GDPR Compliance

How NextIn complies with the General Data Protection Regulation (GDPR) and protects your data rights.

Last Updated: March 10, 2025

1. Overview

At NextIn Limited, we are committed to ensuring that all personal data processing activities carried out by our organization comply with the General Data Protection Regulation (GDPR) and the UK GDPR. This document outlines our approach to GDPR compliance and how we uphold the data protection rights of our users.

As a UK-registered company with users in both the UK and US, we recognize our obligation to comply with applicable data protection laws and regulations. This document focuses specifically on our GDPR compliance measures and should be read alongside our Privacy Policy.

For the purposes of the UK GDPR, NextIn Limited (company number 12149869) is the data controller responsible for your personal data.

2. Data Protection Principles

NextIn adheres to the six key principles outlined in Article 5 of the GDPR when processing personal data:

2.1 Lawfulness, Fairness, and Transparency

We process personal data lawfully, fairly, and in a transparent manner. We provide clear information about our data collection and processing activities in our Privacy Policy and other communications.

2.2 Purpose Limitation

We collect personal data for specified, explicit, and legitimate purposes and do not process it in a manner incompatible with those purposes. We clearly communicate the purposes for which we collect data at the time of collection.

2.3 Data Minimization

We ensure that personal data we collect is adequate, relevant, and limited to what is necessary for the purposes for which it is processed. We regularly review the data we hold to ensure we're not collecting unnecessary information.

2.4 Accuracy

We take reasonable steps to ensure that personal data is accurate and, where necessary, kept up to date. We have processes in place to correct or erase inaccurate data without delay when notified by users.

2.5 Storage Limitation

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected. We have established data retention periods and regularly review and delete data that is no longer needed.

2.6 Integrity and Confidentiality

We process personal data in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage. We use technical and organizational measures to ensure data security.

3. Lawful Basis for Processing

Under the GDPR, we must have a valid lawful basis for processing personal data. Depending on the specific processing activity, we rely on one or more of the following lawful bases:

3.1 Consent

Where required by law, we obtain specific, informed, and unambiguous consent from individuals for certain processing activities. This includes:

  • Processing of certain types of sensitive personal data
  • Sending marketing communications (where not covered by legitimate interests)
  • Sharing candidate profiles with potential employers
  • Using cookies and similar tracking technologies (except for strictly necessary cookies)

We ensure that consent is:

  • Freely given, specific, informed, and unambiguous
  • Provided through a clear affirmative action
  • As easy to withdraw as it is to give
  • Documented and verifiable

3.2 Contract

We process personal data where necessary for the performance of a contract to which the data subject is a party, or to take steps at the request of the data subject prior to entering into a contract. This includes:

  • Creating and managing user accounts
  • Providing our recruitment platform services to candidates
  • Providing services to employers as per contractual terms
  • Processing payments and subscriptions

3.3 Legal Obligation

We process personal data where necessary to comply with our legal obligations, including:

  • Tax and financial reporting requirements
  • Compliance with employment and anti-discrimination laws
  • Responding to valid legal requests from law enforcement or regulatory authorities
  • Maintaining business records as required by law

3.4 Legitimate Interests

We process personal data where necessary for our legitimate interests or those of a third party, provided those interests are not overridden by the data subject's interests, rights, or freedoms. Examples include:

  • Improving and personalizing our services
  • Ensuring the security of our platform and detecting fraud
  • Marketing our services to existing customers or business contacts
  • Analyzing usage of our platform to enhance user experience

For each processing activity based on legitimate interests, we conduct a legitimate interests assessment (LIA) to ensure that the individual's rights do not override our interests.

We maintain a Record of Processing Activities (RoPA) documenting the lawful basis for each processing activity, as required by Article 30 of the GDPR.

4. Individual Rights

NextIn respects and upholds the rights of individuals under the GDPR. We have implemented procedures to ensure that these rights can be exercised effectively and within the required timeframes.

4.1 Right to Be Informed

We provide clear, transparent information about our data collection and processing activities through our Privacy Policy and other communications. We ensure that privacy information is:

  • Concise, transparent, intelligible, and easily accessible
  • Written in clear and plain language
  • Provided free of charge
  • Updated regularly to reflect any changes in our processing activities

4.2 Right of Access

Individuals have the right to access their personal data and obtain confirmation that we are processing it. Upon request, we provide:

  • Confirmation that we are processing their personal data
  • A copy of their personal data
  • Information about the processing, including the purposes, categories of data, recipients, retention periods, and information about their rights

4.3 Right to Rectification

Individuals have the right to have inaccurate personal data rectified or completed if it is incomplete. We respond to rectification requests within one month (which can be extended by two months where necessary).

4.4 Right to Erasure (Right to Be Forgotten)

Individuals have the right to request the deletion of their personal data in certain circumstances, including when:

  • The data is no longer necessary for the purpose it was collected
  • They withdraw consent (and there is no other legal basis for processing)
  • They object to the processing and there are no overriding legitimate grounds
  • The data has been unlawfully processed

4.5 Right to Restriction of Processing

Individuals have the right to request that we restrict the processing of their personal data in certain circumstances, including:

  • When they contest the accuracy of the data
  • When the processing is unlawful and they oppose erasure
  • When we no longer need the data but they require it for legal claims
  • When they have objected to processing pending verification of legitimate grounds

4.6 Right to Data Portability

Individuals have the right to receive their personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller without hindrance. This right applies when:

  • The processing is based on consent or contract
  • The processing is carried out by automated means

4.7 Right to Object

Individuals have the right to object to:

  • Processing based on legitimate interests or the performance of a task in the public interest
  • Direct marketing (including profiling)
  • Processing for scientific/historical research and statistics

4.8 Rights Related to Automated Decision Making and Profiling

Individuals have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects them. When we use automated decision-making:

  • We ensure it is necessary for entering into or performing a contract
  • We obtain explicit consent where required
  • We implement suitable safeguards
  • We offer a way to request human intervention or challenge a decision

To exercise any of these rights, individuals can contact us at privacy@nextin.com or via the contact details provided at the end of this document. We will respond to all requests within one month, with a possible extension of up to two additional months for complex requests.

5. International Data Transfers

As a UK-registered company with users in both the UK and US, we sometimes need to transfer personal data outside the UK and European Economic Area (EEA). We ensure all such transfers comply with GDPR requirements.

5.1 Adequacy Decisions

Whenever possible, we transfer data to countries that have been granted adequacy decisions by the UK or European Commission, recognizing that they provide adequate protection for personal data.

5.2 Appropriate Safeguards

For transfers to countries without adequacy decisions, including the United States, we implement appropriate safeguards, such as:

  • Standard Contractual Clauses (SCCs) approved by the UK or European Commission
  • Binding Corporate Rules (BCRs) where applicable
  • Codes of conduct or certification mechanisms

5.3 Risk Assessments

Following the Schrems II decision, we conduct risk assessments for international data transfers to ensure that the recipient country provides a level of protection essentially equivalent to that guaranteed within the UK and EU. These assessments consider:

  • The nature of the personal data being transferred
  • The laws and practices of the recipient country
  • The additional safeguards implemented
  • The potential risks to data subjects' rights

5.4 Supplementary Measures

Where our assessment identifies risks, we implement supplementary measures to enhance data protection, such as:

  • Strong encryption with keys retained within the UK/EEA
  • Pseudonymization of data where feasible
  • Contractual commitments from recipients regarding access requests
  • Technical measures to prevent unauthorized access

We regularly review our international transfer mechanisms to ensure continued compliance with evolving requirements under UK and EU data protection laws. For more information about our specific transfer mechanisms, please contact our Data Protection Officer.

6. Data Protection Measures

NextIn implements comprehensive technical and organizational measures to ensure a level of security appropriate to the risk involved in processing personal data. We follow the principle of data protection by design and by default.

6.1 Technical Measures

Our technical security measures include:

  • Encryption of personal data in transit and at rest
  • Strong access controls and multi-factor authentication
  • Regular security testing, including penetration testing and vulnerability assessments
  • Secure development practices and code reviews
  • Comprehensive logging and monitoring systems
  • Regular system updates and patch management
  • Backup systems and disaster recovery procedures

6.2 Organizational Measures

Our organizational security measures include:

  • Data protection training for all staff members
  • Detailed information security policies and procedures
  • Access controls based on the principle of least privilege
  • Confidentiality agreements with employees and contractors
  • Vendor assessment procedures for third-party service providers
  • Regular audits and compliance checks
  • Clear incident response procedures

6.3 Data Protection by Design and Default

We integrate data protection into our processing activities and business practices, from the design stage throughout the lifecycle. This includes:

  • Conducting Data Protection Impact Assessments (DPIAs) for high-risk processing
  • Minimizing data collection to what is strictly necessary
  • Implementing privacy-enhancing technologies
  • Setting strict data retention periods
  • Ensuring that by default, only personal data necessary for each specific purpose is processed

Protection Measure | Implementation Details                                                              | Review Frequency
Access Control     | Role-based access controls, principle of least privilege, regular access reviews     | Quarterly
Encryption         | TLS 1.2+ for data in transit, AES-256 for data at rest                               | Annual review of protocols
Security Testing   | Penetration testing, vulnerability scanning, code reviews                            | Bi-annual
Staff Training     | Mandatory data protection and security awareness training                            | Annual with quarterly updates
Vendor Management  | Due diligence, contractual safeguards, regular audits                                | Annual reviews

7. Data Protection Impact Assessments

We conduct Data Protection Impact Assessments (DPIAs) when processing is likely to result in a high risk to the rights and freedoms of individuals, in accordance with Article 35 of the GDPR.

7.1 When We Conduct DPIAs

We conduct DPIAs in the following circumstances:

  • Prior to implementing new technologies with potential privacy impacts
  • When processing involves systematic and extensive profiling or automated decision-making
  • When processing special categories of data on a large scale
  • When monitoring publicly accessible areas on a large scale
  • For any other processing activities identified as high risk

7.2 DPIA Process

Our DPIA process includes the following steps:

  • Identifying the need for a DPIA and consulting with our DPO
  • Describing the processing operations and purposes
  • Assessing the necessity and proportionality of the processing
  • Identifying and assessing risks to individuals
  • Identifying measures to mitigate those risks
  • Consulting with relevant stakeholders, including data subjects where appropriate
  • Implementing recommendations and documenting outcomes
  • Consulting with the supervisory authority when risks cannot be sufficiently mitigated

7.3 Ongoing Review

We regularly review and update our DPIAs when there is a change in the risk of processing activities. This ensures that our data protection measures remain appropriate and effective over time.

To date, we have conducted DPIAs for several key processing activities, including our talent matching algorithms, international data transfers, and the processing of special category data for diversity monitoring purposes.

8. Data Breach Procedures

NextIn has implemented comprehensive procedures to detect, report, and investigate personal data breaches in accordance with Articles 33 and 34 of the GDPR.

8.1 Breach Detection and Internal Reporting

We have systems in place to detect potential data breaches, including:

  • Security monitoring and alerting systems
  • Regular log reviews and audit trails
  • Clear internal reporting channels for staff to report suspected breaches
  • Employee training on recognizing and reporting security incidents

8.2 Breach Assessment

When a potential breach is detected, our response team:

  • Confirms whether a breach has occurred
  • Identifies the nature and extent of the breach
  • Assesses the categories and approximate number of data subjects affected
  • Evaluates the categories and approximate volume of records concerned
  • Assesses the likely consequences and risks to individuals
  • Determines whether the breach is notifiable to authorities and/or individuals

8.3 Notification to Authorities

Where a breach is likely to result in a risk to individuals' rights and freedoms, we will notify the relevant supervisory authority (the UK Information Commissioner's Office) without undue delay and within 72 hours of becoming aware of the breach. Our notification includes:

  • A description of the nature of the breach
  • The contact details of our Data Protection Officer
  • The likely consequences of the breach
  • Measures taken or proposed to address the breach and mitigate potential adverse effects

8.4 Notification to Affected Individuals

Where a breach is likely to result in a high risk to individuals' rights and freedoms, we will notify the affected individuals without undue delay. We communicate in clear, plain language:

  • The nature of the breach
  • The name and contact details of our Data Protection Officer
  • The likely consequences of the breach
  • Measures taken or proposed to address the breach and mitigate potential adverse effects
  • Recommendations for individuals to protect themselves

8.5 Documentation

We document all breaches, including:

  • The facts surrounding the breach
  • The effects of the breach
  • Remedial action taken
  • The reasoning behind decisions made (especially if a breach was not reported)

Our breach response procedures are regularly tested and updated to ensure effective and timely response to potential data breaches. All staff members receive training on these procedures as part of our data protection program.

9. Data Protection Officer

NextIn has appointed a Data Protection Officer (DPO) to oversee our compliance with data protection laws and serve as a point of contact for data subjects and supervisory authorities.

9.1 Role and Responsibilities

Our DPO's responsibilities include:

  • Informing and advising the organization and employees about their obligations under data protection laws
  • Monitoring compliance with the GDPR and other data protection laws
  • Advising on Data Protection Impact Assessments
  • Cooperating with supervisory authorities
  • Acting as a contact point for supervisory authorities on issues related to processing
  • Handling data subject requests and inquiries
  • Training staff involved in data processing operations

9.2 Independence

Our DPO operates independently within the organization and:

  • Reports directly to the highest level of management
  • Is not instructed on how to perform their tasks
  • Is not penalized or dismissed for performing their duties
  • Is provided with necessary resources to carry out their tasks
  • Has no conflicts of interest with other duties

9.3 Contact Information

Data subjects can contact our DPO with any questions or concerns about how we process their personal data or to exercise their data protection rights:

Data Protection Officer

Name: Ryan Saunders
Postal Address: Data Protection Officer, NextIn Limited, London, United Kingdom
Telephone: XXXXXXXXXXXX

10. US Customers and GDPR

As a UK-registered company serving customers in both the UK and US, we recognize the importance of addressing the specific considerations related to US customers and GDPR compliance.

10.1 Application of GDPR to US Customers

The GDPR may apply to our processing of US customers' personal data in the following scenarios:

  • When we offer services to US customers from our UK establishment
  • When we monitor the behavior of US individuals that takes place within the UK or EU
  • When we process US customers' data within the UK or EU

10.2 GDPR Rights for US Customers

US customers whose data is subject to GDPR have the same rights as UK and EU customers, including:

  • The right to be informed about how their data is used
  • The right to access their personal data
  • The right to rectification of inaccurate data
  • The right to erasure in certain circumstances
  • The right to restrict processing in certain circumstances
  • The right to data portability for data processed on the basis of consent or contract
  • The right to object to certain processing activities
  • Rights related to automated decision making and profiling

10.3 US Data Protection Laws

In addition to GDPR compliance, we also respect applicable US data protection laws, such as:

  • The California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
  • The Virginia Consumer Data Protection Act (VCDPA)
  • The Colorado Privacy Act (CPA)
  • Other state-specific privacy laws as applicable

10.4 UK-US Data Transfers

For personal data transfers between the UK and US, we implement appropriate safeguards as described in the International Data Transfers section, including:

  • Standard Contractual Clauses with supplementary measures
  • Risk assessments for each transfer scenario
  • Data minimization and encryption for transferred data
  • Contractual commitments from US recipients regarding government access requests

We continuously monitor developments in international data transfer regulations, including any new frameworks or agreements between the UK and US, to ensure ongoing compliance with evolving requirements.

11. Accountability

NextIn takes its accountability obligations under the GDPR seriously. We have implemented measures to demonstrate our compliance with data protection principles.

11.1 Documentation

We maintain comprehensive documentation of our data processing activities, including:

  • Records of Processing Activities (RoPA) as required by Article 30 of the GDPR
  • Data Protection Impact Assessments (DPIAs)
  • Privacy policies and notices
  • Consent records
  • Data breach records
  • Data subject request records
  • Staff training records
  • Data processor agreements

11.2 Data Protection Governance

We have established a data protection governance structure that includes:

  • A designated Data Protection Officer
  • Clear allocation of data protection responsibilities within the organization
  • Regular reporting to senior management on data protection matters
  • Integration of data protection considerations into risk management processes
  • Regular internal audits and compliance checks

11.3 Staff Training and Awareness

We ensure that all staff members who handle personal data receive appropriate training and guidance:

  • Mandatory data protection training for all new employees
  • Regular refresher training for existing staff
  • Role-specific training for staff with key data protection responsibilities
  • Awareness communications and updates on data protection matters
  • Clear guidelines and procedures for handling personal data

11.4 Continuous Improvement

We regularly review and update our data protection program to ensure it remains effective:

  • Regular reviews of policies and procedures
  • Monitoring of regulatory developments and guidance
  • Incorporating lessons learned from incidents and near misses
  • Seeking feedback from data subjects and stakeholders
  • Benchmarking against industry best practices

We view GDPR compliance not as a one-time project but as an ongoing commitment to protecting the privacy and rights of our users. We continuously strive to improve our practices and maintain the highest standards of data protection.

12. Contact Information

If you have any questions, concerns, or requests regarding this GDPR Compliance Statement or our data protection practices, please do not hesitate to contact us:

Contact Information

Company Name: NextIn Limited
Registered Address: London, United Kingdom
Company Number: 12345678
General Inquiries: ryan@nextinglobal.com
Data Protection Officer: ryan@nextinglobal.com
Telephone: XXXXXXXXXXXX

For UK residents: You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (https://ico.org.uk). However, we would appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance.

For US residents: While the GDPR may apply to the processing of your personal data by NextIn, you may also have rights under US privacy laws. Please refer to our Privacy Policy for more information on your rights under US law.