Pre-Engagement Resources

Data Processor Statement

Coaley Peak's formal statement of its role and obligations as a data processor under UK GDPR, EU GDPR, and applicable US state privacy laws. Prepared for legal, compliance, and procurement review.

Notice

This statement is a summary for due-diligence purposes. It does not constitute legal advice and does not supersede the Data Processing Agreement (DPA), which governs the specific processing relationship with each client. © Coaley Peak Ltd 2026.


Coaley Peak's Role in Data Processing

Data Processor

Coaley Peak Ltd acts as a data processor within the meaning of:

  • Article 4(8) UK GDPR
  • Article 4(8) EU GDPR (Regulation (EU) 2016/679)
  • California Civil Code § 1798.140(ag) (as a “Service Provider” under CCPA/CPRA)
  • The equivalent “processor” definition under Virginia CDPA (§ 59.1-571), Colorado CPA (§ 6-1-1303), Connecticut CTDPA (§ 42-515a), and other applicable US state privacy laws

Data Controller

The client organisation engaging Coaley Peak is the data controller within the meaning of:

  • Article 4(7) UK GDPR / EU GDPR
  • The “business” or “controller” under applicable US privacy laws

The client, as data controller, retains primary legal responsibility for: (a) establishing and maintaining a lawful basis for processing; (b) ensuring data subjects have been appropriately informed; (c) responding to data subject rights requests; and (d) compliance with all privacy laws applicable in the client's jurisdiction.

Coaley Peak's obligations, liabilities, and responsibilities as a processor are defined and limited by this statement and the executed DPA. Coaley Peak does not assume the obligations of a data controller unless expressly agreed in writing.

UK GDPR: Article 28 Processor Obligations

Under Article 28 UK GDPR, Coaley Peak provides sufficient guarantees to implement appropriate technical and organisational measures, such that processing meets UK GDPR requirements and protects data subject rights.

1. Processing on instructions only

Coaley Peak processes personal data only on documented instructions from the controller. Instructions must be provided in the DPA or in subsequent written communications. Where Coaley Peak is required by UK law to process data other than on such instructions, it will inform the controller before processing, unless prohibited by law.

2. Confidentiality

All Coaley Peak personnel authorised to process personal data are subject to a contractual or statutory duty of confidentiality.

3. Security

Coaley Peak implements technical and organisational measures appropriate to the risk (Article 32 UK GDPR), including ISO 27001:2022-certified information security controls, AES-256 encryption at rest, TLS 1.2+ in transit, multi-factor authentication, and role-based access control.

4. Sub-processors

Coaley Peak does not engage a sub-processor without prior written authorisation from the controller, either specific or general. Where general authorisation is granted, Coaley Peak will inform the controller of any changes to sub-processors with a minimum of 30 days’ notice, giving the controller the opportunity to object. The same data protection obligations are imposed on each sub-processor by contract.

5. Data subject rights assistance

Coaley Peak will assist the controller in responding to data subject rights requests (access, rectification, erasure, restriction, portability, objection) within the timeframes required by UK GDPR, by providing such information and taking such steps as are reasonably within its control. Responsibility for the substantive response to data subject rights requests rests with the controller.

6. Deletion or return

On termination of the engagement, Coaley Peak will, at the controller’s election, delete or return all personal data and delete existing copies, unless UK law requires continued storage. A deletion certificate is provided on request.

7. Audit and cooperation

Coaley Peak will make available to the controller all information reasonably necessary to demonstrate compliance with Article 28 obligations, and will allow for and contribute to audits and inspections conducted by the controller or a mandated auditor, subject to reasonable prior notice and confidentiality obligations.

8. ICO cooperation

Coaley Peak will cooperate with the Information Commissioner’s Office as required under Article 31 UK GDPR.

Limitation of liability

Coaley Peak's liability as data processor is limited to breaches of its own obligations under Article 28 and this statement. Coaley Peak is not liable for any non-compliance arising from the controller's failure to establish a lawful basis for processing, the controller's instructions, pre-existing data quality issues, or any processing carried out outside the agreed scope. The controller indemnifies Coaley Peak against claims, penalties, or losses arising from the controller's own compliance failures.

EU GDPR and International Data Transfers

EU GDPR applicability

Where the client organisation is established in the EU, or where processing relates to data subjects in the EU, EU GDPR (Regulation (EU) 2016/679) applies in addition to or in place of UK GDPR. Coaley Peak's obligations under EU GDPR are substantially equivalent to those described under "UK GDPR: Article 28 Processor Obligations" above, subject to enforcement by the relevant EU supervisory authority.

UK→EU and EU→UK transfers

The European Commission has adopted adequacy decisions for the UK under Article 45 EU GDPR, and the UK recognises EEA states as adequate under UK GDPR, so personal data may flow between the UK and the EEA without additional transfer mechanisms in most circumstances. Where additional safeguards are required, Coaley Peak will rely on the EU Standard Contractual Clauses (SCCs) approved by the European Commission (Commission Implementing Decision (EU) 2021/914).

UK→Third Country transfers

For transfers of personal data from the UK to countries not covered by UK adequacy regulations, Coaley Peak relies on the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, as appropriate, in each case issued by the Information Commissioner under section 119A of the Data Protection Act 2018 as a transfer safeguard under Article 46 UK GDPR. No personal data is transferred to the United States or any other third country without an appropriate transfer mechanism in place. Specific transfer arrangements are confirmed in the DPA.

United States Privacy Laws

Coaley Peak provides services to clients in the United States and processes personal information of US residents only as a data processor or service provider acting on the client's documented instructions. The following sets out Coaley Peak's position under applicable US privacy laws.

1. CCPA/CPRA (California)

Under the California Consumer Privacy Act (Cal. Civil Code § 1798.100 et seq.) as amended by the California Privacy Rights Act, Coaley Peak acts as a Service Provider (§ 1798.140(ag)). Coaley Peak: (a) does not “sell” or “share” personal information within the meaning of the CCPA/CPRA; (b) retains, uses, and discloses personal information solely for the specified business purpose of providing services to the client; (c) does not retain, use, or disclose personal information outside the direct business relationship with the client; and (d) certifies that it understands and will comply with these restrictions. The client, as the “Business”, is responsible for providing required notices to California consumers and for any obligations arising from the client's role as Business under CCPA/CPRA.

2. US State Privacy Laws

Coaley Peak's processor obligations under the following laws are substantially equivalent to those described in this statement: Virginia Consumer Data Protection Act (CDPA, Va. Code § 59.1-571 et seq.); Colorado Privacy Act (CPA, C.R.S. § 6-1-1301 et seq.); Connecticut Data Privacy Act (CTDPA, Conn. Gen. Stat. § 42-515a et seq.); Oregon Consumer Privacy Act (OCPA); Montana Consumer Data Privacy Act (MCDPA); and other applicable US state privacy laws. In each case, the client is the “controller” or “business” bearing primary compliance responsibility.

3. Data Sale prohibition

Coaley Peak does not sell, rent, or transfer personal information to third parties for monetary or other valuable consideration for the third party’s own commercial purposes.

4. No cross-context behavioural advertising

Coaley Peak does not use personal information processed on behalf of clients for cross-context behavioural advertising.

5. US transfer safeguards

Where personal data of US residents is processed by Coaley Peak on behalf of clients, it is processed within the UK or EEA, subject to ISO 27001-certified controls. Any onward transfer outside the UK or EEA requires the application of appropriate safeguards as set out under "EU GDPR and International Data Transfers" above.

Client responsibility

Coaley Peak makes no representation that its services or this statement render the client compliant with US federal or state privacy laws. The client, as controller/business, is solely responsible for assessing its own compliance obligations, obtaining legal advice as appropriate, and ensuring that its instructions to Coaley Peak are lawful under applicable law.

Controller Obligations

The following obligations rest with the client as data controller and are a condition of engaging Coaley Peak as processor. Coaley Peak relies on the controller having met these obligations before providing its services.

  • Lawful basis: The controller must identify and maintain a lawful basis for processing (UK GDPR Article 6; EU GDPR Article 6; or equivalent under applicable US law) before providing personal data to Coaley Peak.
  • Data subject information: The controller must ensure that data subjects have been provided with appropriate privacy notices that encompass processing by Coaley Peak as a processor or service provider.
  • Data minimisation: The controller must provide only personal data that is necessary for the agreed scope of services. Coaley Peak processes only the data provided to it within the agreed scope.
  • Accuracy: The controller is responsible for the accuracy of personal data provided to Coaley Peak. Coaley Peak bears no liability for inaccurate, incomplete, or corrupted data provided by the controller.
  • Data subject rights: The controller is responsible for receiving, assessing, and substantively responding to data subject rights requests. Coaley Peak provides reasonable technical assistance only.
  • Applicable law compliance: The controller is responsible for compliance with all privacy laws applicable in the client’s jurisdiction, including any notification obligations to regulatory authorities arising from the controller’s own acts or omissions.

Data Processing Agreement

A Data Processing Agreement (DPA) is required before any personal data is shared with Coaley Peak. The DPA governs the specific processing relationship, sets out the subject matter, nature, purpose, and duration of processing, the type of personal data, and the categories of data subjects. This statement is a summary only and does not constitute or replace the DPA.

To request a DPA or ask a question about this statement:

Email legal@coaleypeak.co.uk with your organisation name and the name of your authorised signatory. A countersigned DPA is returned within five business days.


Document reference: ISO_webpage_get-started_processor-statement_v1

Last modified: 29 March 2026
