Privacy

GLYPHICS DATA PROTECTION POLICY

For cookie policy see Cookie Policy

1. POLICY STATEMENT

Everyone has rights with regard to the way in which their personal data in handled. During the course of our activities we will collect, store and process personal data about our employees, contractors, clients, prospective clients, emergency contacts, newsletter recipients and other third parties, and we recognise that the correct and lawful treatment of this data will maintain confidence in our organisation and the services we provide.

2. ABOUT THIS POLICY

2.1 The types of personal data that Glyphics Limited (We) may be required to handle include names, titles, physical addresses, email address, telephone numbers, dates of birth, national insurance numbers, proof of right to work in the UK, training records and financial information relating to our employees, contractors, clients, prospective clients, newsletter recipients and other third parties. The personal data, which may be held on paper or on a computer or other media, is subject to certain legal safeguards specified the UK General Data Protection Regulation (UK GDPR) in relation to individuals in the UK and EU General Data Protection Regulation (EU GDPR) in relation individuals in the European Economic Area (EEA), each as amended and/or updated from time to time (Data Protection Legislation).

2.2 This policy and any other documents referred to in it sets out the basis on which we will process any personal data we collect from data subjects, or that is provided to us by data subjects or other sources. This policy sets out rules on data protection and the legal conditions that must be satisfied when we obtain, handle, process, transfer and store personal data.

2.3 The Data Protection Compliance Manager is responsible for ensuring compliance with the Data Protection Legislation and with this policy. That post is held by Timothy Heppell; 020 7739 7818; enquiries@glyphics.co.uk. Any questions about the operation of this policy or any concerns that the policy has not been followed should be referred in the first instance to the Data Protection Compliance Manager.

3. DEFINITION OF DATA PROTECTION TERMS

3.1 Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

3.2 Data is information which is stored electronically, on a computer, or in certain paper-based filing systems.

3.3 Data subjects for the purpose of this policy include all living individuals about whom we hold personal data. A data subject need not be a UK or an EEA national or resident. All data subjects have legal rights in relation to their personal information.

3.4 Data controllers are the people who or organisations which determine the purposes for which, and the manner in which, any personal data is processed. They are responsible for establishing practices and policies in line with the Data Protection Legislation.

3.5 Data users are those of our employees and contractors whose work involves processing personal data. Data users must protect the data they handle in accordance with this data protection policy and any applicable data security procedures at all times. GLYPHICS DATA PROTECTION POLICY

3.6 Data processors include any person or organisation that is not a data user that processes personal data on behalf of a data controller or on its instructions. Employees of data controllers are excluded from this definition, but it could include suppliers which handle personal data on the data controller’s behalf.

3.7 Personal data means data relating to a living individual who can be identified from that data (or from that data and other information in our possession). Personal data can be factual (for example, a name, address or date of birth) or it can be an opinion about that person, their actions and behaviour.

3.8 Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed

3.9 Processing is any activity that involves use of the data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring personal data to third parties.

3.10 Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

3.11 Special category personal data includes information about a person's racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health or condition or sexual life, genetic data, biometric data (where used for identification purposes) or about the commission of, or proceedings for, any offence committed or alleged to have been committed by that person, the disposal of such proceedings or the sentence of any court in such proceedings. Special category personal data can only be processed under strict conditions, including a condition requiring the express permission of the person concerned.

4. DATA PROTECTION PRINCIPLES

Anyone processing personal data must comply with the enforceable principles of good practice. These provide that personal data must be:

(a) Processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’).

(b) Processed for specified, explicit and legitimate purposes and not further processed in a manner that is in compatible with those processes (‘purpose limitation’).

(c) Adequate, relevant and limited to what is necessary in relation to the purpose for which the data is processed (‘data minimisation’).

(d) Accurate and where necessary kept up to date (every reasonable step must be taken to ensure that personal data that is inaccurate having regard to the purpose for which it was processed is erased or rectified without delay) (‘accuracy’).

(e) Kept in a form which permits the identification of data subjects for no longer than is necessary for the purpose for which the personal data is processed (‘storage limitation’). GLYPHICS DATA PROTECTION POLICY

(f) Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures (‘integrity and confidentiality’).

(g) Processed in line with data subjects' rights.

(h) Not transferred to people or organisations situated in countries without adequate protection.

5. LAWFULNESS, FAIRNESS AND TRANSPARENCY

5.1 The Data Protection Legislation is not intended to prevent the processing of personal data, but to ensure that it is done fairly and without adversely affecting the rights of the data subject.

5.2 For personal data to be processed lawfully, they must be processed on the basis of one of the legal grounds set out in the Data Protection Legislation. These include, among other things, the data subject's consent to the processing, or that the processing is necessary for the performance of a contract with the data subject, for the compliance with a legal obligation to which the data controller is subject, or for the legitimate interest of the data controller or the party to whom the data is disclosed. When special category personal data is being processed, additional conditions must be met. When processing personal data as data controllers in the course of our business, we will ensure that those requirements are met.

6. PURPOSE LIMITATION

6.1 In the course of our business (including the provision of services involving data processing to our clients), we may collect and process the personal data set out in the Schedule. This may include data we receive directly from a data subject (for example, in person, by telephone, text or email and/or via our website) and data we receive from other sources (for example, where prospective clients are referred to us by existing clients, from publicly accessible sources (eg Companies House, LinkedIn), third-party sources, from a third party with the data subject’s consent (eg bank or building society), from cookies on our website (for more information on our use of cookies, please see our cookie policy), via our IT systems (eg: through automated monitoring of our websites and other technical systems, such as our computer networks and connections, communications systems, email and instant messaging systems)). More details on our sources of personal data are set out in the Schedule.

6.2 We will only process personal data for the specific purposes set out in the Schedule or for any other purposes specifically permitted by the Data Protection Legislation.

7. SPECIAL CATEGORY PERSONAL DATA

7.1 Certain personal data is treated as a special category to which additional protections apply under data protection law:

(a) personal data revealing racial or ethnic origin, political opinions, religious beliefs, philosophical beliefs or trade union membership

(b) genetic data

(d) data concerning health, sex life or sexual orientation GLYPHICS DATA PROTECTION POLICY

7.2 Where we process special category personal data, we will also ensure we are permitted to do so under data protection laws, eg:

(a) we have the data subject’s explicit consent

(b) the processing is necessary to protect the data subject’s (or someone else’s) vital interests where they are physically or legally incapable of giving consent

(d) the processing is necessary for reasons of substantial public interest

7.3 We do not currently collect or process special category personal data.

8. DATA MINIMISATION

Personal data will only be collected to the extent that it is required for the specific purpose notified to the data subject by the data controller.

9. ACCURACY

We will ensure that personal data we hold is accurate and kept up to date. We will check the accuracy of any personal data at the point of collection and at regular intervals afterwards. We will take all reasonable steps to destroy or amend inaccurate or out-of-date data.

10. STORAGE LIMITATION

We will not keep personal data longer than is necessary for the purpose or purposes for which it is used.

Different retention periods apply for different types of personal data. Further details on this are set out in the Schedule.

Following the end of the of the relevant retention period, we will take all reasonable steps to destroy, erase from our systems or anonymise the personal data.

11. INTEGRITY AND CONFIDENTIALITY

11.1 Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller must, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, which are designed to implement data-protection principles in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of the Data Protection Legislation and to protect the rights of data subjects.

11.2 In order to ensure data protection by design and by default, we will:

(a) take appropriate security measures against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data.

(b) put in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction. Personal data will only be transferred to a data processor if he agrees to comply with those procedures and policies, or if he puts in place adequate measures himself. GLYPHICS DATA PROTECTION POLICY

(c) maintain data security by protecting the confidentiality, integrity and availability of the personal data, defined as follows:

(i) Confidentiality means that only people who are authorised to use the data can access it.

(ii) Integrity means that personal data should be accurate and suitable for the purpose for which it is processed.

(iii) Availability means that authorised users should be able to access the data if they need it for authorised purposes.

11.3 In particular, the following technical and organisational measures and processes are in place:

(a) intrusion detections and prevention measures and processes;

(b) malware protection measures and process;

(d) backup provision;

(e) pseudonymisation and/or encryption of data (where possible);

(f) company mobile phones, tablets and other devices, as well as personal mobile phones, tablets and other devices, used for the purposes of accessing business emails are secured with a password and can be remotely cleared of all data in the event that any device is lost or stolen;

(g) internal data storage systems are password protected;

(h) employees undertake data protection training;

(i) We have appropriate security measures to prevent personal data from being lost accidentally, or used or accessed unlawfully. We limit access to personal data to those who have a genuine business need to access it. Those processing personal data will do so only in an authorised manner and are subject to a duty of confidentiality; and

(j) We also have procedures to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

12. WHERE PERSONAL DATA IS HELD

12.1 Personal data may be held at our premises and those of our third party agencies, service providers, representatives and agents as described under clause 15 (‘Disclosure and Sharing of Personal Information’) and set out in the Schedule.

12.2 Some of these third parties may be based outside the UK/EEA. For more information, including on how we safeguard personal data when this happens, see clause 13 (‘Transferring Personal Data to a Country Outside the UK and EEA’).

13. TRANSFERRING PERSONAL DATA TO A COUNTRY OUTSIDE THE UK AND EEA

13.1 Personal data may be transferred outside the UK and European Economic Area, provided that one of the following conditions applies:

(a) the UK government has decided the particular country ensures an adequate level of protection of personal data (known as an ‘adequacy regulation’) further to Article 45 of the UK GDPR. GLYPHICS DATA PROTECTION POLICY

(b) in the case of transfers subject to EEA data protection laws, the European Commission has decided that the particular country ensures an adequate level of protection of personal data (known as an ‘adequacy decision’) further to Article 45 of the EU GDPR

(c) there are appropriate safeguards in place, together with enforceable rights and effective legal remedies for the data subject, or

(d) a specific exception applies under relevant data protection law.

13.2 Where we transfer personal data outside the UK or EEA, we do so on the basis of an adequacy regulation or (where this is not available) legally approved standard data protection clauses recognised or issued further to Article 46(2) of the UK GDPR and/or EU GDPR.

13.3 In the event we cannot or choose not to continue to rely on either of those mechanisms at any time, we will not transfer personal data outside the UK/EEA unless we can do so on the basis of an alternative mechanism or exception provided by UK data protection law and reflected in an update to this policy.

13.4 Any changes to the destinations to which we send personal data or in the transfer mechanisms we rely on to transfer personal data internationally will be notified to the data subject in accordance with the section on ‘Changes to This Policy’ below.

14. NOTIFYING DATA SUBJECTS

14.1 Where personal data is collected directly from data subjects, the data controller shall inform them about:

(a) the identity and contact details of the data controller and where appropriate the data controller’s data protection representative;

(b) the contact details of the data protection officer or Data Protection Compliance Manager, where applicable;

(c) the purposes of the processing for which the personal data is intended as well as the legal basis for processing (e.g. the consent of the data subject or the legitimate interests pursued by the data controller or a third party);

(d) the legitimate interests pursued by the data controller or a third party, where processing is carried out on that basis;

(e) the recipients or categories of recipients of the personal data, if any;

(f) the fact that the data controller or the data processor intends to transfer the data outside the UK or EEA and the basis for that transfer, where applicable;

(g) the period for which the personal data will be stored or if that is not possible the criteria used to determine that period;

(h) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;

(i) the existence of the right to withdraw consent to the processing of personal data relating to the data subject (without affecting the lawfulness of processing based on consent before its withdrawal), where processing is carried out on the basis of consent;

(j) the right to lodge a complaint with a supervisory authority (including the Information Commissioner’s Office); GLYPHICS DATA PROTECTION POLICY

(k) whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of the failure to provide such data;

(l) the existence of any automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

14.2 If we receive personal data directly from the data subject, clause 14.1 shall not apply where and insofar as we can demonstrate that the data subject already has the information.

14.3 If we receive personal data from other sources (e.g. from our clients), clause 14.1 shall not apply where and insofar as we can demonstrate that the data subject already has the information, where the provision of such information proves impossible or would involve a disproportionate effort or in accordance with any other exception to this obligation expressly provided for in the Data Protection Legislation.

14.4 Where we are a data processor, we will notify the data controller without undue delay after becoming aware of a personal data breach.

15. DISCLOSURE AND SHARING OF PERSONAL INFORMATION

15.1 We may share personal data we hold with any member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries.

15.2 We may also disclose personal data we hold to third parties:

(a) In the event that we sell or buy any business or assets, in which case we may disclose personal data we hold to the prospective seller or buyer of such business or assets;

(b) If we or substantially all of our assets are acquired by a third party, in which case personal data we hold will be one of the transferred assets; or

(c) If we are under a duty to disclose or share a data subject's personal data in order to comply with any legal obligation, or in order to enforce or apply any contract with the data subject or other agreements; or to protect our rights, property, or safety of our employees, customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.

15.3 We also routinely share personal data with:

(a) third parties we use to help deliver our services, eg payment service providers, our cloud service suppliers;

(b) other third parties we use to help us run our business, eg marketing agencies or website hosts;

(c) third parties approved by data subjects, eg social media sites a data subject chooses to link its account to or third party payment providers; and

(d) our banks.

15.4 We may also share personal data we hold with selected third parties for the purposes set out in the Schedule. GLYPHICS DATA PROTECTION POLICY

15.5 We or the third parties mentioned above occasionally also share personal data with:

(a) our and their external auditors, eg in relation to the audit of our or their accounts, in which case the recipient of the information will be bound by confidentiality obligations;

(b) our and their professional advisors (such as lawyers and other advisors), in which case the recipient of the information will be bound by confidentiality obligations;

(c) law enforcement agencies, courts, tribunals and regulatory bodies to comply with our legal and regulatory obligations; or

(d) other parties that have or may acquire control or ownership of our business (and our or their professional advisers) in connection with a significant corporate transaction or restructuring, including a merger, acquisition, asset sale, initial public offering or in the event of our insolvency—usually, information will be anonymised but this may not always be possible. The recipient of any personal data will be bound by confidentiality obligations.

16. RIGHTS OF DATA SUBJECTS

16.1 Data subjects have the following right, which they can exercise free of charge:

Access - The right to be provided with a copy of their personal data

Rectification - The right to require us to correct any mistake in their personal data

Erasure (also known as the right to be forgotten) - The right to require us to delete their personal data in certain situations

Restriction of processing - The right to restrict processing of their personal data in certain circumstances, e.g.if you contest the accuracy of the data

Data portability - The right to receive the personal data you provided to us, in a structured, commonly used and machine-readable format and/or transmit that daa to a third party-in certain situations

To object - The right to object to - at any time to their personal data being processed for direct marketing (including profilling) - in certain other situations to our continued processing of their personal data e.g. processing carried out for the purpose of our legitimate interests unless there are compelling legitimate grounds for the processing to continue or the processing is required for the establishment, exercise or defence of legal claims

Not to be subject to automated individual decision making - The right not to be subject to a decision based solely o automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you

The right to withdraw consent - If you have provided us with the consent to use their personal data you have a right to withdraw that consent easily at any time. A daa subject may withdraw consent by contacting us. Withdrawing consent will not affect the lawfulness of our use of their personal data in reliance on that consent before it was withdrawn

16.2 For more information on each of those rights, including the circumstances in which they apply, please contact us (see ‘How to contact us’ below).

16.3 If a data subject would like to exercise any of those rights, they should:

(a) Email or call us (see ‘How to contact us’ below);

(b) provide enough information to identify themselves (eg full name, address and customer or matter reference number) and any additional identity information we may reasonably request from them; and

17. DEALING WITH REQUESTS BY THE DATA SUBJECT

17.1 Data subjects may make a request regarding any of the rights set out in clause 16.

17.2 All such requests should be made in writing and sent to the Data Protection Compliance Manager as specified in clause 2.3 (our employees will refer a request to their line manager or the Data Protection Compliance Manager for assistance in difficult situations).

17.3 When receiving telephone enquiries, we will only disclose personal data we hold on our systems if the following conditions are met:

(a) We will check the caller's identity to make sure that information is only given to a person who is entitled to it; and

(b) We will suggest that the caller put their request in writing if we are not sure about the caller’s identity and where their identity cannot be checked.

18. HOW TO COMPLAIN

18.1 Please contact us if you have any queries or concerns about our use of your personal data (see ‘How to contact us’ below). We hope we will be able to resolve any issues you may have.

18.2 You may also have the right to lodge a complaint with the Information Commissioner (the UK data protection regulator) and/or the relevant supervisory authority in your jurisdiction.

19. CHANGES TO THIS POLICY

This policy may change from time to time. Where appropriate, we will notify data subjects of those changes via our website, mail or email.

20. UPDATING PERSONAL DATA

We take reasonable steps to ensure your personal data remains accurate and up to date. To help us with this, please let us know if any of the personal data you have provided to us has changed, eg your surname or address - see ‘How to contact us’ below.

21. HOW TO CONTACT US

21.1 You can contact us by post, email or telephone if you have any questions about this data protection policy or the information we hold about you, to exercise a right under data protection law or to make a complaint.

21.2 Our contact details are shown below:

Email: enquiries@glyphics.co.uk

Telephone number: 020 7739 7818

Glyphics Limited, February 2026

Data processing activities of Glyphics Limited

1.Current, former and prospective employees

What personal data is processed?

Name; title; date of birth; contact details; financial details; national insurance numbers; proof of right to work in UK

What is the source of the personal data?

The data subject (in person, by telephone, text or email and/or via our website); your manager; your personnel records; the Home Office; pension administrators; your doctors; medical and occupational health professionals we engage; our insurance benefit administrators; other employees, consultants and other professionals we may engage, eg to advise us generally and/or in relation to any grievance, conduct appraisal or performance review procedure; via our systems (eg door entry systems, swipe card systems, time management system, time clock records, application logs, screen capture, application logs, webcams, automated monitoring of our websites and other technical systems, such as our computer networks and connections, CCTV and access control systems, communications systems, remote access systems, email and instant messaging systems, intranet and Internet facilities, telephones, voicemail, mobile phone records, data loss prevention tools, next-generation firewalls, unified threat management systems, transport layer security, eDiscovery technology, mobile device management systems and visits to our website)

Is personal shared with third parties?

HMRC; Royal Bank of Scotland Mentor Services; NatWest Mentor for HR and H&S; Google Workspace

Where is the information stored and processed?

UK; USA

Purpose(s) for processing

Maintenance of the data subject’s employment file; Payment of the employee’s salary; Other purposes directly connected with the data subject’s employment

Retention period

6 years from the date of termination of employment

Legal basis for processing under the UK GDPR and EU GDPR

Article 6(1)(c) - legal obligation; Article 6(1)(b) - contract

2. Current, former and prospective suppliers and other contractors who are not employees

What personal data is processed?

Name; title; contact details; financial details; national insurance numbers; proof of right to work in UK; training records

What is the source of the personal data?

The data subject (in person, by telephone, text or email and/or via our website); third-party sources; your manager; our employees; other consultants and other professionals we may engage, eg to advise us generally and/or in relation to any grievance; via our systems (eg door entry systems, swipe card systems, automated monitoring of our websites and other technical systems, such as our computer networks and connections, CCTV and access control systems, communications systems, remote access systems, email and instant messaging systems, intranet and Internet facilities, telephones, voicemail, mobile phone records, data loss prevention tools, next-generation firewalls, unified threat management systems, transport layer security, eDiscovery technology, mobile device management systems and visits to our website)

Who is the information shared with?

Streamtime; Clarity Software; Google Workspace

Where is the information stored and processed?

UK; USA; Australia

Purpose(s) for processing

Maintenance of records of services provided by the data subject to the data controller; Payment of service fees for services provided by the data subject to the data controller; Other purposes directly connected with the data subject’s provision of services to the data controller

Retention period

5 years from the date the controller last placed an order, or made contact regarding an order, with the data subject

Legal basis for processing under the UK GDPR and EU GDPR

Article 6(1)(b) – contract; Article 6(1)(f) – legitimate interest

3.Current and former clients

What personal data is processed?

Name; contact details (including email address and telephone number, company details and job titles); financial details (your billing information, transaction and payment card information); your contact history; information from accounts you link to us, eg Facebook, LinkedIn; information about how you use our website, communication and other systems

What is the source of the personal data?

The data subject (in person, by telephone, text or email and/or via our website); from publicly accessible sources, eg Companies House, LinkedIn; from a third party with your consent, eg your bank or building society; from cookies on our website; via our IT systems, eg through automated monitoring of our websites and other technical systems, such as our computer networks and connections, communications systems, email and instant messaging systems

Who is the information shared with?

Streamtime; Clarity Software; Google Workspace

Where is the information stored and processed?

UK; USA; Australia

Purpose(s) for processing

Maintenance of records of services provided by the data controller to the data subject; Processing of service fees for services provided by the data controller to the data subject; Other purposes directly connected with the data controller’s provision of services to the data subject; Marketing and marketing analytics

Retention period

Personal data deleted 6 years after the completion of the services provided by the data controller to the data subject

Legal basis for processing under the UK GDPR and EU GDPR

Article 6(1)(b) – contract; Article 6(1)(f) – legitimate interest

4.Prospective clients

What personal data is processed?

Name; contact details (including email address and telephone number, company details and job titles); your contact history; information from accounts you link to us, eg Facebook, LinkedIn; information about how you use our website, communication and other systems

What is the source of the personal data?

The data subject (in person, by telephone, text or email and/or via our website); third-party sources; from publicly accessible sources, eg Companies House, LinkedIn; from a third party with your consent, eg your bank or building society; from cookies on our website; via our IT systems, eg through automated monitoring of our websites and other technical systems, such as our computer networks and connections, communications systems, email and instant messaging systems

Who is the information shared with?

Clarity Software; Google Workspace, Call Rail

Where is the information stored and processed?

UK; USA

Purpose(s) for processing

Processing of quotes for services provided by the data controller to the data subject; Direct marketing to prospective clients; Marketing and marketing analytics

Retention period

1 year with a monthly review

Legal basis for processing under the UK GDPR and EU GDPR

Article 6(1)(f) – legitimate interest

5.Newsletter recipients

What personal data is processed?

Name; contact details

What is the source of the personal data?

The data subject (e.g. via our website)

Who is the information shared with?

Google Workspace

Where is the information stored and processed?

UK; USA

Purpose(s) for processing

Until the newsletter recipient unsubscribes from the newsletter.

Legal basis for processing under the UK GDPR and EU GDPR

Article 6(1)(f) – legitimate interest

6.Emergency contacts

What personal data is processed?

Name; contact details

What is the source of the personal data?

Current, former and prospective employees; Current, former and prospective suppliers and other contractors who are not employees

Who is the information shared with?

Google Workspace, Nat West

Where is the information stored and processed?

UK; USA

Purpose(s) for processing

To ensure we can act responsibly in the event of an accident or serious illness involving an employee, supplier or contractor

Retention period

For emergency contacts of current, former and prospective employees - 7 years from date of termination of employment.

For emergency contacts of current, former and prospective suppliers - 5 years from the date our last order or contact regarding an order was made.

Legal basis for processing under the UK GDPR and EU GDPR

Article 6(1)(f) – legitimate interest