Section 3 — UK GDPR + DUAA 2025 Refresher
=========================================
Statutory anchor: UK GDPR + Data (Use and Access) Act 2025
(complaints procedure mandatory from 19 June 2026).

DUAA readiness status:
  · Complaints procedure                ✓ Published, staff trained, 30-day SLA
  · ROPA addendum                       ✓ Reviewed 11 Mar 2026
  · Sub-processor list                  ✓ Current; 6 sub-processors documented
  · Cookie/PECR posture                 ✓ Klaro consent manager; AUP signed
  · Special-category data (Article 9)   ✓ Identified handlers all trained

Role overlays applied:
  · DPO overlay (20 min, 0.5 CPD hours) — assigned to 1 DPO
  · Processor-handling overlay (12 min) — assigned to 8 ops staff
  · Special-category data overlay (15 min) — assigned to 3 HR staff

Training records: see attached gdpr-training-records.csv
Audit log:        see attached gdpr-audit-log.csv (17 entries this quarter)
