Data breach & security incident policy

Version: 1.0. Effective from 1 May 2026.

This policy explains how Prodigi Group Ltd and its operating companies and affiliates ("Prodigi", "we", "us") identify, contain, investigate, notify and respond to personal data breaches and security incidents. It supports the commitments Prodigi makes in its Privacy & Cookie Policy and Data Processing Addendum and is supported by detailed internal incident-response procedures.

1. Scope and roles

1.1 Prodigi processes personal data in different roles. Where Prodigi acts as controller, this policy supports Prodigi's own breach notification obligations under applicable Data Protection Laws (including the UK GDPR, the Data Protection Act 2018 and the EU GDPR). Where Prodigi processes Merchant Customer Data as processor, this policy supports Prodigi's obligation to notify the relevant Merchant without undue delay so that the Merchant can comply with its own controller obligations.

1.2 This policy applies to all personal data processed by Prodigi, regardless of format, and to all Group personnel, contractors, consultants, suppliers and subprocessors processing personal data on behalf of Prodigi.

2. Definitions

2.1 "Personal data breach" has the meaning given in applicable Data Protection Laws and includes a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

2.2 "Security incident" means any event or action that may compromise the confidentiality, integrity or availability of Prodigi systems or data, whether or not it amounts to a personal data breach.

3. Reporting an incident

3.1 Personal data breaches affecting Prodigi or Merchant Customer Data, security incidents and vulnerability reports should all be reported to dpo@prodigi.com.

3.2 Subprocessors and fulfilment partners are required by their contracts with Prodigi to report personal data breaches affecting Merchant Customer Data without undue delay.

3.3 An initial report should include, to the extent known: the nature of the incident; when it occurred or was discovered; the type and approximate volume of personal data affected; the approximate number of individuals involved; and any immediate containment steps already taken.

4. Response and investigation

4.1 Prodigi will carry out an initial triage promptly and, wherever possible, within 24 hours of discovery or report. Where the incident is still in progress, immediate steps will be taken to contain it.

4.2 Prodigi will assess the severity of the incident and the risk it presents to affected individuals, including the type and sensitivity of the data involved, the protections in place, what has happened to the data, and any wider consequences.

4.3 Where appropriate, Prodigi will engage external advisers and notify law enforcement, regulators, banks, card schemes or insurers.

5. Notification

5.1 Where Prodigi acts as controller and an incident is a personal data breach that meets the threshold for notification under applicable Data Protection Laws, Prodigi will notify the relevant supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of it.

5.2 Where Prodigi processes Merchant Customer Data as processor, Prodigi will notify the relevant Merchant without undue delay after becoming aware of a personal data breach affecting that Merchant's data, in accordance with the Data Processing Addendum. The Merchant remains responsible for assessing whether and how to notify supervisory authorities and data subjects.

5.3 Where required by Data Protection Laws, Prodigi will notify affected individuals without undue delay where a personal data breach is likely to result in a high risk to their rights and freedoms. Notifications will, where appropriate, include a description of how and when the breach occurred and the data involved, clear advice on what affected individuals can do to protect themselves, what action has been taken to mitigate the risks, and a way to contact Prodigi for further information.

6. Records

6.1 Prodigi maintains an internal record of personal data breaches and significant security incidents in accordance with applicable Data Protection Laws, including the facts relating to the breach, its effects and the remedial action taken. The record is provided to supervisory authorities on request.

7. Review and improvement

7.1 Following each incident of significance, Prodigi reviews the causes, the effectiveness of the response and any changes that should be made to systems, processes or controls. Where appropriate, recommendations are reported to the Prodigi Group board.

8. Reporting incidents to Prodigi

Personal data breach reports, security incidents and vulnerability reports: dpo@prodigi.com

Postal: Data Protection, Prodigi, Unit 20, Caker Stream Road, Alton, Hampshire, GU34 2QA, UK.