NextLogica

GDPR & Data Protection

Data protection is at the core of everything we do. This page outlines our commitment to GDPR compliance, the measures we take to protect personal data, and your rights as a data subject.

Effective date: 1 January 2026 · Last updated: 8 February 2026

1. Legal Framework

NextLogica operates in compliance with the following data protection legislation:

  • UK General Data Protection Regulation (UK GDPR) — the UK's post-Brexit data protection framework, retained from the EU GDPR.
  • Data Protection Act 2018 — the UK's primary data protection legislation, supplementing the UK GDPR.
  • EU General Data Protection Regulation (GDPR) — applicable where we process data of EU residents, including through our operations in Bulgaria.
  • Privacy and Electronic Communications Regulations (PECR) — governing electronic marketing and cookies.

2. Our Data Protection Principles

We adhere to the six key principles of the UK GDPR in all our data processing activities:

  • Lawfulness, fairness & transparency — we process personal data lawfully, fairly, and in a transparent manner. You always know what data we collect and why.
  • Purpose limitation — we collect personal data only for specified, explicit, and legitimate purposes and do not process it further in ways incompatible with those purposes.
  • Data minimisation — we ensure that the personal data we process is adequate, relevant, and limited to what is necessary for the intended purpose.
  • Accuracy — we take reasonable steps to ensure that personal data is accurate and kept up to date. Inaccurate data is corrected or deleted without delay.
  • Storage limitation — we retain personal data only for as long as necessary. When data is no longer needed, it is securely deleted or anonymised.
  • Integrity & confidentiality — we implement appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage.

3. Our Role as Data Controller & Processor

Depending on the context, NextLogica may act as either a data controller or data processor:

  • Data Controller — when we collect and process data for our own purposes (e.g., website visitors, prospective clients, marketing).
  • Data Processor — when we process personal data on behalf of our clients as part of delivering our services (e.g., building software that handles client customer data).

When acting as a data processor, we enter into a Data Processing Agreement (DPA) with the client that clearly defines the scope, nature, and purpose of processing, as well as the rights and obligations of each party.

4. Your Rights Under GDPR

As a data subject, you have comprehensive rights regarding your personal data. To exercise any of these rights, contact us at dpo@nextlogica.co.uk:

  • Right of access — request a copy of the personal data we hold about you.
  • Right to rectification — request correction of inaccurate or incomplete data.
  • Right to erasure — request deletion of your personal data ("right to be forgotten").
  • Right to restrict processing — request that we limit how we process your data.
  • Right to data portability — receive your data in a structured, machine-readable format.
  • Right to object — object to processing based on legitimate interests or direct marketing.
  • Right to withdraw consent — withdraw consent at any time where processing is based on consent.
  • Right regarding automated decisions — not be subject to decisions based solely on automated processing, including profiling.

We will respond to all valid requests within 30 days. In complex cases, we may extend this by a further 60 days with notice.

5. Technical Security Measures

We implement robust technical measures to safeguard personal data:

  • Encryption of data in transit (TLS 1.3) and at rest (AES-256).
  • Regular security audits and vulnerability assessments.
  • Secure coding practices following OWASP guidelines.
  • Multi-factor authentication (MFA) for all internal systems.
  • Automated monitoring and intrusion detection.
  • Regular backups with encrypted off-site storage.

6. Organisational Security Measures

In addition to technical controls, we maintain organisational safeguards:

  • Data protection training for all team members.
  • Role-based access controls — staff only access data necessary for their role.
  • Regular review of data processing activities and third-party processors.
  • Incident response plan with defined escalation procedures.
  • Privacy impact assessments (DPIAs) for new projects and technologies.
  • Data processing agreements (DPAs) with all sub-processors.

7. International Data Transfers

Because we operate in both the United Kingdom and Bulgaria, personal data may be transferred between these jurisdictions.

Bulgaria, as an EU member state, operates under the EU GDPR. The UK has been granted an adequacy decision by the European Commission, meaning data can flow freely between the UK and EEA.

Where data is transferred to countries outside the UK or EEA that do not have adequacy decisions, we implement appropriate safeguards:

  • Standard Contractual Clauses (SCCs) approved by the ICO/European Commission.
  • Supplementary measures where required (e.g., encryption, pseudonymisation).
  • Assessment of the legal framework of the receiving country.

8. Data Breach Procedures

In the event of a personal data breach, we have robust procedures in place:

  • Detection — automated monitoring systems and staff awareness training to identify breaches promptly.
  • Assessment — immediate assessment of the nature, scope, and potential impact of the breach.
  • Notification — where a breach is likely to result in a high risk to individuals, we will notify affected data subjects without undue delay.
  • Regulatory reporting — where required, we will report the breach to the Information Commissioner's Office (ICO) within 72 hours of becoming aware of it.
  • Remediation — implementation of corrective measures to prevent recurrence.
  • Documentation — all breaches are recorded in our breach register, regardless of whether they are reportable.

9. Sub-Processors

We use a limited number of trusted sub-processors to deliver our services. All sub-processors are bound by Data Processing Agreements and are regularly reviewed for compliance.

We maintain a register of sub-processors which is available upon request. We will notify clients of any changes to sub-processors in advance, providing the opportunity to object.

10. Data Protection Officer

While not legally required for our organisation, we have designated a data protection lead responsible for overseeing our compliance with data protection legislation.

For any data protection enquiries, requests, or concerns, please contact:

  • Email: dpo@nextlogica.co.uk
  • Address: NextLogica Ltd, United Kingdom

11. Complaints

If you believe that your data protection rights have been violated, you have the right to lodge a complaint:

  • Directly with us — contact dpo@nextlogica.co.uk and we will investigate your concern promptly.
  • With the ICO (UK) — Information Commissioner's Office at ico.org.uk.
  • With the CPDP (Bulgaria) — Commission for Personal Data Protection at cpdp.bg.

12. Updates to This Page

We review and update this page regularly to reflect changes in legislation, our practices, or our business operations. The latest version will always be available here with the effective date clearly stated.

© 2024 NextLogica. All rights reserved.