Privacy Policy
A legal disclaimer
Under UK data protection law, we must have a “lawful basis” for collecting and using your personal information. There is a list of possible lawful bases in the UK GDPR. You can find out more about lawful bases on the ICO’s website.
​
Which lawful basis we rely on may affect your data protection rights which are in brief set out below. You can find out more about your data protection rights and the exemptions which may apply on the ICO’s website:
-
Your right of access - You have the right to ask us for copies of your personal information. You can request other information such as details about where we get personal information from and who we share personal information with. There are some exemptions which means you may not receive all the information you ask for. You can read more about this right here.
-
Your right to rectification - You have the right to ask us to correct or delete personal information you think is inaccurate or incomplete. You can read more about this right here.
-
Your right to erasure - You have the right to ask us to delete your personal information. You can read more about this right here.
-
Your right to restriction of processing - You have the right to ask us to limit how we can use your personal information. You can read more about this right here.
-
Your right to object to processing - You have the right to object to the processing of your personal data. You can read more about this right here.
-
Your right to data portability - You have the right to ask that we transfer the personal information you gave us to another organisation, or to you. You can read more about this right here.
-
Your right to withdraw consent – When we use consent as our lawful basis you have the right to withdraw your consent at any time. You can read more about this right here.
​
If you make a request, we must respond to you without undue delay and in any event within one month.
To make a data protection rights request, please contact us using the contact details at the top of this privacy notice.
Our lawful bases for the collection and use of your data
Our lawful bases for collecting or using personal information for information updates or marketing purposes are:
-
Consent - we have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time.
Our lawful bases for collecting or using personal information for dealing with queries, complaints or claims are:
-
Consent - we have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time.
Where we get personal information from
-
Directly from you
How long we keep information
Please refer to the Data Retention Policy below.
How to complain
If you have any concerns about our use of your personal data, you can make a complaint to us using the contact details in the webpage footer.
​
If you remain unhappy with how we’ve used your data after raising a complaint with us, you can also complain to the ICO.
The ICO’s address:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline number: 0303 123 1113
Data Retention Policy
​Scope
The data which Tom Francis LX (TFLX) creates and receives is subject to this Data Retention Policy.
​
Retention policy
Any data should only be kept for as long as there is an administrative need to keep it to enable the TFLX to carry out its business or support functions, or for as long as it is required to demonstrate compliance for audit purposes or to meet legislative requirements. Legislative requirements include, but are not limited to, compliance with the Public Record Act 1958 (selection and disposition of records), the Enterprise and Regulatory Reform Act 2013, the Competition Law Act 1998, the Code of Practice on the Management of Records issued under section 46 the Freedom of Information Act 2000, the Data Protection Act 2018 and the UK GDPR.
​
Retention of personal data
Any personal data processed as part of an enquiry should only be kept for as long as there is a business need, otherwise it should be destroyed at the earliest opportunity.
​
Data protection law requires that ‘Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed’.
‘Personal data’ is any information relating to a living individual who can be identified, directly or indirectly from it, in particular by reference to a name, an identification number, location data, an online identifier or to factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual.
‘Processing’ is anything we do to personal data for example collecting, receiving, storing, viewing, accessing, disclosing, sharing, profiling, deleting, redacting.
Examples of where personal data might be being processed and what needs to be done with the personal data to ensure compliance with data protection law are listed below:​
-
Email accounts - Emails containing personal data that is no longer required should be deleted as soon as possible.
-
OneDrive – Documents containing personal data that is no longer required should be deleted as soon as possible.