1. Your personal data – what is it?
The processing of personal data is governed by the UK Data Protection Act 2018, the General Data Protection Regulation (GDPR) and the Data Use and Access Act 2025. Personal data relates to any natural or legal person, public authority, agency or other body which, alone or jointly can be identified from that data. Identification can be by the information alone or in conjunction with any associated information in the data controller’s possession or likely to come into its possession.

2. Who are we?
Sota Solutions Limited (Sota) is a data controller, meaning it decides how your personal data is processed and for what purposes. Sota is also a data processor, meaning it is responsible for processing personal data on behalf of a controller. In response to the data protection accountability and governance principles, Sota has implemented appropriate technical and organisational measures to ensure it can demonstrate that it complies with the Act and the Regulations. This includes the formulation of Data Protection policies and procedures, whilst also carrying out associated activities such as staff training, internal audits of processing activities and reviews of internal policies.

3. What types of personal data do we collect?
In order for you to use our services, receive email responses regarding a service enquiry or updates you may be asked to provide us with personal information about yourself such as your name, job title, phone number, e-mail and other contact details.

3a. Call and Meeting Recording
When you contact us by phone, or participate in a digital meeting, your interaction may be recorded and transcribed using AI technology. This means we may process the following personal data during calls:

• Voice recordings (which may include names, job titles, and other identifiers shared during the call)

• Contact details provide during the conversation

• Contextual information such as account details, service queries, or transaction references

• Video and shared content, where applicable in digital meetings

Recordings are used for the following purposes:

Quality assurance and staff training

Compliance with legal and regulatory obligations
Resolving disputes and verifying information
Improving customer service
Supporting productivity tools for licensed users

Processing is carried out under: SOTA SOLUTIONS LTD CLASSIFICATION: PUBLIC Sota Solutions – Website Data Privacy Notice

• Legitimate Interests (e.g., ensuring service quality and compliance)

• Legal Obligation (e.g., regulatory requirements) Consent, where applicable

Call and meeting recordings are retained for 120 days, unless a longer period is required for legal or regulatory purposes. After this period, recordings are securely deleted.

Where automated tools assist in transcription or analysis, Sota will apply DUAA required safeguards, including the right to request human review and to challenge automated outcomes.

4. How do we process your personal data?

Sota complies with its obligations by:

• Keeping personal data up to date;

• Using the DUAA “reasonable and proportionate” standard when responding to data subject requests

• Storing and destroying it securely;

• Not collecting or retaining excessive amounts of data;

• Protecting personal data from loss, misuse, unauthorised access and disclosure and

• Ensuring that appropriate technical measures are in place to protect personal data.

We may use your personal data for the following purposes:

• To enable us to provide you with IT infrastructure and managed services, consultancy and support.

• To provide you with connectivity and communication services.

• To respond to enquiries and requests for information.

• To market our services and solutions.

• To maintain our own accounts and records.

• To respond to applications for employment.

• To inform you of news, events and activities.

Cookies and Tracking Technologies

Our website uses essential cookies to maintain session functionality, track basic time settings and support core site operations. These cookies do not store any identifiable personal information and are used solely to ensure the website runs correctly.

5. What is the lawful basis for processing your personal data?

The legal basis for processing your personal data will be dependent on the purpose for which it was collected:

• In the case of Sota being able to market and offering its services, the legal basis will be legitimate interest.

In all instances, Sota will be able to identify a legitimate interest with respect to the SOTA SOLUTIONS LTD CLASSIFICATION: PUBLIC Sota Solutions – Website Data Privacy Notice provision of its services and show that the processing is necessary to achieve it, whilst balancing it against the individual’s interests, rights and freedoms.

• Sota will not in all cases solely rely on legitimate interest as the lawful basis for processing, and when conducting marketing activity will look to gain genuine consent.

• Processing of information required for carrying out legal and regulatory obligations, such as employment, social security or social protection law, or a collective agreement where the lawful basis would be a legal obligation. Sota may use limited automated tools to support the delivery of our services; however, we do so in a fair, transparent and proportionate manner. We will only use automated processes where they are appropriate and beneficial, and never in a way that would produce legal or similarly significant effects without additional checks. Where automated methods are used, you have important protections, including the right to request human involvement, the right to challenge an outcome, and the right to provide any information you feel should be considered.

6. Sharing your personal data

Your personal data will be treated as strictly confidential and will only be shared with other members of Sota in order to respond to enquiries and applications, to carry out and provide its services. We will only ever share your data with third parties outside the organisation with your consent or unless we are under a legal obligation to do so.

7. How long do we keep your personal data?

Sota Solutions will only retain personal data for the minimum period required or as defined by a legal obligation. Your personal data will be erased following this minimum period.

8. Your rights and your personal data

Unless subject to an exemption under the Act or Regulations, you have the following rights with respect to your personal data:

• The right to request a copy of the personal data which Sota holds about you.

• The right to request that Sota corrects any personal data, if it is found to be inaccurate or out of date.

• The right to request that your personal data is erased, in cases where it is no longer necessary to retain this data under a legal basis.

• The right to withdraw your consent to the processing of your data at any time.

• The right to request that Sota provides the data subject with his / her personal data and, where possible, to transmit that data directly to another data controller, (known as the right to data portability) where applicable and where possible. [Only applies where the processing is based on consent or is necessary for the performance of a contract with the data subject and in either case where the data controller processes the data by automated means].

• The right, where there is a dispute in relation to the accuracy or processing of your personal data, to request that a restriction is placed on further processing.

• The right to object to the processing of personal data where applicable. [Only applies where processing is based on legitimate interests (or the performance of a task in the public interest / exercise of official authority); direct marketing and processing for the purposes of scientific / historical research and statistics].

• The right to request human review where an automated decision has been made.

9. Further processing

Right to Complain You must first raise any privacy or data protection complaint directly with Sota. We will:

• Acknowledge your complaint within 30 days

• Investigate “without undue delay”

• Provide progress updates

• Issue a written outcome If you remain dissatisfied, you may escalate the matter to the Information Commissioners Office.

10. Contact Details

To exercise all relevant rights, request a copy of our Data Protection Policy, make queries or complaints, please contact the Data Protection Officer (DPO) at data.protection@sota.co.uk or write to Sota Solutions Ltd, 300 Cornforth Drive, Kent Science Park, Sittingbourne, Kent, ME9 8PX. For escalations or complaints you can also contact the Information Commissioners Office on 0303 123 1113; via email https://ico.org.uk/global/contact-us/email/ or by writing to the Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.