Privacy Policy

Privacy Notice
Version: 2.0
Last Updated: 12 February 2025

1. Introduction

Welcome to The Data Privacy Group. This Privacy Notice explains how we collect, use, disclose, and protect your personal data in compliance with the UK GDPR and the Data Protection Act 2018. This version supersedes Version 1.0, which was last updated on 30 May 2019.

2. Data Controller Details

The Data Privacy Group is the data controller responsible for your personal data. Our registered address is:

Chandos House,
School Lane,
Buckingham,
MK18 1HD,
United Kingdom.

We are registered with the Information Commissioner’s Office (ICO) under registration number ZA497846.
For any questions regarding this Privacy Notice, please contact us at:
privacy@thedataprivacygroup.com

3. Data Protection Officer (DPO)

We have appointed a Data Protection Officer (DPO) to oversee compliance with this Privacy Notice. Our DPO is Mr Peter Borner, and you can contact him at Peter.Borner@thedataprivacygroup.com or via phone at +44 1908 915660.

4. Personal Data We Collect

We may collect and process the following categories of personal data:

  • Identification details (e.g., name, job title, company name)
  • Contact details (e.g., email address, phone number, postal address)
  • Online identifiers (e.g., IP address, cookies, device information)
  • Communication data (e.g., correspondence with us)
  • Any other data provided voluntarily (e.g., inquiries, feedback, or complaints)

5. Legal Basis for Processing

We process your personal data based on one or more of the following legal bases:

  • Consent (where required and explicitly given)
  • Performance of a contract
  • Compliance with legal obligations
  • Legitimate interests, such as:
      • Provision of Consulting and Operationalisation Services
      • Business Development and Client Relationship Management
      • Compliance with Legal and Regulatory Obligations
      • IT and Security Management
      • Financial and Contractual Management
      • Staff and Supplier Management.

6. Retention Periods

We retain personal data for as long as necessary to fulfill the purposes outlined in this Privacy Notice. Specific retention periods may include:

  • Contract-related data: 6 years from contract termination.
  • Inquiry data: 12 months for inquiries that do not convert into business; 6 years if the inquiry leads to a contract.
  • Marketing data: Until the individual opts out; reviewed every 2 years to remove outdated data.

7. International Data Transfers

We do not transfer personal data that we control outside the UK/EEA.

8. Automated Decision-Making & Profiling

We do not use automated decision-making, profiling, or monitoring.

9. Data Subject Rights

You have the following rights under the UK GDPR:

  • Right to access your data
  • Right to rectification
  • Right to erasure (‘right to be forgotten’)
  • Right to restrict processing
  • Right to data portability
  • Right to object to processing
  • Right to withdraw consent at any time
  • Right to lodge a complaint with the ICO.

To exercise these rights, please contact us at privacy@thedataprivacygroup.com. We aim to respond within 30 days under UK GDPR. This timeframe may vary in other jurisdictions.

10. Complaints to the ICO

If you are not satisfied with how we handle your personal data or our response to your data protection requests, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO).

You can contact the ICO at:
Website: https://ico.org.uk/make-a-complaint/
Phone: 0303 123 1113
Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom

We encourage you to contact us first at privacy@thedataprivacygroup.com so we can address your concerns before you escalate to the ICO.

11. Security Measures

We take the security of personal data seriously and implement appropriate technical and organisational measures to protect it against unauthorised access, loss, or misuse. Our security measures include:

  • A formal Data Protection and Information Security Framework aligned with UK GDPR and ISO 27001.
  • Centrally managed staff devices with enforced security policies via Microsoft Intune.
  • Encryption of all laptops and endpoint protection with threat detection.
  • Multi-Factor Authentication (MFA) for access to company systems.
  • Secure data transmission using TLS encryption.
  • Regular security training and awareness programs for all employees.
  • A formal Incident Response Plan for handling security incidents and data breaches.

A full description of our Technical and Organisational Measures (TOMs) is available upon request. You may also refer to our Data Processing Agreement (DPA) for clients, which outlines additional security measures and data protection commitments.

12. Updates to This Privacy Notice

We may update this Privacy Notice periodically. Any changes will be communicated via our website or direct communication where necessary.
For further information, please contact us at privacy@thedataprivacygroup.com.

13. No Contractual Rights

This Privacy Notice is for informational purposes only and does not create any contractual or legal rights for any party. Any rights and obligations regarding personal data processing will be governed by applicable laws and any contracts in place between the parties.