+44.7762292979


Privacy Notice

  

The GRC Director (“We, Us, Our”) understands that your privacy is important and that you care about how your personal data is used. We respect and value the privacy of all individuals (known as Data Subjects) whose personal data is provided to or obtained by Us during the course of Our business activities. We will only collect and use personal data in ways that are described here, and in a way that is consistent with Our obligations and your rights under the law.

“Applicable Data Protection Law” means all legislation and regulations in force from time to time regulating the use of personal data and the privacy of electronic communications including, but not limited to, the retained EU law version of the General Data Protection Regulation ((EU) 2016/679) (the “UK GDPR”), as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018, the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003 as amended, The Data Use and Access Act 2025, and any successor legislation.

1. Information About Us as a Data Controller

The GRC Director is the trading name of Stephen Murray, a sole trader operating in England and Wales.

Data Protection Officer: Stephen Murray (CIPP/E, CIPM).

· Email address: stephen@thegrcdirector.co.uk.

· Telephone number: 07762 292 979.

· Postal address: 2 Bayfield Close, Hade Edge, Holmfirth, HD9 2QX.

We are regulated by the Information Commissioner’s Office (ICO).

2. What Does This Notice Cover?

This Privacy Notice explains how We use your personal data:

· how it is collected;

· how it is held; and

· how it is processed.

It also explains your rights under the law relating to your personal data.

3. What Is Personal Data?

Personal data is defined by the Applicable Data Protection Law as ‘any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier’.

Personal data is, in simpler terms, any information about you that enables you to be identified. Personal data covers obvious information such as your name and contact details, but it also covers less obvious information such as identification numbers, electronic location data, and other online identifiers.

The personal data that We use is set out in section 5, below.

It is important that your personal data is kept accurate and up to date. If any of the personal data We hold about you changes, please keep Us informed whilst ever We have that data.

4. What Are My Rights?

Under the Applicable Data Protection Law, you have the rights to:

a. Request access to your personal data (commonly known as a "data subject access request" or "DSAR"). This means you can ask for and receive a copy of the personal data We hold about you and check that We are lawfully processing it.

b. Request correction of the personal data that We hold about you. This means you can have any incomplete or inaccurate data We hold about you corrected, though We may need to confirm the accuracy of any new data you provide.

c. Request erasure of your personal data (sometimes referred to as the right to be forgotten). This means you can ask Us to delete or remove personal data where there is no good reason for Us continuing to process it. You also have the right to ask Us to delete your personal data where you have successfully exercised your right to object to processing (see below), where We may have processed your information unlawfully or where We are required to erase your personal data to comply with the law. However, We may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.

d. Object to processing of your personal data where We are relying on a legitimate interest (or those of a third party) as you feel it impacts on your fundamental rights and freedoms and there is something about your particular situation which makes you want to object to the processing. You also have the right to object where We are processing your personal data for direct marketing purposes. In some cases, We may demonstrate that We have compelling legitimate grounds to process your information which override your rights and freedoms.

e. Request restriction of processing of your personal data. This means you can ask Us to suspend the processing of your personal data in the following scenarios: (a) to establish the data's accuracy; (b) where Our use of the data is unlawful but you do not want Us to erase it; (c) where you need Us to hold the data even if We no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to Our use of your data but We need to verify whether We have overriding legitimate grounds to use it.

f. Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for Us to use or where We used the information to perform a contract with you.

g. Withdraw consent at any time where We are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, We may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.

Note: We do not rely on consent as a legal basis for processing personal data. We are working with you in a business, not-for-profit organisation or similar capacity, and We consider that you are not providing data which relates to you as an individual nor in respect of your personal life.

If you wish to exercise any of the rights set out above, please contact Us. You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, We may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, We may refuse to comply with your request in these circumstances.

Additionally, We may need to request specific information from you to help Us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up Our response.

Further information about your rights can also be obtained from the Information Commissioner’s Office or your local Citizens Advice Bureau.

If you have any cause for complaint about Our use of your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office. We would welcome the opportunity to resolve your concerns ourselves, however, so please contact Us first, using the details in section 11 below.

5. What Personal Data Do You Collect and How?

We may collect and use your personal data which We have collected because you are:

(i) a businessperson or organisation that purchases services from Us by any agreed method (“Business Client”)

(ii) a businessperson or organisation with whom We would like to do business (“Prospect”) or

(iii) a supplier to Us (“Third-Party Supplier”).

The data We collect and Our use of it depends on the context of Our dealings with you as Business Client or Third-Party Supplier. In this notice where We refer to “you” We do not make a distinction between these routes of collection and uses, and this distinction will be driven by the context. However, We have indicated the Data Types and data subjects in the table below.

We do not collect any ‘special category’ or ‘sensitive’ personal data or personal data relating to children.

Should you provide any personal data relating to your customers, service users or members, We will only process these in accordance with Our Data Processing Notice or as instructed by you as the Controller of that data. All services are supplied in accordance with Our Standard Terms and Conditions.

  

| Data Type | Data Subjects | Data Collected | How the Data is Collected |
| --- | --- | --- | --- |
| Account Data | Business Clients | Identity and contact Information including: Name; Email; Telephone; Job Title; Business / Organisation name / legal entity; Business / Organisation address | We will ask you to provide it to Us to enter when setting up your account details on Our CRM system and customer information files on Our servers |
| Billing Data | Business Clients; Third-Party Suppliers | Business / Organisation name / legal entity; Business / Organisation billing address; Your reference (if applicable) | You will input the required data directly into Our ordering platform as part of the registration process and/or as part of an order; or We will ask you to provide it to Us to enter when setting up your account on your request, or by way of setting up supplier details. |
| Financial Data | Business Clients; Third-Party Suppliers | Bank account details for debits and credits | Provided by Business Clients & Third-Party Suppliers as part of the finance set up process |
| Order Data | Business Client; Third-Party Supplier | Details about services requested and amounts payable to and from you and other details relating to the order you have placed with Us or We have purchased from you | Provided as agreed in any contract and normally via email. |
| Profile Data | Business Clients; Prospects | Purchases or orders made by you, your interests, preferences, feedback and survey responses | Inputted / generated in Our CRM, or captured verbally and held in associated files on Our servers |
| Marketing and Communications Data | Business Clients; Third-Party Suppliers; Prospects | Your preferences in receiving marketing from Us; Your communication preferences; Identity and contact Information | Captured in Our CRM or similar/connected systems |

6. How Do You Use My Personal Data?

Under the Applicable Data Protection Law, We must always have a lawful basis for using personal data.

Most commonly, We will use personal data in the following circumstances:

· Where We need to perform the contract We are about to enter into or have entered into with you.

· Where it is necessary for Our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.

· Where We need to comply with a legal or regulatory obligation.

Performance of Contract means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.

Legitimate Interest means the interest of Our business in conducting and managing Our business to enable Us to give you the best service and the best and most secure experience. We make sure We consider and balance any potential impact on you (both positive and negative) and your rights before We process personal data for Our legitimate interests. We do not use personal data for activities where Our interests are overridden by the impact on you (unless We have your consent or are otherwise required or permitted to by law). You can obtain further information about how We assess Our legitimate interests against any potential impact on you in respect of specific activities by contacting Us.

Comply with a legal or regulatory obligation means processing personal data where it is necessary for compliance with a legal or regulatory obligation that We are subject to.

The following table describes how We intend to use your personal data, and Our lawful bases for doing so:

  

| Purpose/Activity | Data Type | Lawful basis for processing including basis of legitimate interest |
| --- | --- | --- |
| To register you as a Client including user of an online ordering platform or Integration | Account Data; Billing Data; Financial Data | Necessary for the performance of a contract with you. |
| To process and deliver your order including: (a) Manage payments, fees and charges; (b) Collect and recover money owed to Us | Financial Data; Billing Data; Order Data; Marketing and Communications Data | Necessary for the performance of a contract with you and/or necessary for Our legitimate interests (to recover debts due to Us). |
| To manage Our relationship with you which will include: (a) Notifying you about changes to Our terms or privacy and other legal notices; (b) Letting you know about any website or other service issues; (c) Communicating with you to deliver services; (d) Requesting feedback, recommendation, or referral of Our services | Account Data; Financial Data; Marketing and Communications Data | Necessary for the performance of a contract with you and/or necessary to comply with a legal obligation and/or necessary for Our legitimate interests (to research how customers use the products / services We provide in order to review and develop them and grow Our business). |
| To administer and protect Our business and Our websites / ordering platforms (including troubleshooting, data analysis, testing, system maintenance, support, reporting, Integrations and hosting of data) | Account Data; Order Data; Technical Data | Necessary for Our legitimate interests (for running Our business, provision of administration and IT services, network security, to prevent fraud and/or necessary to comply with a legal obligation). |
| To use data analytics to improve Our websites, ordering platforms, products/services, marketing, customer relationships and experiences | Technical Data; Usage Data; Marketing and Communications Data | Necessary for Our legitimate interests (to define types of customers for Our products and services, to keep Our website updated and relevant, to develop Our business and to inform Our marketing strategy). |
| To make suggestions and recommendations to you about goods or services that may be of interest to you | Account Data; Technical Data; Usage Data; Profile Data; Marketing and Communications Data | Necessary for Our legitimate interests (to develop Our products/services and grow Our business). |

Marketing and Communications Data

We may also use your personal data for marketing purposes, which may include contacting you with information, news and offers about Our products and services. You will not be sent any unlawful marketing or spam. We will always work to fully protect your rights and comply with Our obligations under the Applicable Data Protection Law and you will always have the opportunity to opt-out at any time. We do not share your personal data with third parties for marketing purposes.

We will only use your personal data for the purpose(s) for which it was originally collected unless We reasonably believe that another purpose is compatible with that or those original purpose(s) and need to use your personal data for that purpose. 

If We need to use your personal data for a purpose that is unrelated to, or incompatible with, the purpose(s) for which it was originally collected, We will inform you and explain the legal basis which allows Us to do so.

In some circumstances, where permitted or required by law, We may process your personal data without your knowledge or consent. This will only be done within the bounds of the Applicable Data Protection Law and your legal rights.

7. How Long Will You Keep My Personal Data?

We will not keep your personal data for any longer than is necessary in light of the reason(s) for which it was first collected. Your personal data will therefore be kept for the following periods (or, where there is no fixed period, the following factors will be used to determine how long it is kept):

  

| Type of Data | How Long We Keep It |
| --- | --- |
| Information required for fulfilment of a contract | For seven years after they cease being clients for tax purposes |
| Communication Data | Until you unsubscribe or otherwise opt out of receiving communications from Us |
| Financial Data | For seven years after they cease being clients for tax purposes |
| Marketing contact data/email addresses (unsubscribes) | For people who have requested Us to remove them from the marketing database We keep this record indefinitely so as to prevent resending |
| Anonymised Data for research and development | In some circumstances We may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case We may use this information indefinitely without further notice to you. |

8. How and Where Do You Store or Transfer My Personal Data?

Generally, for Our internal functions We do not transfer your personal data outside the UK or the European Economic Area (EEA). The EEA consists of all EU member states, plus Norway, Iceland, and Liechtenstein. This means that your personal data will be fully protected under the EU GDPR and/or to equivalent standards by law. Transfers of personal data to the EEA from the UK are permitted without additional safeguards.

We use cloud-based data storage solutions, and personal data collected by Us may be transferred to the following data processors:

  

| Data Processor | Service Provided | Location of Processor | Legal Framework | Processor Privacy Notices / Further Information |
| --- | --- | --- | --- | --- |
| Microsoft Office 365 | MS Office Software, e.g. Outlook and SharePoint file data storage | Republic of Ireland | UK GDPR Compliant; use of Standard Contractual Clauses | https://www.microsoft.com/en-gb/trust-center/privacy ; https://privacy.microsoft.com/en-GB/privacystatement |
| GoDaddy.com LLC | Website host and developer | USA | UK GDPR Compliant; use of Standard Contractual Clauses | https://www.godaddy.com/en-ie/legal/agreements/data-processing-addendum |

Some of your personal data may be processed in countries outside of the UK or the EEA. These are known as “third countries”. We will take additional steps in order to ensure that your personal data is treated just as safely and securely as it would be within the UK and under the Applicable Data Protection Law as follows:

· limiting access to your personal data to those employees, agents, contractors, and other third parties with a legitimate need to know and ensuring that they are subject to duties of confidentiality;

· procedures for dealing with data breaches (the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, your personal data) including notifying you and/or the Information Commissioner’s Office where We are legally required to do so;

· whilst We are not required under Applicable Data Protection Law to appoint a Data Protection Officer, We have chosen to do so;

· We have several documented policies and processes detailing the organisational and technical measures used to protect personal data We control and/or process. These include:

o Data Protection Policy

o Data Processing Notice

o Data & IT Security Policy

o Cookie Notice

o Data Breach Policy

o Data Breach Record

o Data Protection Impact Assessments

o Data Retention Policy

These are all reviewed annually, or sooner, if Our business processes or the Applicable Data Protection Law should change. 

9. Do You Share My Personal Data?

As detailed in section 8, We may share Personal Data with third parties to supply services you order from Us.

If any of your personal data is shared with a third party, as described above, We will take steps to ensure that your personal data is handled safely, securely, and in accordance with your rights.

If We sell, transfer, or merge parts of Our business or assets, your personal data may be transferred to a third party. Any new owner of Our business may continue to use your personal data in the same way(s) that We have used it, as specified in this Privacy Notice.

In some limited circumstances, We may be legally required to share certain personal data, which might include yours, if We are involved in legal proceedings or complying with legal obligations, a court order, or the instructions of a government authority.

10. How Can I Access My Personal Data? 

If you want to know what personal data We hold about you, you can ask Us for details of that personal data and for a copy of it (where any such personal data is held). This is known as a “data subject access request”.

All subject access requests should be made in writing and sent to the email or postal addresses shown in section 11.

There is not normally any charge for a subject access request. If your request is ‘manifestly unfounded or excessive’ (for example, if you make repetitive requests) a fee may be charged to cover Our administrative costs in responding.

We will respond to your data subject access request within one month of receiving it and normally aim to provide you with a complete response, including a copy of your personal data within that time. In some cases, however, particularly if your request is more complex, more time may be required up to a maximum of three months from the date We receive your request. You will be kept fully informed of Our progress.

11. How Do I Contact You?

To contact Us about anything to do with your personal data and data protection, including to make a subject access request, please use the following details for the attention of Stephen Murray:

Email address: stephen@thegrcdirector.co.uk.

Telephone number: 01484 686 183.

Postal Address: 2 Bayfield Close, Hade Edge, Holmfirth, HD9 2QX.

12. Changes to this Privacy Notice

This Privacy Notice will be reviewed annually, or sooner, if the Applicable Data Protection Law or Our business processes should change in a way that affects personal data protection.

Should this notice change then any historic versions will be retained.

ENDS


Copyright © 2025 GRC Director - Sole Trader - All Rights Reserved.
