GDPR Policy

Last Updated: March 2026

Important Notice

This document is a good-faith GDPR Compliance Statement prepared by VanCamp Consultants Ltd. It reflects our genuine commitment to data protection and our efforts to meet the requirements of the General Data Protection Regulation (EU) 2016/679 and the UK GDPR. VanCamp Consultants Ltd does not hold formal GDPR certification, as no official certification scheme is mandated under the GDPR. Our compliance is based on internal practices, policies, and ongoing review rather than third-party certification. This statement should not be relied upon as legal advice.

1. Introduction and Scope

VanCamp Consultants Ltd ("VanCamp", "we", "us", or "our") is committed to protecting the privacy and rights of individuals whose personal data we process. This GDPR Compliance Statement sets out how we approach our obligations under the General Data Protection Regulation (EU) 2016/679 ("GDPR") and, where applicable, the UK General Data Protection Regulation ("UK GDPR") as retained in UK law following the United Kingdom's departure from the European Union.

This statement applies to all personal data processed by VanCamp Consultants Ltd in connection with our website www.vancamp.cloud and our consultancy activities. It should be read alongside our Privacy Policy and Cookie Policy, which are available at www.vancamp.cloud.

We recognize that GDPR compliance is an ongoing responsibility and we are committed to reviewing and updating our practices as our business evolves and as regulatory guidance develops.

2. Our Role as Data Controller

VanCamp Consultants Ltd acts as a data controller in respect of personal data collected through our website and in connection with our consultancy services. As data controller, we determine the purposes and means of processing personal data and bear primary responsibility for ensuring that our processing activities comply with applicable data protection law.

Where we engage third-party service providers who process personal data on our behalf (for example, website hosting providers or analytics platforms), those parties act as data processors. We ensure that appropriate data processing agreements are in place with all such processors, as required under Article 28 of the GDPR.

We do not currently have a designated Data Protection Officer (DPO), as we are not required to appoint one under Article 37 of the GDPR based on the nature and scale of our processing activities. However, we have assigned internal responsibility for data protection oversight, and any data protection enquiries should be directed to us via the contact details in Section 12.

3. Our Commitment to the GDPR Principles

Article 5 of the GDPR sets out six core principles that underpin all lawful processing of personal data. VanCamp Consultants Ltd is committed to upholding each of these principles in our data handling practices.

3.1 Lawfulness, Fairness, and Transparency

We process personal data on a lawful basis and are transparent with individuals about how their data is used. Our Privacy Policy sets out in clear, plain language what data we collect, why we collect it, and how it is used. We identify an appropriate legal basis for each category of processing activity we carry out.

3.2 Purpose Limitation

We collect personal data only for specified, explicit, and legitimate purposes, and we do not process it in a manner incompatible with those purposes. If we wish to use personal data for a new purpose, we will assess compatibility and, where required, seek fresh consent or identify a new legal basis.

3.3 Data Minimization

We collect only the personal data that is necessary and relevant for the purposes for which it is processed. We do not collect excessive or unnecessary data, and we regularly review the data we hold to ensure it remains relevant and proportionate.

3.4 Accuracy

We take reasonable steps to ensure that the personal data we hold is accurate and kept up to date. We have processes in place to correct or delete inaccurate data promptly upon becoming aware of it. Individuals also have the right to request rectification of inaccurate data at any time.

3.5 Storage Limitation

We retain personal data only for as long as is necessary for the purposes for which it was collected, or as required by applicable law. We have a data retention schedule that defines retention periods for different categories of personal data, and we dispose of data securely when it is no longer needed.

3.6 Integrity and Confidentiality (Security)

We implement appropriate technical and organizational measures to protect personal data against unauthorized access, loss, destruction, or alteration. Our security practices are reviewed regularly to ensure they remain effective and proportionate to the risks involved.

4. Legal Bases for Processing

The GDPR requires that every processing activity is founded on at least one of the six lawful bases set out in Article 6. VanCamp Consultants Ltd relies on the following legal bases for our processing activities:

• Consent (Article 6(1)(a)) — We rely on consent for the use of non-essential cookies, for marketing communications, and for any other processing where we have specifically sought and obtained your agreement. Consent is freely given, specific, informed, and unambiguous. You may withdraw consent at any time.

• Legitimate Interests (Article 6(1)(f)) — We rely on legitimate interests for activities such as improving our website, fraud prevention, and contacting prospective clients where there is a reasonable expectation of such communication. We conduct a legitimate interests assessment (LIA) to confirm that our interests are not overridden by your rights and freedoms.

• Contractual Necessity (Article 6(1)(b)) — We process personal data where it is necessary to enter into or perform a contract with you or your organization.

• Legal Obligation (Article 6(1)(c)) — We process personal data where necessary to comply with a legal obligation, such as tax, accounting, or regulatory requirements.

5. Individual Rights Under the GDPR

The GDPR grants individuals a number of rights in relation to their personal data. VanCamp Consultants Ltd is committed to honoring these rights and has processes in place to handle requests in a timely and transparent manner.

The rights available to individuals include:

• Right of access (Article 15) — the right to obtain confirmation of whether we process your personal data, and if so, to receive a copy of it along with supplementary information about how it is processed.

• Right to rectification (Article 16) — the right to have inaccurate personal data corrected without undue delay.

• Right to erasure / 'right to be forgotten' (Article 17) — the right to request deletion of your personal data in certain circumstances, such as where it is no longer necessary for the purpose it was collected.

• Right to restriction of processing (Article 18) — the right to request that we limit how we use your data in certain circumstances.

• Right to data portability (Article 20) — the right to receive your personal data in a structured, commonly used, machine-readable format and to transfer it to another controller.

• Right to object (Article 21) — the right to object to processing based on legitimate interests or for direct marketing purposes.

• Rights related to automated decision-making and profiling (Article 22) — the right not to be subject to a decision based solely on automated processing that has a legal or similarly significant effect on you.

• Right to withdraw consent — the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

To exercise any of these rights, please contact us using the details in Section 12. We will acknowledge and respond to all valid requests within one calendar month. Where requests are complex or numerous, we may extend this period by up to two additional months, in which case we will notify you accordingly.

We will not charge a fee for handling data subject requests except where requests are manifestly unfounded, repetitive, or excessive, in which case we may charge a reasonable fee or decline to act.

6. International Data Transfers

Where personal data is transferred outside the United Kingdom or the European Economic Area (EEA) to a country that does not benefit from an adequacy decision, we ensure that appropriate safeguards are in place to protect the data in accordance with our obligations under Chapter V of the GDPR. These safeguards may include:

• Standard Contractual Clauses (SCCs) approved by the European Commission or the UK Information Commissioner's Office (ICO).

• Reliance on adequacy decisions issued by the European Commission or the UK Secretary of State.

• Other legally recognized transfer mechanisms as appropriate.

For example, data processed by Google Analytics may be transferred to and stored in the United States. We ensure that such transfers are subject to appropriate contractual protections. Further details are set out in our Privacy Policy and Cookie Policy.

7. Data Security Measures

We have implemented a range of technical and organizational security measures designed to protect personal data from unauthorized access, accidental loss, destruction, or alteration. These include:

• Encryption of personal data in transit using SSL/TLS protocols.

• Access controls ensuring that only authorized individuals can access personal data.

• Regular review of our information security practices and third-party provider security standards.

• Use of reputable, security-conscious third-party service providers subject to appropriate data processing agreements.

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, in accordance with Article 33 of the GDPR. Where the breach is likely to result in a high risk to individuals, we will also notify the affected individuals without undue delay, as required by Article 34.

8. Data Retention

We retain personal data only for as long as is necessary to fulfil the purpose for which it was collected, or as required or permitted by law. Our approach to retention is guided by the principle of storage limitation under Article 5(1)(e) of the GDPR.

Key retention periods applied by VanCamp Consultants Ltd include:

• Enquiry and contact data: up to 3 years from the date of last interaction, unless a longer period is required for legal or contractual reasons.

• Marketing data: until consent is withdrawn or the individual unsubscribes.

• Website analytics data: typically, up to 26 months, subject to our cookie settings.

• Financial and accounting records: as required by applicable law (typically 6-7 years).

When personal data is no longer required, it is deleted or anonymized in a secure and irreversible manner.

9. Third-Party Processors and Vendors

Where we engage third-party organizations to process personal data on our behalf, we ensure that:

• A written data processing agreement (DPA) is in place that meets the requirements of Article 28 of the GDPR.

• The processor provides sufficient guarantees to implement appropriate technical and organizational measures.

• The processor processes personal data only on our documented instructions.

• Sub-processing is subject to the same data protection obligations.

Our current third-party processors include providers of website hosting, analytics (including Google Analytics), and marketing services. A full list of processors is available upon request.

10. Cookies and Consent Management

We use cookies and similar tracking technologies on our website. In accordance with the GDPR and applicable e-privacy regulations, we obtain explicit consent before placing any non-essential cookies on your device. Our Cookie Policy, available at www.vancamp.cloud, provides full details of:

• The categories of cookies we use and their purposes.

• How to manage, restrict, or withdraw your cookie consent at any time.

• Third-party cookies and the relevant third-party privacy policies.

11. Right to Lodge a Complaint

If you are unhappy with how VanCamp Consultants Ltd handles your personal data, we encourage you to contact us in the first instance using the details in Section 12 so that we can seek to resolve your concern.

However, you also have the right at any time to lodge a complaint with the relevant data protection supervisory authority in your jurisdiction. For individuals in the United Kingdom, the relevant authority is:

Information Commissioner's Office (ICO)

Website: www.ico.org.uk

Helpline: 0303 123 1113

For individuals in the European Economic Area, please contact the relevant national supervisory authority in your country of residence.

12. Contact Us

For any questions, concerns, or requests relating to this GDPR Compliance Statement or our data protection practices, please contact us:

• Phone: (+234) 0811-337-1455

• Email: info@vancamp.cloud (Include the subject title: "VanCamp Consultants GDPR Policy)

We will acknowledge all legitimate data protection enquiries promptly and respond fully within the timeframes required by applicable law.

13. Review of This Statement

This GDPR Compliance Statement will be reviewed at least annually, or sooner if required by changes in our business activities, applicable law, or regulatory guidance. Any material updates will be reflected in the "Last updated" date at the top of this document and, where appropriate, communicated to affected individuals.