What the framework requires
Article 32 — security of processing
Controllers and processors must implement appropriate measures, taking into account the state of the art, the cost of implementation, and the nature, scope, context, and purposes of processing. The article specifically lists pseudonymisation, encryption, confidentiality, integrity, availability, resilience, the ability to restore data, and regular testing of the effectiveness of those measures.
Article 28 — processor relationships
Where the operator engages a security supplier as a processor, the relationship must be governed by a written contract or other legal act binding the processor to the controller, setting out subject matter, duration, nature and purpose of processing, type of personal data, categories of data subjects, and the obligations and rights of the controller.
CCTV, visitor logs, and screening
Each is processing of personal data with its own legitimate-interest balancing test, retention rule, and data-subject information requirement. Suppliers must understand which controller's processing they are operating under and adopt the controller's notice and retention rules.
How our services map to compliance
- Documented processor governance. Standard processor agreements, sub-processor lists, and incident-notification commitments aligned to Article 28 — produced as part of every engagement, not after the fact.
- CCTV and visitor-log handling. Security operations are designed around the controller's retention and notice regime — visitor-log fields, CCTV retention, and incident-record sharing all align to the controller's documented rules.
- Background investigations under GDPR. Pre-employment screening and due-diligence work are run under documented lawful bases, with data minimisation, retention rules, and data-subject communication that satisfy GDPR.
