DPIA summary — secure document upload
This is a plain-English summary of the Data Protection Impact Assessment (DPIA) for our document pre-check upload service. The full DPIA is held internally and signed off by our Privacy Lead before the feature goes live.
Review required. This summary is a working draft. The document-upload feature does not accept uploads until the full DPIA is signed and the secure storage is provisioned.
What the processing is
When you pay for a document pre-check, you may upload supporting documents (for example passport scans, bank statements, invitation letters) so an adviser can review them before you submit your application.
Personal data involved
- Identity and contact details, passport/ID data, travel details.
- Documents you choose to upload, which may contain special-category data (e.g. data revealing health or biometric identifiers in some documents).
Lawful basis
- Article 6(1)(b) UK GDPR — processing necessary to perform our contract with you.
- Article 9(2)(a) — your explicit consent for any special-category data, captured at upload.
Key safeguards
- Uploads go to an isolated quarantine store via a short-lived, single-use upload link; files are malware-scanned before any adviser can open them, then moved to a separate clean store.
- Access is restricted to the adviser handling your case.
- Files are retained only as long as needed for the pre-check and then deleted (target retention is confirmed in the signed DPIA).
- Transfers are encrypted in transit and at rest.
Your rights
You can request access, correction, deletion or restriction of your data, and withdraw consent at any time. See the Privacy Policy for full detail and how to contact us, including your right to complain to the ICO.