Records of Processing Activities
UK GDPR Article 30 summary register
Version 1.0 · Last updated 6 May 2026
TRM Flex Limited is the data controller. The table below summarises the processing activities we carry out. The full internal RoPA, sub-processor DPAs and retention schedule are available to enterprise customers and to the ICO on request.
Worker onboarding & verification
- Purpose
- Identity, right-to-work and self-employment verification for marketplace participation
- Lawful basis
- Art 6(1)(b) Contract; Art 6(1)(c) RTW legal obligation
- Data categories
- Name, contact, RTW documents, NI/UTR, bank details, photo ID
- Data subjects
- Self-employed workers
- Retention
- 6 years post last engagement (HMRC) · ID docs purged at 12 months
- Recipients
- TRM Flex admins; Stripe (payouts)
Client account & event delivery
- Purpose
- Operate platform, deliver event coverage, billing
- Lawful basis
- Art 6(1)(b) Contract
- Data categories
- Name, work contact, company, billing address, event briefs
- Data subjects
- Client team members
- Retention
- 7 years post contract end (UK accounting)
- Recipients
- TRM Flex admins; Stripe; Resend
B2B cold outreach (Apollo cohort)
- Purpose
- Role-relevant introductions to the Event Operations Platform
- Lawful basis
- Art 6(1)(f) Legitimate interest; PECR 22(2) corporate subscriber
- Data categories
- Work email, name, job title, seniority, employer
- Data subjects
- UK corporate decision-makers
- Retention
- 6 months from approval (auto-anonymise)
- Recipients
- Resend; Apollo (source)
Inbound brief & demo capture
- Purpose
- Respond to enquiries, build event brief, schedule demos
- Lawful basis
- Art 6(1)(b) pre-contract; Art 6(1)(f) follow-up
- Data categories
- Name, work email, phone, company, event description
- Data subjects
- Prospective clients
- Retention
- 72h public draft / 6 months authed unpinned / indefinite if pinned
- Recipients
- TRM Flex admins; Calendly
Subject Access & Erasure requests
- Purpose
- Fulfil UK GDPR Articles 15–22
- Lawful basis
- Art 6(1)(c) Legal obligation
- Data categories
- Identifying data + audit log
- Data subjects
- Any data subject
- Retention
- 6 years (statute of limitations)
- Recipients
- TRM Flex DPO
Security & threat response
- Purpose
- Detect and mitigate platform abuse
- Lawful basis
- Art 6(1)(f) Legitimate interest (network security)
- Data categories
- IP address, UA, request metadata
- Data subjects
- All visitors
- Retention
- 30 days (IP/UA), 12 months (incident records)
- Recipients
- TRM Flex admins
Worker payouts & client invoicing
- Purpose
- Process payments, generate invoices, file accounts
- Lawful basis
- Art 6(1)(b) Contract; Art 6(1)(c) Tax law
- Data categories
- Name, bank/Stripe ID, amounts, VAT registration
- Data subjects
- Workers, clients, suppliers
- Retention
- 7 years (HMRC) · invoices immutable
- Recipients
- Stripe; HMRC on request
International transfers
Where personal data is transferred outside the UK (e.g. to US-based sub-processors such as Stripe, Resend or Apollo), transfers are protected by the UK International Data Transfer Addendum to the EU Standard Contractual Clauses, plus supplementary technical measures (TLS in transit, encryption at rest).
Contact
Data Protection Officer · Mr Thomas Rhys Morris · privacy@trmflex.com
Document controller
TRM Flex Limited · Company No. 17090539 · Registered in England & Wales
Registered Office: C/O Eaccounts, Ground Floor Cardigan House, Castle Court, Swansea, SA7 9LA
ICO Data Protection Registration: ZC121365
Data Protection Officer: Mr Thomas Rhys Morris · hello@trmflex.com
Supervisory authority: Information Commissioner's Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF · ico.org.uk · 0303 123 1113.