Last updated 01 April 2026
1. Introduction
This Privacy Policy applies to the processing of personal data related to the use of www.gxp-auditing.com (the “Website”). GXP Engaged Auditing Services (“GXP Engaged”, “we”, “us”) acts as the Data Controller and is committed to complying with:
- Regulation (EU) 2016/679 (the General Data Protection Regulation – GDPR);
- The UK GDPR as incorporated into UK law, and the UK Data Protection Act 2018 (as amended);
- All other applicable EU and UK data protection laws.
Together, these are referred to as Data Protection Laws.
2. Who this Privacy Policy applies to
This Privacy Policy applies to:
- Visitors to our Website;
- Individuals who contact us via email or contact forms;
- Job applicants;
- Visitors to our company pages on social media platforms, including LinkedIn.
3. General use of the Website and social media
Access to the Website implies full acceptance of this Privacy Policy and our Cookie Policy. This Policy applies to all pages hosted on the Website.
This Policy does not apply to third‑party websites that may be linked from our Website. We are not responsible for the privacy practices of those third parties.
This Privacy Policy also applies to other websites or online presences operated by GXP Engaged, including our company pages on LinkedIn. For LinkedIn company pages, GXP Engaged and LinkedIn act as joint controllers solely in relation to the processing of aggregated statistical data (e.g. page insights). For all other processing activities, LinkedIn acts as the sole Data Controller. Further details can be found in LinkedIn’s own Privacy Policy.
4. Why, how and for how long we process personal data
We process personal data only where necessary and for specified, explicit purposes. Personal data is retained for no longer than necessary to fulfil those purposes or to comply with legal obligations.
Where processing is based on our legitimate interests, we have carried out a Legitimate Interests Assessment to ensure that our interests are not overridden by your rights and freedoms.
4.1 Contact enquiries
- Purpose: To respond to enquiries submitted via email or contact forms
- Types of personal data: Name, company, email address, and any information you choose to provide
- Legal basis: Legitimate interest
- Retention period: For the time required to respond to your enquiry and for up to 12 months thereafter for follow‑up and record‑keeping purposes
4.2 Job applications
- Purpose: Recruitment and assessment of job applications
- Types of personal data: Name, contact details, CV and application information
- Legal basis: Legitimate interest
- Retention period: For the duration of the recruitment process and for up to 12 months after the recruitment decision, unless you consent to longer retention
4.3 Statistical and analytical purposes
- Purpose: Understanding how our Website and company pages are used
- Types of personal data: Aggregated statistical data (e.g. page visits, country-level information)
- Legal basis: Legitimate interest
- Retention period: As defined by the relevant platform (e.g. LinkedIn). Any exported reports are anonymised
4.4 Cookies
We use cookies to ensure the proper functioning of the Website. Subject to your consent where required, we also use analytics cookies to understand how visitors interact with the Website.
Cookies may, in certain circumstances, collect personal data such as IP address, browser type, operating system, or location. Further details are available in our Cookie Policy.
5. Data sharing and international transfers
We do not sell or trade personal data to third parties.
Where personal data is transferred outside the European Economic Area (EEA) and/or the United Kingdom, GXP Engaged ensures that such transfers comply with Data Protection Laws by relying on:
- Adequacy decisions issued by the European Commission and/or the UK Government; or
- Appropriate safeguards, such as EU Standard Contractual Clauses (including the UK Addendum) and/or the UK International Data Transfer Agreement (IDTA).
Copies of relevant transfer safeguards may be obtained by contacting our Data Protection Officer.
6. How we protect your information
GXP Engaged treats personal data in a confidential manner and implements appropriate technical and organisational security measures to protect it. These measures include, where appropriate:
- Access controls based on the principle of least privilege;
- Encryption;
- Procedures for detecting, managing, and reporting personal data breaches in accordance with Data Protection Laws.
7. Your rights
Under the GDPR and/or UK GDPR, you have the following rights, subject to applicable conditions:
- Right of access
- Right to rectification
- Right to erasure (“right to be forgotten”)
- Right to restriction of processing
- Right to object to processing
- Right to data portability (where applicable)
These rights are not absolute and will be assessed on a case‑by‑case basis.
To exercise your rights, please contact our Data Protection Officer using the details below. You also have the right to lodge a complaint with a supervisory authority.
- EEA residents: You may contact the supervisory authority in your country of residence, place of work, or where the alleged infringement occurred.
- UK residents: You may lodge a complaint with the Information Commissioner’s Office (ICO) at https://ico.org.uk
8. Changes to this Privacy Policy
This Privacy Policy is effective as of the date stated above. We may update it from time to time. Where changes are material, we will take reasonable steps to bring them to your attention.
9. Contact details
Data Controller
GXP Engaged Auditing Services
Theresienhöhe 28
80339 München
Germany
Data Protection Officer
Email: dpo@gxp-auditing.com
EU supervisory authorities
https://edpb.europa.eu/about-edpb/about-edpb/members_en