Personal data is processed only where necessary for contracts, legal obligations, or legitimate interests, with appropriate transparency and retention limits.
Access controls, training, and breach procedures support compliance with UK GDPR and the Data Protection Act.