GDPR & Data Processing Agreement

✓

Every VLS Sourcing UK engagement includes a signed Data Processing Agreement (DPA). We do not begin work until the DPA is in place. Contact us at privacy@vlssourcing.uk to request a copy of our standard DPA template.

How We Approach GDPR Compliance

UK GDPR (as retained in UK law by the Data Protection Act 2018) applies to the processing of personal data relating to UK data subjects. When a UK business engages VLS Sourcing to provide remote staffing services, personal data may flow from the UK client to VLS Sourcing's team in India — and that transfer must be appropriately governed.

We take this seriously. GDPR compliance is built into our standard engagement process — not bolted on as an afterthought.

The Data Processing Agreement (DPA)

A Data Processing Agreement is a legally binding contract between a data controller (your UK business) and a data processor (VLS Sourcing) that governs how personal data is handled. Under UK GDPR Article 28, a DPA is required whenever a controller engages a processor to handle personal data on its behalf.

Our standard DPA covers:

The subject matter, duration, and nature of the processing
The types of personal data processed and categories of data subjects
The obligations and rights of the controller
Instructions for processing — VLS Sourcing processes only on your documented instructions
Confidentiality obligations on all staff who access personal data
Security measures appropriate to the risk
Sub-processor restrictions and notification obligations
Data subject rights assistance — we help you respond to requests
Data return or deletion on termination
Audit rights — you have the right to audit our compliance

International Data Transfers — India

India does not currently hold a UK adequacy decision. This means that transfers of personal data from the UK to India require an appropriate safeguard under UK GDPR Article 46.

VLS Sourcing relies on International Data Transfer Agreements (IDTAs) — the UK equivalent of Standard Contractual Clauses — as the transfer mechanism for all UK-to-India personal data transfers. Our standard DPA incorporates the relevant IDTA provisions.

We also conduct Transfer Risk Assessments (TRAs) where appropriate, to evaluate whether the protections in the IDTA are effective in the context of Indian law.

What Personal Data Is Typically Involved?

The personal data involved in a VLS Sourcing engagement depends entirely on the role. For most admin, finance, and customer support roles, the data involved is routine business information:

Names and contact details of your customers, suppliers, or colleagues
Financial transaction data (for bookkeeping roles)
Customer service correspondence
CRM or database records

We do not encourage or permit the transfer of special category data (health, financial credentials, biometric data, etc.) to remote hires without specific additional safeguards and your explicit instruction.

Security Measures

All VLS Sourcing remote professionals are subject to:

Signed confidentiality and NDA agreements before commencement
Data handling training specific to their role
Access controls — they are given access only to data necessary for their function
Use of company-approved devices and communication channels where applicable
Immediate access revocation upon termination of the engagement

Your Responsibilities as the Controller

As the data controller, your UK business remains responsible for:

Ensuring you have a lawful basis for sharing personal data with VLS Sourcing
Updating your own privacy notices to reflect third-party processing by VLS Sourcing where relevant
Granting appropriate access levels — we recommend applying the principle of minimum necessary access
Notifying VLS Sourcing promptly of any changes to your data processing instructions

Data Breach Notification

VLS Sourcing will notify you without undue delay — and within 48 hours — of becoming aware of any personal data breach involving data processed on your behalf. We will provide sufficient information for you to assess the breach and fulfil your own notification obligations to the ICO (where applicable).

Requesting Our DPA

Request a Copy of Our Standard DPA

We provide our standard DPA template to all prospective clients before engagement begins. If you would like to review it as part of your due diligence, email us and we'll send it within one business day.

Request DPA Template →

ICO Registration

VLS Sourcing Pvt. Ltd. is based in India and is not a UK-established organisation. As a data processor processing data on behalf of UK controllers, we are subject to UK GDPR obligations under Article 3(2) (extra-territorial scope). We comply with those obligations through our DPA framework and IDTA transfer mechanism.

Your UK business, as the data controller, should ensure it is registered with the ICO where required. Check your registration status at ico.org.uk.

Questions

For any GDPR or data protection queries, contact privacy@vlssourcing.uk. We aim to respond within one business day.