Privacy Policy Banner

Privacy Policy

Data protection policy

We take our responsibility to protect personal data very seriously. This policy sets out how we handle your personal data. If you’re an employee, you’ll be given access to a data protection policy relating to you and your employment – this policy doesn’t relate to you.We have appointed a Data Manager who is responsible for ensuring that we are safely and legally processing data.  If you have any questions about this policy or the processing of personal data they would be delighted to help you to answer them. You can email them at

Protecting personal data

Here’s a bit more detail

  • We process personal data fairly and lawfully. Grounds for processing personal data include; with consent, to comply with a legal obligation, in the data subject’s vital interests, in the performance of a contract with the data subject or in our legitimate interests. If the personal data is sensitive, additional conditions will be met.
  • Where we don’t have an alternative lawful basis to process your personal data we’ll ask you for your consent to do so. In particular, we will only send you marketing emails or make contact about marketing initiatives where you have agreed to us doing so.
  • We will always be transparent about how we’re using your personal data. We’ll provide you with information about who controls your data, how and why it will be used, how it’s protected and how long it’s retained for within a privacy notice (which will usually be found on our website).
Requests to see your personal data
  • If you want us to show you personal data that we hold on you then you need to make a request in writing to the Personal Data Manager at We might ask you for more details about the request or give you a template letter to help with your request. Where the request isn’t made in person we will always ask for two forms of identity to confirm that it is you making the request.
  • We’ll always try and acknowledge your request when we receive it. We’ve got between 30 days and three months to respond in full to your request.
  • We may ask you to contribute towards the administration fee in processing your request.
Your rights to deletion, freezing data processing and corrections
  • You can ask us to delete your personal data where:
    1. Processing it is no longer necessary bearing in mind the reason it was collected;
    2. It is being processed unlawfully;
    3. You object to us processing your personal data (unless we have an over-riding legitimate interest for continuing to process it in which case we may continue to do so).
  • Where information we hold on you is inaccurate or incomplete you can ask us rectify the data.
  • You can ask us to stop processing your data where:
    1. Processing is unlawful;
    2. You say that the information that we hold is inaccurate;
    3. You don’t consider we have a ‘legitimate interest’ for processing the data (unless we have an over-riding legitimate interest for continuing to process it in which case we will continue to do so).

If we think that you’re abusing these rights and making unfounded or excessive requests we may refuse your request or may charge a reasonable administration fee for processing the request.

Training and audit
  • Our employees have undergone training to enable them to comply with this policy.
  • We test our systems and processes to ensure we meet with our obligations under this policy.
Automated processing
  • Generally, automated decision making is prohibited where the decision has a significant or legal effect on an individual. The exceptions to this are where:
    1. The data subject has explicitly consented;
    2. The automated processing is automated by law; or
    3. The automated processing is necessary for performing or entering into a contract.
  • If a decision is to be based on automated processing, we will inform you of this and let you know of your right to object. We’ll give you information on the logic involved in the decision making and give you the right to request human intervention, or to challenge the decision.
  • Before any automated processing is carried out, an impact assessment must be carried out.
Sharing personal data
  • Generally, we don’t share your personal data with third parties. We’ll only do so where:
    1. It is required by law (for example, to government bodies);
    2. They need to know the information in order to fulfil their contract with us (but provided they will not use your information for their own purposes);
    3. Internally where we need to do so to comply with our obligations to you;
    4. You’ve been informed and your consent has been obtained (where we have identified it is needed);
    5. The third party has adequate security measures in place;
    6. The transfer complies with any applicable restrictions on cross-border transfers;
    7. A fully executed written contract which contains GDPR compliant clauses has been obtained.