GDPR Compliance

How Prova protects your data under UK GDPR

Our Commitment to Data Protection

Prova is fully committed to complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. As a security vetting platform handling sensitive personal data, we take our data protection responsibilities extremely seriously.

This page explains how we comply with UK GDPR principles and how we protect your rights as a data subject.

Data Controller Information

Data Controller

Prova
Southampton, United Kingdom
Email: privacy@useprova.co.uk

We act as the Data Controller for personal information collected through our platform. In certain circumstances, we may also act as a Data Processor on behalf of employer clients.

The Six GDPR Principles

We process all personal data in accordance with the six principles of UK GDPR:

1. Lawfulness, Fairness and Transparency

We only process personal data where we have a lawful basis to do so. Our lawful bases include:

  • Consent — For DBS checks, credit reference checks, and contacting referees
  • Contract — To deliver our vetting services
  • Legal Obligation — To comply with BS7858 and employment law requirements
  • Legitimate Interests — For fraud prevention and service improvement
  • Substantial Public Interest — For processing criminal conviction data

We are transparent about our data practices through our Privacy Policy and clear consent mechanisms.

2. Purpose Limitation

Personal data is collected for specified, explicit and legitimate purposes — specifically, to conduct BS7858-compliant security vetting. We do not use your data for unrelated purposes such as marketing or profiling.

3. Data Minimisation

We only collect personal data that is necessary for vetting purposes. While BS7858 requires extensive information (5-year history, identity verification, etc.), we do not collect data beyond what is needed.

4. Accuracy

We take steps to ensure personal data is accurate and kept up to date:

  • Candidates can review and correct their information before submission
  • We verify information against official sources where possible
  • You can request corrections at any time

5. Storage Limitation

We retain personal data only for as long as necessary:

Data Type                 | Retention Period
Completed vetting records | Duration of employment + 7 years
Unsuccessful applications | 6 months
Consent records           | Lifetime of vetting record
Financial records         | 7 years (legal requirement)

6. Integrity and Confidentiality (Security)

We implement robust security measures to protect personal data:

  • Encryption in transit (TLS 1.3) and at rest (AES-256)
  • Secure cloud infrastructure (AWS) with UK/EU data residency
  • Access controls and authentication
  • Regular security testing and vulnerability assessments
  • Staff training on data protection
  • Incident response procedures

Your Rights Under UK GDPR

You have the following rights regarding your personal data:

Right of Access (Article 15)

Request a copy of all personal data we hold about you. We will respond within one month.

Right to Rectification (Article 16)

Request correction of inaccurate or incomplete personal data.

Right to Erasure (Article 17)

Request deletion of your personal data in certain circumstances. Note: legal retention requirements may apply.

Right to Restrict Processing (Article 18)

Request limitation of processing while we verify accuracy or assess objections.

Right to Data Portability (Article 20)

Receive your personal data in a structured, machine-readable format.

Right to Object (Article 21)

Object to processing based on legitimate interests or for direct marketing.

Right to Withdraw Consent

Withdraw consent at any time for processing based on consent. This does not affect prior processing.

How to Exercise Your Rights

To exercise any of your GDPR rights, please contact us:

  • Email: privacy@useprova.co.uk
  • Subject Line: "GDPR Request - [Your Name]"

We will:

  • Verify your identity before processing requests
  • Respond within one month (extendable by two months for complex requests)
  • Provide information free of charge (unless requests are manifestly unfounded or excessive)

Special Category Data

BS7858 vetting requires processing of special category data, specifically criminal conviction information. We process this data under:

  • Article 9(2)(g) — Substantial public interest
  • Schedule 1, Part 2 of the Data Protection Act 2018 — Preventing or detecting unlawful acts

Appropriate safeguards are in place, including encryption, access controls, and staff training.

International Transfers

Your personal data is primarily stored and processed within the United Kingdom and European Economic Area. Where we use service providers outside these regions, we ensure appropriate safeguards are in place, such as:

  • Standard Contractual Clauses (SCCs)
  • Adequacy decisions
  • Binding Corporate Rules

Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will:

  • Notify the Information Commissioner's Office (ICO) within 72 hours
  • Notify affected individuals without undue delay if there is a high risk
  • Document all breaches and remedial actions taken

Complaints

If you are unhappy with how we handle your personal data, you have the right to lodge a complaint with the supervisory authority:

Information Commissioner's Office (ICO)

Website: ico.org.uk
Helpline: 0303 123 1113

We encourage you to contact us first at privacy@useprova.co.uk so we can try to resolve your concerns directly.


© 2024 Prova. All rights reserved.