UK GDPR Addendum

Who this applies to

This addendum applies to customers and users located in the United Kingdom. It explains how UK data protection law applies to your use of DashboardFox, and where the UK position differs from the EU GDPR position described in our main Privacy Policy and Data Processing Agreement.

If you are an EU-based customer, the EU GDPR applies to you — this addendum does not. If you operate across both the EU and the UK, both frameworks may apply and this addendum should be read alongside the main DPA.

Applicable law

For UK customers, the applicable data protection framework is the UK GDPR — the General Data Protection Regulation as retained and amended in UK law by the European Union (Withdrawal) Act 2018 — together with the Data Protection Act 2018. The UK GDPR is substantively similar to the EU GDPR, with some differences in transfer mechanisms and supervisory authority.

Data Processing Agreement — UK Annex

Our Data Processing Agreement governs the processing of personal data on your behalf as a data processor. The DPA includes Annex A, which supplements the DPA for UK customers and incorporates the UK International Data Transfer Addendum (IDTA) issued by the ICO where applicable.

UK customers who require a countersigned DPA for procurement or compliance purposes should contact team@dashboardfox.com. The web version of the DPA at /legal/dpa/ is the authoritative version.

International data transfers

Where personal data is transferred from the UK to a country without a UK adequacy decision, we rely on the UK International Data Transfer Addendum (IDTA) — the mechanism approved by the ICO for UK-to-third-country transfers — as the transfer mechanism. This applies to the same sub-processors identified in our Sub-processor Registry that require a transfer mechanism for EU transfers.

The IDTA is incorporated as Annex A to our Data Processing Agreement and supplements the Standard Contractual Clauses used for EU transfers.

Supervisory authority

For UK customers, the relevant supervisory authority is the Information Commissioner's Office (ICO). You have the right to lodge a complaint with the ICO if you believe your personal data has been processed in breach of the UK GDPR.

Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
ico.org.uk — 0303 123 1113

UK representative

5000fish, Inc. is a US-based company with no establishment in the UK. Under Article 27 of the UK GDPR, controllers established outside the UK that are subject to the UK GDPR must designate a UK representative in certain circumstances. We are in the process of evaluating this requirement as our UK customer base grows.

In the meantime, all UK data protection inquiries, data subject requests, and correspondence should be directed to our privacy contact:

Your rights under UK GDPR

Your rights as a UK data subject are substantively identical to those available under the EU GDPR. These include the rights of access, rectification, erasure, restriction, portability, and objection — as well as the right to withdraw consent where processing is based on consent. These rights are described in full in the Your Rights section of our Privacy Policy.

To submit a data subject request, email team@dashboardfox.com or use the self-service options available in the management portal. We will respond within 30 days, with a possible extension of a further two months for complex requests.

What's the same as EU GDPR

The following aspects of our data protection approach apply equally to EU and UK customers with no material difference:

• The personal data we collect and how we use it — see Privacy Policy
• Legal bases for processing (contract, legitimate interests, legal obligation, consent)
• Data retention periods — see Data Retention Policy
• Sub-processor commitments and the 30-day advance notification requirement for sub-processor changes
• Breach notification timelines (72 hours to you; 60 days for HIPAA-covered entities)
• Your ability to request a countersigned DPA
• Data subject request response timeframes (30 days)