Find UK People® - Tracing Agents who find people in the UK

GDPR Statement

GDPR Compliance & Commitment Statement

Legal Disclaimer: Compliance with UK GDPR and Data Protection Legislation

Find UK People® / Pavilion Digital Marketing Ltd (the “Company”) is committed to protecting the rights and freedoms of individuals with respect to the processing of their personal data. We operate under the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and other applicable data protection laws. This statement sets out our commitments, safeguards, and responsibilities.


1. Our Role

  • Independent Data Controller: Where services are instructed directly by individual clients.

  • Data Processor: Where services are carried out on the documented instructions of professional clients (e.g. solicitors, regulated firms).

We are transparent about our role in each instruction and accept responsibility for meeting the relevant obligations.


2. Lawful Basis of Processing

Processing is carried out only where a lawful basis exists under Article 6 UK GDPR, including:

  • Legitimate interests (e.g. debt recovery, litigation, beneficiary tracing).

  • Contractual necessity (to deliver a requested tracing service).

  • Legal obligation (to comply with statutory duties).

  • Consent (where required, e.g. family reconnection letters).

We will not act on instructions lacking a lawful basis or where the outcome could support harassment, stalking, or unlawful activity.

Article 14 notices. Where we obtain data from sources other than the individual, we provide an Article 14 privacy notice where proportionate and where doing so would not prejudice legal rights or the purpose of processing (e.g., debt recovery, enforcement). We may rely on the Data Protection Act 2018 Schedule 2 exemptions where appropriate. Individuals can contact us at [email] to exercise their UK GDPR rights (access, rectification, objection, restriction, erasure where lawful, and portability where applicable).


3. Technical & Organisational Safeguards

We implement appropriate measures to protect confidentiality, integrity, and availability of personal data:

  • Encryption: SSL/TLS encryption up to 256-bit and encrypted storage of personal data.

  • Access controls: Password-protected access, restricted to authorised staff and vetted partners.

  • Proportionality: Only information necessary for a trace is accessed and processed.

  • Audit & monitoring: Annual audits of governance, systems, and data handling.

  • Governance: Policies cover change management, data backups, redundancy, and incident response.

  • Training: Staff receive ongoing data protection and compliance training.


4. Third-Party Partners

  • Data may be shared with authorised investigation partners (e.g. credit reference agencies such as Experian, Equifax, or TransUnion) solely to complete the instructed trace.

  • All partners are vetted, ICO-registered, and contractually bound to handle data securely.

  • Data is never sold or transferred for unrelated purposes.


5. International Transfers

  • Where data is transferred outside the UK, this is done under approved mechanisms:

    • UK International Data Transfer Agreement (IDTA).

    • UK Addendum to EU Standard Contractual Clauses.

    • Adequacy decisions under UK law (e.g. the UK-US Data Bridge).

  • We do not rely on the invalidated EU-US Privacy Shield.


6. Data Retention

  • Data is retained only for as long as necessary and proportionate to the purpose.

  • Standard retention: up to six years (aligned to legal limitation periods).

  • Certain limited records may be retained longer to prevent misuse, maintain suppression lists, or comply with legal obligations.

  • Data is securely deleted or anonymised when no longer required.


7. Data Subject Rights

We respect and support the rights of individuals under UK GDPR, including:

  • Access to their data.

  • Rectification of inaccuracies.

  • Erasure (where lawful).

  • Restriction or objection to processing.

  • Portability (where applicable).

We will respond to valid requests within statutory timeframes, subject to lawful exemptions (e.g. DPA 2018 Schedule 2 exemptions where notification may prejudice legal rights).


8. Data Protection Impact Assessments (DPIAs)

Where high-risk or novel processing activities are introduced, the Company conducts DPIAs to evaluate risks and implement mitigations.


9. Client Responsibilities

  • Clients remain responsible for ensuring they have a lawful basis to instruct a trace.

  • Professional clients act as data controllers and must ensure their own GDPR compliance.

  • Individual clients confirm that they and the subject of the search are over 18 and that no legal restrictions prevent the instruction.


10. Marketing & Communications

  • Marketing communications are only sent where we have obtained valid consent or a lawful basis (e.g. soft opt-in for existing customers).

  • All marketing is double opt-in, and recipients may unsubscribe at any time.

  • Service communications (e.g. order updates, trace results) are essential and delivered to the provided email.


11. Disclaimer

This statement sets out the Company’s approach to compliance with UK GDPR and related laws. It does not constitute legal advice. Clients are encouraged to seek independent legal advice to ensure they meet their own obligations as data controllers.

By instructing the Company, clients confirm they have a valid lawful basis for the request and accept their own responsibilities under data protection law.

This statement is governed by the laws of the United Kingdom and reflects data protection requirements in effect as of 2025.