Legal
GDPR Compliance
This statement describes how Hookseek approaches compliance with the EU and UK General Data Protection Regulation (GDPR) for the personal data it processes, both as a controller for its own website and marketing, and as a processor when delivering services for clients.
Last updated July 2026
Data protection principles
We process personal data lawfully, fairly, and transparently; for specified, legitimate purposes; limited to what is necessary; kept accurate and up to date; retained no longer than needed; and secured with appropriate technical and organisational measures. We are accountable for demonstrating this compliance.
Controller and processor roles
For our website, enquiries, and marketing, Hookseek acts as a data controller. When delivering services inside a client's systems, Hookseek acts as a processor under a Data Processing Agreement, processing personal data only on the client's documented instructions and for the duration of the engagement.
Legal bases
We identify and record an appropriate legal basis for each processing activity: consent, contract, legitimate interests, legal obligation, or, where relevant, public task or vital interests.
Data subject rights
We support the rights of access, rectification, erasure, restriction, portability, and objection, and the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. Requests are handled within the statutory time limits, and we help clients respond to requests that concern data we process on their behalf.
International transfers
Where personal data is transferred outside the EEA or UK, we rely on adequacy decisions or Standard Contractual Clauses, with a transfer risk assessment and supplementary measures where required.
Sub-processors
We engage sub-processors only under written contracts that impose data protection obligations consistent with the GDPR. A current list of sub-processors is available on request to active clients, and we provide notice of intended changes so clients can object.
Security and breach notification
We maintain a security programme and incident response procedures. In the event of a personal data breach, we will, where required, notify the relevant supervisory authority without undue delay and inform affected individuals and clients in line with our legal and contractual obligations.
Records and data protection by design
We maintain records of processing activities as required, and we build privacy and security considerations into new systems and engagements by design and by default.
Contact and complaints
To exercise a right or raise a GDPR question, contact hello@hookseek.com. You also have the right to lodge a complaint with your local supervisory authority.