Privacy Policy

Introduction

Data Protection & Privacy Expert (DPPE) is committed to ensuring compliance with all relevant and applicable data protection laws and regulations. We recognise and accept our responsibility to manage personal data in line with the UK General Data Protection Regulation (UK GDPR), Data Protection Act 2018 (DPA 2018) and other relevant and applicable legislation in relation to the collecting and using of personal data.

 

This Privacy Policy describes our policies and procedures on the collection, use and disclosure of your information when you use our services. It also outlines your Information Rights and how the law protects you.

 

Across each of the services we provide, we are dedicated to maintaining the confidentiality and rights to privacy of all our patients, service users, employees, contractors, and other individuals we engage with. We take our responsibilities in relation to data protection and information rights seriously and maintain robust processes for safeguarding the personal information we hold in order to carry out our services and provide easy access to the information rights of individuals.

 

Data Controller

Laura Palmariello, t/a Data Protection & Privacy Expert is the data controller for the information being collected and processed, unless otherwise stated. If you wish to contact us, this can be done via email (info@dataprivacyexpert.co.uk) or telephone (07943 879 142). We are based in the UK.

 

A data controller is the business that collects your data AND decides how it is processed. A data processor is the business that may process personal data but only acts on behalf of the data controller. If you are a client and we have to process your data as part of delivering our services, we will generally do this on your behalf, making us the data processor for such scenarios.

 

The UK GDPR requires every organisation that processes personal information to be registered with the Information Commissioner's Office (ICO). Our registration number is ZB563052.

 

Our promise to you

We are committed to our responsibility to be fair, lawful, and transparent when it comes to managing your information. We endeavour to make our processing activities easy to read and understand and we welcome your feedback.

 

We promise that:

​

✓ We will do everything physically possible to keep your information secure and confidential.

✓ You are in control of how we communicate with you – and you can change your preferences at any time by contacting us.

✓ We will train our staff to ensure that they know how to manage your information appropriately and in line with regulations.

✓ We will not transfer your data to third parties, except for individuals who conduct work for us and trusted partners who carry out specialist processing, e.g., accountant, bank for financial transactions.

✓ We have done all checks possible to verify that any third parties comply with data protection legislation and will only use them if we are satisfied that they take your privacy seriously.

 

Personal Data

Personal data refers to any information relating to an identified or identifiable natural person (often referred to as a "data subject"). An identifiable person is one who can be identified, directly or indirectly, especially by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. This means if the information you have can lead you to identify a specific person, either on its own or when combined with other pieces of information you might reasonably access, it's considered personal data. Examples include email addresses, social security numbers, and even IP addresses.

 

Personal Special Category Data

Personal Special Category Data is a subset of personal data that is considered more sensitive, and therefore requires higher levels of protection. According to the UK General Data Protection Regulation (UK GDPR) and GDPR, special categories include details about an individual's:

​

✓ Racial or ethnic origin

✓ Political opinions

✓ Religious or philosophical beliefs

✓ Trade union membership

✓ Genetic data

✓ Biometric data (where used for identification purposes)

✓ Health information

✓ Sex life or sexual orientation

 

The processing of these special categories of personal data is generally prohibited, except under specific conditions, such as when the data subject has given explicit consent, or the processing is necessary for specific legal or health-related purposes. The idea is to safeguard the rights and freedoms of individuals, given the sensitivity of this data and the potential for discrimination or harm if it were misused.

​

We only process special category data where it is necessary as part of our consultancy service and only for as long as necessary for the intended purpose. 

 

Legal Basis

Where we process personal data, we will only do this if we have identified a legal basis to do so according to the UK GDPR/GDPR. In instances where we process special categories of personal data, such processing is undertaken only when a legitimate legal basis exists, and in conjunction with a specific condition for processing as outlined under Article 9 of the relevant data protection regulation.

 

We are committed to the principle of data minimisation, ensuring that special categories of personal data, and personal data as a whole, are processed solely when absolutely necessary, and avoiding any processing of data that is not essential for our operations.

 

Generally, for personal data, we rely on LEGITIMATE INTEREST, CONSENT, CONTRACT, or LEGAL OBLIGATION, depending on the purpose of processing. We will delete or anonymise your data as soon as it is no longer needed and not required by law.

 

Consent

Where we rely on consent as our legal basis, you have the right to withdraw this at any time. The same is true for legitimate interest unless there is an overriding reason not to and this aligns with the law. Please contact us via email to withdraw your consent. For cookie consent, please update your preferences on our website. You can also opt out of any marketing communications you receive from us at any time, by following the instructions for opting out within any communication.

 

Personal Data that we process

Information we collect and store depends on the service you have requested or are interested in requesting and whether we are entering into a contract. We always collect the minimum data necessary for the purpose of the services requested.

 

Contracting Services

When you contract our services, we collect your organisation's details, your contact information, and any details of contacts you provide to ensure we can fulfil our contractual obligations. We process commercial, confidential, and sensitive information as specified in the contract and data processing agreement. This includes processing financial details for invoicing and financial transactions. Upon termination of our contract, we adhere to all specified instructions regarding the handling of personal and other data processed on your behalf. Our legal basis for these activities is Legitimate Interest, as the contract does not directly involve your employees, whose data we process as part of our contractual obligations.

​

Enquiring About Our Services

If you enquire about our services, we collect personal details through your preferred communication method, either email or telephone. This data collection is based on your Consent, which you provide voluntarily for the purposes specified in your inquiry. Additionally, we may contact you regarding other services based on Legitimate Interest, assuming there is a clear basis for such interest and provided you have not opted out of such communications. You have the right to request the deletion of your information at any time; however, this may affect our ability to respond to your enquiry if deletion is requested before we have replied.

​

We commit to reminding you annually of your rights to update your preferences. Upon your request for data deletion, we ensure that the deletion is performed securely, making the data irretrievable.

 

International Transfers

While we do not directly transfer data outside the European Economic Area (EEA), some of our service providers may need to transfer data internationally to fulfil specific service requirements. In such cases, we ensure that both we and our suppliers implement appropriate safeguards to protect your data in accordance with UK GDPR standards. This may include the use of Standard Contractual Clauses or ensuring that the providers are certified under privacy frameworks recognised by the UK.

​

Systems and Software

We use the following Microsoft products:

Teams, SharePoint and Outlook which are supported outside of the UK. We will only use Microsoft Forms if requested or approved by our clients. We have a Data Protection Impact Assessment in place for the use of Microsoft 365.

​​

Microsoft have confirmed that other tools such as Microsoft Forms are backed up on servers operating procedures for our staff to ensure safe usage.

​​

Information Sharing, Security and Retention

We will not share your information with any third parties for the purposes of direct marketing. We use third parties to support the provision of our services and therefore under GDPR/UK GDPR they are considered data processors. These third parties include accountancy services, banking services and freelancers. Our cloud environments and information security are safely and securely managed by our partners at Data Privacy Simplified, who have Cyber Essentials Certification and are one of our trusted suppliers. We also work in partnership with them for some of our contracts. We do not download any sensitive information; all sensitive and personal information is kept in secure SharePoint folders within the Microsoft environment. All laptops and computers have 2FA and are encrypted. All cloud-based applications for hosting, storing, and processing your data, depending on the service or contract we have with you, fall under Microsoft products. Their privacy policy can be found here: https://privacy.microsoft.com/en-gb/privacystatement

 

We also use WIX forms by WIX, our website host, where you use the application to contact us through our website. Wix does transfer data out of the UK and they have appropriate safeguards in place to protect personal information. 

 

Their privacy policy can be found here: https://www.wix.com/about/privacy .

 

Retention

We and our cloud providers will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you. To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements. 

​

Any data we process, where we act as data processor on your behalf, will be deleted as soon as we no longer need to process it for the purposes of delivering our services to you or whenever you ask us to, unless there is a legal obligation for us to keep it longer. Where we provide links to websites of other organisations, this privacy notice does not cover how that organisation processes personal information.

 

We encourage you to read the privacy notices on the other websites you visit.

 

Your Data Protection Rights

Under data protection law you have certain rights that you can exercise in regard to your personal data. These are outlined below:

✓ You have the right to ask us for copies of your personal information. This right always applies. There are some exemptions, which means you may not always receive all the information we process.

✓ You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies.

✓ You have the right to ask us to erase your personal information in certain circumstances.

✓ You have the right to ask us to restrict the processing of your information in certain circumstances.

✓ You have the right to object to processing if we are able to process your information because the process forms part of our public tasks or is in our legitimate interests.

✓ You have the right to ask that we transfer the information you gave us from one organisation to another or give it to you. Your right to portability only applies to information you have given us. The right applies when we are processing your data with your consent or for the performance of a contract and when we are carrying out the processing by automated means.

 

Your rights are not absolute in some cases and exemptions and/or restrictions may apply. You can find out more about your rights on the ICO website. If you are the data subject of one of our clients and you make an information rights request with us, we will refer your request to them as the data controller.

 

Cookies

Cookies are simple text files that are stored on your computer or mobile device by a website’s server. Each cookie is unique to your web browser. It will contain some anonymous information such as a unique identifier, website’s domain name, and some digits and numbers.

 

Cookie Consent

We need your consent in order to use these cookies and consent is sought as soon as you visit our website. Should you reject cookies that are necessary to run the website, you may not be able to use it. There is no obligation to accept non-essential cookies. 

 

What types of cookies do we use?

We use necessary and analytics cookies on our website. You can accept, decline or change settings any time you visit our website; however, we will only ask you for consent the first time and every time we make major changes to our website. Necessary cookies are required to use basic functions and features of our website and allow us to offer you the best possible experience when accessing and navigating through our website. Analytics cookies are cookies that track how users navigate and interact with a website.

 

The information collected is used to help the website owner improve.

 

How to delete cookies or change preferences

If you want to restrict or block the cookies that are set by our website, you can do so through your browser settings or our cookie settings widget. Alternatively, you can visit www.internetcookies.com, which contains comprehensive information on how to do this on a wide variety of browsers and devices. You will find general information about cookies and details on how to delete cookies from your device.

 

How to complain

If you have any concerns about our use of your personal information, you can make a complaint to us via email on info@dataprotectionexpert.co.uk or via phone on 07943 879 142.

 

You also have the right to complain to the ICO if you are unhappy with how we use or have used your data.

 

The ICO's address:

Information Commissioner's Office, Wycliffe House, Wilmslow, Cheshire, SK9 5AF

Helpline number: 0303 123 1113

Website: https://ico.org.uk

 

Review and Updates

This Privacy Notice will be reviewed annually, or as and when legislation or regulations change, and when our data processing activities change. The last review of this Privacy Notice took place on 3rd September by Laura Palmariello. The next review of this Privacy Notice will take place by 2nd September 2025. We will inform data subjects of any changes to our processing activities via email.