GDPR Privacy / Policy Notice – May 2018

The data we collect about you is held only by us for our core business processing; it is not shared with anyone, and we are fully compliant with the new GDPR regulations.

General Data Protection Principles

Any data will be processed lawfully, fairly and in a transparent manner in relation to individuals. It will be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Any data collected will be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

Personal data shall be accurate and, where necessary, kept up to date; every reasonable step will be taken to ensure that personal data which is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay.

Data will be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes.

Data will be processed in a manner that ensures the appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Our lawful basis for processing of data.

Where our lawful basis for processing is contract, we have a contract with the individual and need to process their personal data to comply with obligations under the contract. If we haven’t yet got a contract with the individual, but they have asked us to do something as a first step (e.g. provide a quote) and we need to process their personal data to do what they ask, the lawful basis applies.

The processing is necessary to deliver our side of the contract with this particular person. As the processing is necessary for a contract with the individual, processing is lawful on this basis and we do not need to get separate consent.

Right to withdraw consent / removal.

We tell individuals they can withdraw their consent. We ensure that individuals can refuse to consent without detriment. We avoid making consent a precondition of a service. We act on withdrawals of consent as soon as we can. We don’t penalise individuals who wish to withdraw consent.

Right to access all data stored.

All individuals have the right to access all data we store about them. Any requests should be made in writing or by email to our head office address as per our contact page on our website or details below.

Right to rectification.

If you feel that the data we hold about you is incorrect please contact us in writing or by email to our head office address as per our contact page on our website or details below.

Right to erasure.

If you feel that the data we hold about you is incorrect or wish to have it erased please contact us in writing or by email to our head office address as per our contact page on our website or details below.

Right to restrict processing.

Individuals have the right to request the restriction or suppression of their personal data. This is not an absolute right and only applies in certain circumstances. When processing is restricted, we are permitted to store the personal data, but not use it. An individual can make a request for restriction verbally or in writing. We will respond within one calendar month to a request.

Right to data portability.

Personal data will not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Data portability requests can be made verbally or in writing. We transmit personal data in a structured, commonly used, machine-readable format. If we refuse a request, we will provide the reasons to individuals. We will respond to a request for data portability without undue delay and within one month of receipt.

Data destruction.

Our waste paper and any confidential documents are destroyed in a secure manner by m and s shredding Ltd. Digital data stored on magnetic storage disks in I.T. equipment or peripherals is securely erased with a DOD-specified wipe before disposal, resale or recycling.

Children.

If we process children’s personal data we will design our systems and processes to protect them from the outset. Compliance with the data protection principles and in particular fairness is central to processing of children’s personal data.

If consent is our lawful basis for processing personal data, when offering an online service directly to a child, only children aged 13 or over are able to provide their own consent. For children under this age we will get consent from whoever holds parental responsibility for the child. If we process children’s data we will write clear privacy notices for children so that they are able to understand what will happen to their personal data, and what rights they have.

Our privacy notices will be clear, and written in plain, age-appropriate language. We use child friendly ways of presenting privacy information, such as: diagrams, cartoons, graphics and videos, dashboards, layered and just-in-time notices, icons and symbols. We explain to children why we require the personal data we have asked for, and what we will do with it, in a way which they can understand. As a matter of good practice, if we are relying upon parental consent then we offer two different versions of our privacy notices; one aimed at the holder of parental responsibility and one aimed at the child.

Children have the same rights as adults over their personal data. These include the rights to access their personal data; request rectification; object to processing and have their personal data erased.

We regularly review available age verification and parental responsibility verification mechanisms to ensure we are using appropriate current technology to reduce risk in the processing of children’s personal data.

If we send electronic marketing messages to children we will comply with the Privacy and Electronic Communications Regulations 2003.

If you require further information please contact us in writing or by email to our head office address as per our contact page on our website or details below.

Information security compliance.

Our compliance with data protection in the specific areas of information and cyber security policy and risk, mobile and home working, removable media, access controls and malware protection is taken very seriously and we make every effort to ensure all data has adequate protection.

How we protect data.

We undertake an analysis of the risks presented by our processing and use this to assess the appropriate level of security we need to put in place. We make sure that we regularly review our information security policies and measures and, where necessary, improve them. We understand the requirements of confidentiality, integrity and availability for the personal data we process. We make sure that we can restore access to personal data in the event of any incidents, such as by establishing an appropriate backup process. We conduct regular testing and reviews of our measures to ensure they remain effective, and act on the results of those tests where they highlight areas for improvement.

We use an antivirus with live protection and email scanning to protect any vulnerable equipment. We ensure a recommended firewall is installed and up to date. We ensure all relevant software has up-to-date security patches.

Data breach reporting.

We have a prepared response plan for addressing any personal data breaches that may occur. Our staff know how to escalate a security incident to the appropriate person or team in our organisation to determine whether a breach has occurred or not. We have in place processes to assess the likely risk to individuals as a result of a breach. We will inform individuals in a timely manner in accordance with current GDPR regulations.

Data protection officer.

A Data Protection Officer is required for public authorities or for certain types of processing. We have appointed a responsible person to manage our data protection.

Our appointed person is:

Jou Wong

Documentation.

We document our processing activities in writing and conduct regular reviews of the personal data we process and update our documentation accordingly. We document our processing activities in electronic form so we can add, remove and amend information easily.

Further information.

If you require further information please contact us.

ESSEX DIGITAL COPIERS
197, Hullbridge Rd, South Woodham Ferrers,
Chelmsford, Essex,
CM3 5LW

Tel 01245 329 686
Fax 01245 328049
Mob 07836 386755

Email: sales@essexdigitalcopiers.co.uk