Draft pending counsel review. This document is being finalised by counsel.
Last updated: 27 May 2026
This Statement describes Brand Atlas’s compliance with the EU General Data Protection Regulation (GDPR), the UK GDPR, and the Data Protection Act 2018. It supplements the Privacy Policy and the Data Processing Addendum.
1. Scope
This Statement applies to:
- Personal data of individuals in the EU/EEA processed by Brand Atlas.
- Personal data of individuals in the UK processed by Brand Atlas.
- Customers in those jurisdictions using Brand Atlas to process personal data of their own users.
2. Roles
- For customer data we process to provide the Service: Brand Atlas is the Controller.
- For Customer Content processed on behalf of customers: Brand Atlas is the Processor, with the customer as Controller.
3. Lawful bases
We rely on these lawful bases:
- Contract (Art. 6(1)(b)). Processing necessary to provide the Service to subscribed customers.
- Legitimate interest (Art. 6(1)(f)). Operating, securing, and improving the Service; analytics; defending against fraud and abuse.
- Legal obligation (Art. 6(1)(c)). Tax records, regulatory reporting, responding to lawful requests.
- Consent (Art. 6(1)(a)). Where required (specific cookies, marketing communications).
We do not ordinarily process special-category data; where customers upload such data as part of Customer Content, they are responsible for the lawful basis.
4. Data subject rights
Individuals in the EU/EEA and UK have the following rights, exercisable by writing to legal@brandatlas.pro:
- Access (Art. 15). A copy of personal data we hold.
- Rectification (Art. 16). Correction of inaccurate data.
- Erasure (Art. 17). Deletion, subject to retention requirements.
- Restriction (Art. 18). Restriction of processing.
- Portability (Art. 20). Receipt of data in a portable format.
- Object (Art. 21). Objection to processing based on legitimate interest.
- Not to be subject to automated decision-making (Art. 22). Brand Atlas does not make automated decisions producing legal effects on individuals.
We respond to requests within 30 days, with the possibility of a 60-day extension for complex requests.
5. International transfers
Personal data may be transferred outside the EEA or UK in the course of providing the Service. Transfer mechanisms used:
- EU Standard Contractual Clauses (Module 2: Controller to Processor) for transfers from the EEA.
- UK International Data Transfer Addendum (IDTA) for transfers from the UK.
The applicable clauses are incorporated into the DPA. We assess transfer destinations for adequate protection and supplement with additional measures (encryption, access controls) where the destination’s local law warrants.
6. EU representative (Article 27)
If processing thresholds require it (large-scale processing of EU residents from outside the EU), Brand Atlas appoints an EU representative under Article 27 of the GDPR. The current representative contact is:
- Name: (to be appointed)
- Email: (to be appointed)
If you are an EU data subject, you may contact the representative directly with rights requests.
7. UK representative
A UK representative is appointed under the UK GDPR where required:
- Name: (to be appointed)
- Email: (to be appointed)
8. Data Protection Officer
Brand Atlas does not currently meet the GDPR threshold for a mandatory DPO appointment. We maintain a privacy contact for all enquiries:
9. Records of processing
We maintain Article 30 records of processing activities. Records are made available to supervisory authorities on request.
10. Data Protection Impact Assessments
We conduct DPIAs for processing activities likely to result in high risk to individuals’ rights. We support customers in conducting their own DPIAs where they are Controllers of data processed by the Service.
11. Breach notification
Personal data breaches affecting customer data are notified to the customer within 72 hours of our becoming aware of the breach. Where the customer is the Controller, we provide the information needed for the customer to notify their supervisory authority and affected individuals. See Breach Notification.
12. Supervisory authority
EU/EEA individuals can lodge a complaint with their local data protection authority. UK individuals can complain to the Information Commissioner’s Office (ICO).
13. Changes
We update this Statement when material changes affect GDPR or UK GDPR compliance.
What changed
- 27 May 2026: Initial draft published for counsel review.