GDPR & DATA PROCESSING AGREEMENT (DPA)

Last Revised: 7 May 2026 Legal Jurisdiction: England and Wales

“Data Protection Legislation” means the UK GDPR, the Data Protection Act 2018, and any other applicable laws relating to the processing of personal data in the United Kingdom.
“Controller” refers to the Client who determines the purposes and means of processing.
“Processor” refers to Crownline Global LTD, which processes data only on behalf of the Controller.
“Transient Data” means personal data that is processed in real-time and purged immediately upon completion of the task.

This agreement applies to all personal data processed by Crownline Global LTD during the provision of BPO services.
The duration of processing shall coincide with the term of the Service Agreement, after which all transient data is permanently deleted.

Non-Retention Policy: Crownline Global LTD operates a “Zero-Persistence” model.
Automated Purging: All personal identifiers are automatically purged from our systems as soon as the specific business process (e.g., a customer support ticket or transaction) is concluded.
No Backups of Client Data: We do not maintain long-term archives, backups, or databases of Client personal data.

The Client, as the Data Controller, acknowledges and agrees to the following:

Legal Basis: The Client is solely responsible for ensuring a valid legal basis exists for the processing of data under UK GDPR.
Transparency: The Client is responsible for providing all necessary privacy notices to data subjects.
Accuracy: The Client ensures that all data transmitted to Crownline Global LTD is accurate and up-to-date.
Full Indemnification: The Client shall indemnify and hold Crownline Global LTD harmless against any and all claims, losses, damages, or fines (including those from the ICO) arising from the Client’s failure to comply with Data Protection Legislation.

Crownline Global LTD shall:

Instructions: Process personal data only on the documented instructions of the Client.
Anonymisation: Apply advanced technological layers to anonymise data wherever possible to minimise privacy risks.
Confidentiality: Ensure that all personnel authorised to process data are bound by strict confidentiality obligations.

We maintain industry-leading security measures to protect data in transit:

Encryption: Implementation of TLS 1.3 for data in transit and AES-256 for any data in temporary cache.
Access Control: Use of Multi-Factor Authentication (MFA) and “Least Privilege” access protocols.
Vault Infrastructure: Processing occurs within isolated “Data Vault” environments.

The Client provides general written authorisation for Crownline Global LTD to engage sub-processors (e.g., cloud infrastructure).
We ensure all sub-processors are bound by terms no less protective than those set out in this agreement.

Direction of Requests: As Crownline Global LTD does not store data, all Subject Access Requests (SARs) or “Right to be Forgotten” requests must be handled by the Client.
Assistance: Crownline Global LTD will assist the Client in responding to such requests only to the extent possible given our non-retention architecture.

Crownline Global LTD shall notify the Client without undue delay (and in any event within 24 hours) upon becoming aware of a personal data breach.
The Client shall be responsible for notifying the Information Commissioner’s Office (ICO) and the affected data subjects.

Crownline Global LTD shall provide the Client with necessary information to demonstrate compliance with these obligations.
Any physical audits shall be conducted at the Client’s expense, with reasonable notice, and during normal business hours.

This agreement and any dispute or claim arising out of it shall be governed by and construed in accordance with the laws of England and Wales.

Crownline Global LTD Legal Department

Inquiries: info@crownlineglobal.co.uk