Data Protection Policy
Data Protection Act 2018 · Diligent Safety Training & Consultancy Ltd · ICO registration ZC162138
1. Introduction
This Policy sets out the obligations of Diligent Safety Training & Consultancy Ltd ("the Company") regarding data protection and the rights of customers and business contacts ("data subjects") in respect of their personal data under the Data Protection Act 2018 (formerly EU Regulation 2016/679, the General Data Protection Regulation, "GDPR").
The Data Protection Act 2018 defines "personal data" as any information relating to an identified or identifiable natural person — one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
This Policy sets out the Company's obligations regarding the collection, processing, transfer, storage and disposal of personal data. The procedures and principles set out herein must be followed at all times by the Company, its employees, agents, contractors or other parties working on behalf of the Company.
The Company is committed not only to the letter of the law, but also to the spirit of the law, and places high importance on the correct, lawful and fair handling of all personal data, respecting the legal rights, privacy and trust of all individuals with whom it deals.
2. The data protection principles
This Policy aims to ensure compliance with the Data Protection Act 2018, which requires that all personal data must be:
- processed lawfully, fairly and in a transparent manner in relation to the data subject;
- collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes (further processing for archiving in the public interest, or for scientific, historical research or statistical purposes, is not considered incompatible);
- adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;
- accurate and, where necessary, kept up to date, with every reasonable step taken to erase or rectify inaccurate data without delay;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which it is processed; and
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
3. The rights of data subjects
The Data Protection Act 2018 sets out the following rights applicable to data subjects:
- the right to be informed;
- the right of access;
- the right to rectification;
- the right to erasure (also known as the "right to be forgotten");
- the right to restrict processing;
- the right to data portability;
- the right to object; and
- rights with respect to automated decision-making and profiling.
4. Lawful, fair & transparent processing
Processing of personal data is lawful only if at least one of the following applies:
- the data subject has given consent for one or more specific purposes;
- processing is necessary for the performance of a contract to which the data subject is a party, or to take steps at their request prior to entering a contract;
- processing is necessary for compliance with a legal obligation;
- processing is necessary to protect the vital interests of the data subject or another person;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority; or
- processing is necessary for the legitimate interests of the Company or a third party, except where overridden by the fundamental rights and freedoms of the data subject (in particular where the data subject is a child).
Where the personal data is "special category data" (sensitive personal data, such as data concerning health), at least one further condition must also be met, such as: the data subject's explicit consent; protection of vital interests where the data subject is incapable of giving consent; data clearly made public by the data subject; or processing necessary for the conduct of legal claims.
5. Purposes & data minimisation
The Company only collects, processes and holds personal data for the specific purposes set out in this Policy (or for other purposes expressly permitted by the Data Protection Act 2018), whether collected directly from data subjects or obtained from third parties. Data subjects are kept informed at all times of the purpose(s) for which the Company uses their personal data.
The Company will only collect and process personal data to the extent necessary for the specific purpose(s) of which data subjects have been informed.
6. Accuracy & retention
The Company shall ensure that all personal data it collects, processes and holds is kept accurate and up to date, including the rectification of personal data at the request of a data subject. Accuracy is checked when data is collected and at regular intervals thereafter; inaccurate or out-of-date data is amended or erased without delay.
The Company shall not keep personal data for any longer than is necessary in light of the purpose(s) for which it was collected. When personal data is no longer required, all reasonable steps are taken to erase or dispose of it without delay. Full details are set out in the Company's Data Retention Policy.
7. Accountability & record-keeping
The Company's Data Protection Officer is responsible for overseeing the implementation of this Policy and for monitoring compliance with it, the Company's other data-protection policies, and the Data Protection Act 2018. The Data Protection Officer can be contacted at info@dstccoltd.com or +44 (0) 7495 768562.
The Company keeps written internal records of all personal data collection, holding and processing, incorporating:
- the name and details of the Company, its Data Protection Officer and any applicable third-party data processors;
- the purposes for which the Company collects, holds and processes personal data;
- the categories of personal data and of data subject to which it relates;
- details of any transfers of personal data to non-EEA countries, including mechanisms and security safeguards;
- how long personal data will be retained; and
- detailed descriptions of all technical and organisational security measures.
8. Data protection impact assessments
The Company carries out Data Protection Impact Assessments for any new projects and/or new uses of personal data. Overseen by the Data Protection Officer, these address: the type(s) of personal data involved; the purpose(s) of use; the Company's objectives; how the data is to be used; the parties to be consulted; the necessity and proportionality of the processing; the risks posed to data subjects and to the Company; and proposed measures to minimise and handle identified risks.
9. Keeping data subjects informed
Where personal data is collected directly from data subjects, they are informed of its purpose at the time of collection. Where data is obtained from a third party, the data subject is informed when first contacted, before any transfer to another party, or in any event no more than one month after the data is obtained. The information provided includes:
- details of the Company, including the identity of its Data Protection Officer;
- the purpose(s) of processing and the legal basis for it;
- where applicable, the legitimate interests relied upon;
- the categories of personal data (where not obtained directly from the data subject);
- details of any recipients or third parties, and of any transfers outside the EEA and the safeguards in place;
- details of data retention;
- the data subject's rights, including the right to withdraw consent and to complain to the Information Commissioner's Office; and
- details of any automated decision-making or profiling, including its significance and consequences.
10. Subject access requests
Data subjects may make subject access requests ("SARs") at any time to find out more about the personal data the Company holds about them, what it is doing with it, and why. SARs may be made in writing, using the Company's Subject Access Request Form or other written communication, addressed to the Data Protection Officer at info@dstccoltd.com.
Responses are normally made within one month of receipt, extendable by up to two months for complex or numerous requests (the data subject is informed if so). All SARs are handled by the Data Protection Officer. No fee is charged for normal SARs; the Company reserves the right to charge reasonable fees for additional copies, or for requests that are manifestly unfounded, excessive or repetitive.
11. Rectification, erasure & restriction
Rectification
Data subjects have the right to require the Company to rectify inaccurate or incomplete personal data. The Company will do so, and inform the data subject, within one month (extendable by up to two months for complex requests). Where the affected data has been disclosed to third parties, those parties are informed of the rectification.
Erasure
Data subjects may request erasure where: the data is no longer necessary for its original purpose; consent is withdrawn; the data subject objects and there is no overriding legitimate interest; the data has been processed unlawfully; or erasure is required to comply with a legal obligation. Unless there are reasonable grounds to refuse, requests are complied with within one month (extendable by up to two months). Third parties to whom the data was disclosed are informed where possible.
Restriction
Data subjects may request that the Company restricts processing of their personal data. The Company retains only the amount of data necessary to ensure it is not processed further, and informs any third parties of the applicable restrictions where possible.
12. Objections to processing
Data subjects have the right to object to processing based on legitimate interests, to direct marketing (including profiling), and to processing for scientific/historical research and statistics. Where a data subject objects to processing based on legitimate interests, the Company ceases that processing unless it can demonstrate overriding legitimate grounds or that the processing is necessary for legal claims. Where a data subject objects to direct marketing, the Company ceases such processing immediately.
13. Data security
Transferring personal data & communications
- all emails containing personal data must be encrypted and marked "confidential";
- personal data may be transmitted over secure networks only, and not over a wireless network where a reasonably practicable wired alternative exists;
- personal data in the body of an email should be copied out and stored securely, and the email (and temporary files) securely deleted;
- hardcopy personal data should be passed directly to the recipient or sent by Royal Mail Registered or Signed For post; and
- personal data transferred physically (hardcopy or removable media) must be in a suitable container marked "confidential".
Storage
- electronic copies are stored securely using passwords and data encryption;
- hardcopies and removable media are stored securely in a locked box, drawer or cabinet;
- data stored electronically is backed up at least daily, with encrypted backups;
- no personal data is stored on any mobile device without the formal written approval of the Data Protection Officer; and
- no personal data is transferred to devices personally belonging to employees, and personal data is transferred to devices belonging to agents or contractors only where they have agreed to comply fully with this Policy and the Act.
Disposal
When personal data is to be erased or disposed of for any reason, it is securely deleted and disposed of.
Use of personal data
- no personal data may be shared informally; access must be formally requested from the Data Protection Officer;
- no personal data may be transferred to any party without the authorisation of the Data Protection Officer;
- personal data must be handled with care and never left unattended or on view to unauthorised parties;
- unattended computers displaying personal data must be locked; and
- where personal data is used for marketing, appropriate consent must be obtained and no data subject may have opted out (directly or via a service such as the TPS).
IT security
- passwords protecting personal data are changed regularly, are not easily guessed, and combine uppercase and lowercase letters, numbers and symbols;
- passwords are never written down or shared between any parties, irrespective of seniority;
- all software and operating systems are kept up to date with security updates; and
- no software may be installed on Company devices without prior approval.
14. Organisational measures
The Company ensures that, among other measures:
- all parties handling personal data are made fully aware of their responsibilities and provided with a copy of this Policy;
- access to personal data is limited to those who need it to carry out their duties;
- staff handling personal data are appropriately trained and supervised;
- collection and processing methods are regularly evaluated and reviewed;
- all personal data is reviewed periodically in accordance with the Data Retention Policy; and
- all agents, contractors and other parties handling personal data are bound by contract to do so in accordance with the principles of the Act and this Policy, and indemnify the Company against any failure in those obligations.
15. Transfers outside the EEA
The Company may from time to time transfer personal data to countries outside the EEA. Such transfers take place only where one or more of the following applies:
- the transfer is to a country, territory or sector that the European Commission has determined ensures an adequate level of protection;
- the transfer is subject to appropriate safeguards (e.g. binding corporate rules, standard data protection clauses, an approved code of conduct or certification mechanism);
- the transfer is made with the informed consent of the relevant data subject(s);
- the transfer is necessary for the performance of a contract with the data subject (or pre-contractual steps at their request);
- the transfer is necessary for important public interest reasons or for the conduct of legal claims;
- the transfer is necessary to protect the vital interests of the data subject or others where they cannot give consent; or
- the transfer is made from a public register intended to provide information to the public.
16. Data breach notification
- all personal data breaches must be reported immediately to the Company's Data Protection Officer;
- where a breach is likely to result in a risk to the rights and freedoms of data subjects, the Data Protection Officer ensures the Information Commissioner's Office is informed without delay, and in any event within 72 hours of becoming aware of it;
- where a breach is likely to result in a high risk to the rights and freedoms of data subjects, all affected data subjects are informed directly and without undue delay; and
- breach notifications include the categories and approximate numbers of data subjects and records concerned, the contact point for more information, the likely consequences, and the measures taken or proposed to address the breach.
17. Contact & approval
For any data-protection question or to exercise your rights, contact the Company's Data Protection Officer at info@dstccoltd.com or +44 (0) 7495 768562, or write to 440 Charter Avenue, Canley, Coventry, CV4 8BD. If you are unhappy with how we handle your data, you may complain to the UK Information Commissioner's Office at ico.org.uk.
This Policy was approved and authorised by Andrew Foster, Founder & Managing Director, on 7 June 2026, and is reviewed annually.