Skip to content

Legal

GDPR Compliance

This statement describes how Hookseek approaches compliance with the EU and UK General Data Protection Regulation (GDPR) for the personal data it processes, both as a controller for its own website and marketing, and as a processor when delivering services for clients.

Last updated July 2026

Data protection principles

We process personal data lawfully, fairly, and transparently; for specified, legitimate purposes; limited to what is necessary; kept accurate and up to date; retained no longer than needed; and secured with appropriate technical and organisational measures. We are accountable for demonstrating this compliance.

Controller and processor roles

For our website, enquiries, and marketing, Hookseek acts as a data controller. When delivering services inside a client's systems, Hookseek acts as a processor under a Data Processing Agreement, processing personal data only on the client's documented instructions and for the duration of the engagement.

Legal bases

We identify and record an appropriate legal basis for each processing activity: consent, contract, legitimate interests, legal obligation, or, where relevant, public task or vital interests.

Data subject rights

We support the rights of access, rectification, erasure, restriction, portability, and objection, and the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. Requests are handled within the statutory time limits, and we help clients respond to requests that concern data we process on their behalf.

International transfers

Where personal data is transferred outside the EEA or UK, we rely on adequacy decisions or Standard Contractual Clauses, with a transfer risk assessment and supplementary measures where required.

Sub-processors

We engage sub-processors only under written contracts that impose data protection obligations consistent with the GDPR. A current list of sub-processors is available on request to active clients, and we provide notice of intended changes so clients can object.

Security and breach notification

We maintain a security programme and incident response procedures. In the event of a personal data breach, we will, where required, notify the relevant supervisory authority without undue delay and inform affected individuals and clients in line with our legal and contractual obligations.

Records and data protection by design

We maintain records of processing activities as required, and we build privacy and security considerations into new systems and engagements by design and by default.

Contact and complaints

To exercise a right or raise a GDPR question, contact hello@hookseek.com. You also have the right to lodge a complaint with your local supervisory authority.