OSCABE LTD is committed to compliance with the UK General Data Protection Regulation, the Data Protection Act 2018, the EU General Data Protection Regulation 2016/679, the Privacy and Electronic Communications Regulations 2003 (PECR) as amended by the Data (Use and Access) Act 2025, and equivalent laws in the EEA jurisdictions we operate in.
This statement summarises our compliance programme. For the full detail see our Privacy Policy, Data Processing Agreement, Cookie Policy and Data Retention Schedule.
1. Roles
- Controller - OSCABE LTD is the controller of personal data we collect for our own purposes (account management, billing, marketing, security).
- Processor - OSCABE LTD is the processor when a Client uses the Platform to process personal data belonging to their own customers, leads or staff. The terms in our DPA apply.
2. Data Protection Lead
We are not required to appoint a statutory Data Protection Officer (Art 37 UK GDPR) but have designated a Data Protection Lead (currently the CEO) reachable at info@oscabe.com.
3. Lawful bases at a glance
We document a lawful basis for every processing activity in our Record of Processing Activities (Art 30). The most common bases are:
- Contract - running your account, matching, invoicing.
- Legal obligation - tax, anti-fraud, regulatory.
- Legitimate interests - fraud prevention, security, CE verification quality. We have completed a Legitimate Interests Assessment for each.
- Consent - marketing email, non-essential cookies, voluntary special-category disclosures.
4. Data subject rights and how to exercise them
Under Arts 15-22 UK/EU GDPR you can:
- Ask for a copy of your data (Subject Access Request)
- Correct inaccurate data
- Have your data erased
- Restrict processing
- Receive your data in a portable format
- Object to processing carried out under legitimate interests
- Withdraw consent at any time
- Refuse a solely-automated decision (where Art 22 applies)
Send your request to info@oscabe.com. We respond within one calendar month and free of charge unless your request is manifestly unfounded or excessive. Engineers and Clients can also use the "Download my data" and "Request deletion" buttons inside their profile.
Engineers can also see the AI matching explanation for any AI shortlist on which they appeared by emailing the same address. We will identify the influential factors used by the matcher and offer human review of the outcome.
5. International transfers
We use the UK ICO's International Data Transfer Agreement (IDTA) and EU Standard Contractual Clauses where personal data flows to engineers and service providers in India, the UAE and other non-adequate jurisdictions. Every transfer is preceded by a Transfer Risk Assessment ("TRA") in line with the ICO's January 2026 guidance and the 5 February 2026 "not materially lower" standard.
Neither India nor the UAE currently has UK adequacy. The UK Government withdrew its published "priority destinations" framing in April 2025, and no adequacy regulation is in force for India, the UAE or the Dubai International Financial Centre as of mid-2026. We therefore treat both India and the UAE as restricted-transfer destinations and rely on the safeguards above. India's Digital Personal Data Protection Act 2023 (with the DPDP Rules 2025) will add further cross-border conditions when its transfer provisions commence; we monitor that timeline. If the UK later adopts an adequacy decision for either jurisdiction, we will rely on it and update this section.
6. Breach notification
We will notify the ICO of any notifiable personal data breach within 72 hours of becoming aware of it. Where the breach is likely to result in a high risk to your rights and freedoms we will also notify you without undue delay. See our Breach Notification Policy.
7. Records and DPIAs
We maintain a Record of Processing Activities (RoPA) as required by Art 30. We carry out a Data Protection Impact Assessment (DPIA) before any material new processing that is likely to be high risk, including any future change to our AI matching that would move it within Article 22 scope.
8. Training and culture
All OSCABE staff complete annual data-protection and information-security training. We run a quarterly review of access permissions and a yearly tabletop breach exercise.
9. Children
OSCABE is a business platform. We do not knowingly collect personal data of children under 18.
10. Complaints
If you are unhappy with how we have handled your data, please contact us first at info@oscabe.com so we can put things right. You also have the right to lodge a complaint with:
- UK ICO - ico.org.uk/make-a-complaint
- The Data Protection Authority of your country of residence in the EEA - full list at edpb.europa.eu