GDPR & Data Privacy: Your Obligations as a Client
When Progressive Robot develops or manages systems that process personal data on your behalf, both parties have legal obligations under UK GDPR / the Data Protection Act 2018. This article provides an overview — it is not legal advice; consult your Data Protection Officer or legal counsel for specific guidance.
Data Controller vs. Data Processor
- You (the client) are the Data Controller: you determine the purposes and means of processing personal data. You are responsible to your users/customers/employees for how their data is used.
- Progressive Robot is the Data Processor: we process personal data only on your documented instructions, solely to deliver the agreed services to you.
Data Processing Agreement (DPA)
Where we process personal data on your behalf, a Data Processing Agreement must be in place. This is required by law (Article 28 UK GDPR). If you do not have a DPA with us, contact your Account Manager immediately — we will provide our standard DPA for review.
Your Responsibilities
- Ensure you have a lawful basis for collecting the personal data your system processes
- Maintain an up-to-date Privacy Policy accessible to your users
- Respond to Data Subject Access Requests (DSARs) within 30 days
- Notify the ICO within 72 hours of discovering a personal data breach
- Ensure data is not retained longer than necessary
How We Help
- We implement technical and organisational security measures appropriate to the risk
- We assist you in responding to DSARs (data export, deletion)
- We notify you without undue delay if we become aware of a data breach
- We delete or return personal data at the end of the engagement, per your instructions