Last updated: 3 Dec 2025
Security & How BHD Handles Your Data
We handle regulatory notices, privacy matters, and sensitive communications on behalf of our clients. Protecting this information is core to how we operate.
At BHD Governance, we operate a deliberately small, highly controlled processing footprint. Our only role is to receive, document, and forward regulatory or data-subject communications to you as your appointed EU/UK Representative.
This page explains, in clear and practical terms, how we handle that data and how we keep it secure.
1. Purpose of Processing
We process personal data solely to:
receive regulatory and DSAR communications,
confirm they relate to your organisation,
log receipt for evidence, and
forward them to you on your instructions.
We do not collect data for our own purposes.
2. What We Receive
We only hold the information necessary to deliver our services as statutory representative. Where possible, we minimise, pseudonymise, or avoid collecting data entirely. Depending on your regulators and end users, we may receive:
emails from regulators or data subjects
postal mail (scanned securely)
phone calls or voicemails
supporting documents included in those messages
Special category data may appear within those messages, but we do not extract, store, or analyse it.
3. How We Handle It
We review each communication manually.
We record receipt in our evidence log.
We forward the communication directly to your nominated contacts.
We retain only what is necessary for compliance and audit purposes.
We do not run analytics, automation, AI, or call transcription.
4. Our Processors (Minimal and Controlled)
BHD uses a very small set of carefully selected processors:
Google Workspace — email and secure storage
Hoxton Mix (UK) — scanning UK mail
Irish Formations (IE) — scanning EU mail
1st Formations (UK) — backup mail handling
Zadarma — phone/voicemail routing (all optional analytics/insights disabled)
We do not use any third-party analytics, AI, or machine-learning services.
5. International Transfers
If you are located outside the EU/UK/EEA, BHD will forward regulatory or data-subject communications to you only on your documented instructions, as required under Art. 28.
You, as the Data Controller, remain responsible for ensuring appropriate safeguards in your own jurisdiction.
BHD does not transfer data to third countries for its own purposes.
6. Retention
We retain regulatory notices and related correspondence only for as long as required by law or contract. Clients may request deletion or export at any time (subject to lawful bases). We retain the minimum necessary for legal compliance and to ensure there is a robust record of BHD performing its statutory role appropriately.
7. Security Measures
Encrypted email and storage
2FA on all systems
Restricted access
No automated transcription, scanning, or analytics
Manual review of all regulatory communications
Minimal processor model
Evidence log for all regulatory contacts
If you require more detail, we maintain an internal Record of Processing Activities and can make a summary available on request. If you have any security questions, or wish to report an issue, please contact: admin@bhdgovernance.com.