

Our GDPR Principles

Lawfulness, Fairness and Transparency

We process personal data lawfully, fairly and in a transparent manner. All data collection has a defined purpose and legal basis, which we clearly communicate to data subjects through our Privacy Policy.

Purpose Limitation

Personal data is collected only for specified, explicit and legitimate purposes related to our data recovery services. We do not process data in ways incompatible with these purposes.

Data Minimization

We only collect and process personal data that is adequate, relevant and limited to what is necessary for our services. Our systems are designed to avoid unnecessary data collection.

Accuracy

We maintain accurate and up-to-date personal data, with processes to correct or delete inaccurate information without delay upon request.

Storage Limitation

Personal data is kept in identifiable form only as long as necessary for our services. We have defined retention periods for all categories of personal data we process.

Integrity and Confidentiality

We implement appropriate technical and organizational measures to ensure the security of personal data, including protection against unauthorized processing, accidental loss, destruction or damage.

Our Data Protection Measures

Secure Data Handling Process

  1. Encrypted Transfer: All client data is transferred using AES-256 encryption
  2. Secure Storage: Recovered data is stored on encrypted drives in our secure facility
  3. Access Controls: Strict role-based access to client data with multi-factor authentication
  4. Cleanroom Protocols: Physical media handled in an ISO Class 5 cleanroom environment
  5. Audit Trails: Comprehensive logging of all access to client data
  6. Secure Disposal: Certified data destruction after retention periods expire

Staff Training

All employees complete mandatory GDPR training annually, with additional role-specific training for technical staff handling recovery operations. We maintain records of all training completed.

Data Processing Agreements

We have GDPR-compliant contracts with all third-party processors that handle personal data on our behalf, including cloud service providers and IT support vendors.

Your Rights Under GDPR

As a data subject, you have the following rights regarding your personal data:

Right to Access

Request confirmation of whether and how we process your data

Right to Rectification

Correct inaccurate or incomplete personal data

Right to Erasure

Request deletion of your personal data under certain conditions

Right to Restriction

Limit processing of your personal data

Right to Data Portability

Receive your data in a structured, commonly used format

Right to Object

Object to certain types of processing

Exercising Your Rights

To submit a GDPR request or for any data protection concerns:

Email: privacy@physicaldatarecovery.co.uk

Post: Data Protection Officer, Creative IT (UK) Ltd, 80 Willow Walk, Unit 1, London, SE1 5SY

We respond to all valid requests within 30 calendar days. You may also contact the Information Commissioner's Office if you have concerns about our data practices.
