The General Data Protection Regulation ("GDPR") sets out how organisations must handle the personal data of individuals in the European Union and, in its UK form, the United Kingdom. Although Jones Blacksmith is based in Canada, we act in accordance with the GDPR where we offer services to, or monitor, individuals in those regions. This page explains how we comply and how you can exercise your rights.
Template notice — replace before publishing. This page is a structural template. The legal entity name and registered address, whether you are required to appoint an EU/UK representative or a Data Protection Officer, your processor list, your transfer mechanisms, and your lead supervisory authority all need to be confirmed and reviewed by a qualified data protection lawyer before this page goes live.
Our commitment
As a business technology and cybersecurity provider, protecting personal data is fundamental to our work. We are committed to handling personal data lawfully, fairly, and transparently, and to building data protection into the way we design and deliver our services.
This page should be read together with our Privacy Policy, which describes in full what personal information we collect and how we use it, and our Cookie Notice.
Data controller
For personal data we collect through our website and in the course of our own business — such as enquiries and client relationships — Jones Blacksmith is the data controller. This means we determine why and how that personal data is processed.
When we deliver services to a client, we may instead act as a data processor on that client's behalf. In those cases, the client is the controller and our processing is governed by the data processing terms in the applicable Service Agreement.
The principles we follow
We process personal data in line with the core principles of the GDPR:
- Lawfulness, fairness, and transparency — we have a valid legal basis and are clear about what we do.
- Purpose limitation — we collect data for specified, legitimate purposes and do not use it in incompatible ways.
- Data minimisation — we collect only what we actually need.
- Accuracy — we take reasonable steps to keep data accurate and up to date.
- Storage limitation — we keep data only as long as necessary.
- Integrity and confidentiality — we protect data with appropriate security measures.
- Accountability — we maintain records and processes to demonstrate our compliance.
Lawful bases for processing
Under the GDPR we must have a lawful basis for every processing activity. Depending on the situation, we rely on:
| Lawful basis | Typical use |
|---|---|
| Consent | Marketing emails and non-essential cookies — freely given and withdrawable at any time. |
| Contract | Steps needed to provide a service you have requested or to perform a Service Agreement. |
| Legitimate interests | Responding to enquiries, securing our systems, and improving our services, where not overridden by your rights. |
| Legal obligation | Keeping records and meeting regulatory or tax requirements. |
Your rights under the GDPR
If you are in the EU or UK, you have the following rights over your personal data:
Exercising your rights
To exercise any of these rights, contact us using the details at the bottom of this page. We will respond within one month, as required by the GDPR. That period can be extended by up to two further months for complex or numerous requests, in which case we will let you know.
We do not charge a fee to handle a request unless it is manifestly unfounded or excessive. We may need to verify your identity before acting on a request, to protect your data.
Where we act as a processor for a client, we will direct your request to that client as the controller, or assist them in responding.
Processors & sub-processors
We use carefully selected third parties to help us operate — for example hosting, communications, and the technology partners through whom we deliver client solutions. Where these parties process personal data on our behalf, we put written data processing terms in place that require them to protect the data and act only on our instructions.
To confirm: maintain a current list of your processors and sub-processors, and decide whether to publish it here or make it available on request.
International data transfers
Because we are based in Canada and work with providers in other countries, personal data of EU and UK individuals may be transferred outside those regions. Where that happens, we rely on a valid transfer mechanism — such as an adequacy decision, the UK extension to it, or Standard Contractual Clauses with appropriate safeguards — so that your data remains protected to GDPR standards.
Security measures
We maintain appropriate technical and organisational measures to protect personal data, taking into account the risk involved. These include access controls, encryption in transit, network and endpoint protection, monitoring, staff training, and regular review of our security practices. As a cybersecurity provider, these measures are central to how we operate.
Data breach response
We maintain procedures to detect, investigate, and respond to personal data breaches. Where a breach is likely to result in a risk to individuals' rights and freedoms, we will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it. Where the risk is high, we will also inform the affected individuals.
When we act as a processor, we will notify the relevant client controller without undue delay after becoming aware of a breach.
Data protection contact
We have a point of contact responsible for overseeing data protection questions and handling requests. You can reach this contact using the details below.
To confirm: assess whether you are legally required to appoint a formal Data Protection Officer and/or an EU or UK representative under Articles 27 and 37 of the GDPR. If so, name them and their contact details here.
Complaints
We would always prefer the chance to resolve any concern directly, so please contact us first. However, you also have the right to lodge a complaint with a data protection supervisory authority — in the EU, the authority in your country of residence or work; in the UK, the Information Commissioner's Office. If you are in Canada, you may also contact the Office of the Privacy Commissioner of Canada.
Contact us
For any GDPR-related question or to make a request, please get in touch: