UK GDPR
The UK left the EU and inherited GDPR as 'UK GDPR' alongside the Data Protection Act 2018. The substance is nearly identical to EU GDPR; the regulator, the regulator's guidance, and the cross-border transfer mechanics differ.
The legal landscape
Following the UK's departure from the EU, the EU GDPR was retained in UK domestic law as "UK GDPR" and is read together with the Data Protection Act 2018 (DPA 2018). The substantive principles, lawful bases, data subject rights, and obligations on controllers and processors are materially identical to EU GDPR. The key differences for vendors:
- Regulator: The UK Information Commissioner's Office (ICO) is the supervisory authority, not a European data protection authority.
- Adequacy: The European Commission has recognized the UK as providing adequate protection for personal data, so EU → UK transfers do not require additional safeguards.
- UK to third-country transfers: These require UK-specific Standard Contractual Clauses (the UK IDTA), the UK Addendum to the EU SCCs, or another transfer mechanism recognized by UK law.
- Penalties: Up to the greater of £17.5 million or 4% of global annual turnover, mirroring the EU framework.
Koji as a UK-relevant processor
Koji B.V. (Netherlands) processes UK personal data on behalf of UK customers acting as controllers. The same operating practices and contractual framework that govern EU processing apply to UK processing:
- Article 28-equivalent processor obligations under UK GDPR are incorporated into our Data Processing Agreement.
- The same technical and organizational measures apply.
- The same sub-processor register applies, with notification of changes at least thirty days in advance.
- The same incident response process applies, with the same seventy-two-hour personal data breach notification window.
International transfers from the UK
UK customers who select EU residency for their Koji deployment rely on the European Commission's adequacy decision for the UK, meaning EU → UK transfers are lawful without additional safeguards. The same logic applies in reverse to UK → EU transfers, which are recognized under UK adequacy regulations.
Where transfers go to countries without UK adequacy (notably the United States, when a customer selects US residency), Koji incorporates the UK International Data Transfer Addendum to the EU SCCs (UK Addendum) into the DPA. The UK Addendum modifies the EU SCCs so they are valid as a UK transfer mechanism. This is the most common and ICO-recommended approach.
The standalone UK IDTA (International Data Transfer Agreement) is available on request for customers whose procurement process specifically requires it.
UK data subject rights
UK data subjects have the same rights as their EU counterparts (access, rectification, erasure, restriction, portability, objection, and rights related to automated decision-making). Koji's platform and operational processes support these rights in the same way for UK and EU subjects. See GDPR for the detailed treatment.
ICO complaints
UK data subjects have the right to lodge a complaint with the Information Commissioner's Office:
- Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
- ico.org.uk/make-a-complaint
UK-specific ICO guidance Koji follows
- ICO guidance on AI and data protection (relevant to Koji's AI-moderated interview features). See also our AI governance page.
- ICO Children's code (Age Appropriate Design Code) — Koji is not directed at children under 13 and does not knowingly collect their data; customer deployments targeting under-18s should contact [email protected] to configure appropriate safeguards.
- ICO guidance on cookies and similar technologies (UK PECR), honored by Koji's cookie consent mechanism. See Cookie policy.
UK representative
Koji B.V. is established in the Netherlands. Where a UK representative is required under Article 27 UK GDPR for a specific customer deployment, Koji arranges the appointment as part of enterprise onboarding. Customers can confirm the current UK representative arrangement by emailing [email protected].
Contact
For UK GDPR contract questions, email [email protected]. For data-subject requests, email [email protected].