Data Protection Policy

1.0 Purpose
The purpose of this policy is to establish guidelines for ensuring the protection of personal data in compliance with industry standards. This policy outlines the principles, roles, and responsibilities required to safeguard the confidentiality, integrity, and availability of personal data.

2.0 Scope
This policy applies to all individuals with access to the services of Trellint, a division of Modaxo Traffic Management UK Ltd (referred to as "Trellint UK", "The Company", or "Company"). It also applies to all personal data within The Company.

3.0 Definitions & Terminologies

User: Means a person or entity with authorised access.

Personal Data/Personally Identifiable Information (PII): Any information relating to an identified or identifiable natural person.

Processing: Any operation performed on personal data, including collection, storage, use, disclosure, and destruction.

Data Subject: The individual whose personal data is being processed.

Controller: The entity that determines the purposes and means of processing personal data.

Processor: The entity that processes personal data on behalf of the controller.

Data Protection Officer (DPO): A designated individual responsible for overseeing data protection strategy and compliance.

Third-Party Vendor: A separate individual or organization that provides a product or service (not supplied by the Company) to the Company or its end user(s), and with whom PII or other sensitive data is shared.

UK General Data Protection Regulations (UK GDPR): The UK law that sets out how personal data must be handled. It replaced the EU GDPR after Brexit and outlines the key principles, rights and obligations for organisations processing personal data within the UK.

The UK Data Protection Act 2018 (DPA): Complements the provisions in the UK GDPR by providing specific details and exemptions, particularly regarding special categories of personal data, law enforcement and national security.

The UK Data (Use and Access) Act 2025 (DUAA): Provides greater clarity for organisations in the use of personal data, relaxes some restrictions on automated decision making, allows for specific cookies without user consent, enables some direct marketing without consent and introduces a new lawful basis of legitimate interest for processing PII.

4.0 Standards & Regulations
4.1    Principles of Data Processing

4.1.1 The Company commits to processing personal data in accordance with the following principles:

i. Lawfulness, Fairness, and Transparency – data will be processed lawfully, fairly, and in a transparent manner.
ii. Purpose Limitation – data is collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.
iii. Data Minimization – only data that is adequate, relevant, and necessary will be collected.
iv. Accuracy – personal data will be accurate and kept up to date.
v. Storage Limitation – data will not be kept longer than necessary.
vi. Integrity and Confidentiality – data will be processed securely to prevent unauthorized access, loss, or damage.
vii. Accountability – The Company is responsible for and must be able to demonstrate compliance with these principles.

4.1.2    PII must be limited to the minimum amount required to achieve the purpose for which it is collected or processed. The Company will not collect or process any PII that could be considered irrelevant or unnecessary.

4.2    Legal Basis for Processing
4.2.1    Personal data will only be processed when a lawful basis applies, such as:
i. Consent
ii. Contractual necessity
iii. Legal obligation
iv. Vital interests
v. Public task
vi. Legitimate interests

4.2.2    Special category data will only be processed in accordance with GDPR/UK DPA and UK DUAA standards for data subjects in applicable locations.

4.3    Data Subject Rights
4.3.1    The Company ensures that data subjects (where GDPR is applicable) can exercise their rights:
i. Right to access
ii. Right to rectification
iii. Right to erasure (“right to be forgotten”)
iv. Right to restriction of processing
v. Right to data portability
vi. Right to object
vii. Rights related to automated decision making and profiling

4.3.2    Requests must be handled within one month of receipt, with extensions applied only under legal conditions.

4.4    Data Security & Integrity
4.4.1    The Company implements appropriate technical and organizational measures, including but not limited to:
i. Access controls and user authentication
ii. Encryption of personal data at rest and in transit
iii. Regular risk assessments
iv. Data backup and disaster recovery plans
v. Endpoint and network security monitoring
vi. Secure disposal of records and equipment

4.5    Data Breach Management
4.5.1    All personal data breaches must be reported to the DPO and Director of IT & Security immediately. The Company follows an incident response procedure that includes:
i. Immediate containment and investigation
ii. Risk assessment
iii. Notification to supervisory authority within 72 hours (if applicable)
iv. Communication with affected data subjects (if required)

4.6    Data Protection by Design & by Default
4.6.1    New projects, systems, and processes involving personal data (where the data subjects are in applicable locations) must undergo a Data Protection Impact Assessment (DPIA). Privacy must be embedded into system design, and default settings must limit data exposure.

4.7    Third-Party Processors & Data Transfers
4.7.1    All third parties processing data (where the data subjects are in applicable locations) on behalf of The Company must sign a Data Processing Agreement (DPA). Transfers of personal data outside the EU/EEA are only permitted when:
i. An adequacy decision is in place, or
ii. Appropriate safeguards (e.g. Standard Contractual Clauses) are implemented.

4.8    Roles & Responsibilities
4.8.1    Executive Management – ensures resources and oversight for data protection compliance.

4.8.2    Data Protection Officer (DPO) – provides guidance, monitors compliance, and serves as point of contact for data subjects and authorities.

4.8.3    All Staff – must comply with this policy and complete mandatory data protection training.

4.9    Applicability of Other Policies
4.9.1    This document is part of The Company’s cohesive set of security policies. Other policies may apply to the topics covered in this document and, as such, the applicable policies should be reviewed as needed.

5.0    Non-Compliance
This policy will be enforced by the Director, IT & Security and/or Executive Team. Violations may result in disciplinary action, which may include suspension, restriction of access, or more severe penalties up to and including termination of employment. Where illegal activities or theft of Company property (physical or intellectual) are suspected, The Company may report such activities to the applicable authorities.

6.0    Policy Review
This policy will be reviewed annually (or sooner if needed). Policy changes will be communicated to all employees and potential users.