← Back to Governance

Data Protection Policy

Version 1.0 · Effective April 2026 · IsoGentiX Ltd

Legal framework

IsoGentiX Ltd is subject to the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This policy sets out how IsoGentiX collects, uses, stores, and protects personal data, and the obligations of all personnel who handle personal data in the course of their work.

Data protection principles

IsoGentiX processes personal data in accordance with the following principles:

  • Lawfulness, fairness, and transparency — personal data is only processed where there is a valid lawful basis and data subjects are informed of how their data is used
  • Purpose limitation — data is collected for specified, explicit, and legitimate purposes and not processed in a manner incompatible with those purposes
  • Data minimisation — only data that is necessary for the stated purpose is collected and retained
  • Accuracy — reasonable steps are taken to keep data accurate and up to date
  • Storage limitation — data is not retained longer than necessary for the purpose for which it was collected
  • Integrity and confidentiality — data is protected against unauthorised access, loss, or destruction using appropriate technical and organisational measures

Lawful bases for processing

IsoGentiX relies on the following lawful bases depending on context: contractual necessity (processing required to perform a contract with the data subject); legitimate interests (where processing is necessary for IsoGentiX's legitimate business purposes and these are not overridden by the data subject's rights); legal obligation; and consent where required.

Data subject rights

Individuals whose personal data IsoGentiX processes have rights under UK GDPR including the right to access their data, the right to correction, the right to erasure in certain circumstances, and the right to object to certain processing. Requests should be directed to a director. IsoGentiX will respond within the statutory timeframe.

International transfers

Where personal data is transferred outside the UK — including to Madagascar in connection with field operations — IsoGentiX will ensure appropriate safeguards are in place in accordance with UK GDPR requirements.

Breaches

Any actual or suspected personal data breach must be reported to a director immediately. Where a breach meets the threshold for notification under UK GDPR, IsoGentiX will notify the Information Commissioner's Office within 72 hours and, where required, the affected individuals.

Further information

For details of how IsoGentiX processes personal data in connection with use of this website, see the Privacy Policy.