Privacy & data protection policy in accordance with the EU General Data Protection Regulation (GDPR)
Introduction and application
Gadby Limited (trading as Gadby Leadership Consulting) gathers and processes data on individuals and companies for the purposes of executive assessment, leadership development and executive mentoring. This policy describes how personal data is collected, handled and stored in order to meet Gadby Limited’s data protection standards and to comply with GDPR. Gadby Limited takes the privacy rights of individuals, whether members of staff, candidates or clients, seriously and aims to always protect them and act with transparency. This policy protects the rights of staff, candidates and clients.
Policy scope
This policy applies to all employees of Gadby Limited. All Gadby Limited employees are data processors. This policy applies to all data that the company holds relating to identifiable individuals. Third party providers to Gadby Limited are required to confirm that they comply with the provisions of GDPR and the terms of this policy as a data processor on Gadby Limited’s behalf.
Definitions
A data processor is an employee of Gadby Limited who is responsible for processing personal data on behalf of the company. Third party providers contracted by Gadby Limited are also data processors for the purposes of the legitimate services they provide to Gadby Limited. Third party providers to Gadby Limited are bound by the provisions of this policy and confirm their compliance with it. For the purposes of this document, Data Protection Legislation includes the General Data Protection Regulation (EU) 2016/679 (GDPR) and any national implementing laws, regulations and secondary legislation relating to data protection and privacy, as amended or updated from time to time, in the UK, as well as any successor legislation to the GDPR and Data Protection Act 2018. For GDPR, the data controller is Gadby Limited of Audley House ℅ HJP Chartered Accountants, Northbridge Road, Berkhamsted, HP4 1EH. The term ‘Gadby Limited employee’ refers to any full or part time member of Gadby Limited, whether on a permanent or temporary contract.
Categories of personal data
Personal data for the purposes of Gadby Limited’s legitimate business interests includes but is not limited to:
- Name
- Address/location
- Date of birth
- Gender
- Education
- Work history
- Psychometric tests and questionnaires
- Performance and potential appraisals
- 360-degree reports
- Telephone, email, social media and other contact details
- Formal and informal references
Gadby Limited does not process sensitive personal data, such as ethnic origin, political opinions, religious beliefs or physical or mental health.
Categories of individuals
Personal data is collected by Gadby Limited about:
- potential and actual candidates or delegates
- potential and actual clients
- referees, both named and informal
- potential and actual mentors
- employees
Sources of data
The personal data processed by Gadby Limited is sourced via one or more of the following methods:
- Direct telephone, email, online, and in-person contact with the individual in question
- Third party individuals, such as referees
- The client, candidate and delegate interview process
- Public company records, websites and press releases
Categories of recipients of personal data
Personal data collected for business development, executive assessment, leadership development and executive mentoring purposes will only be shared on a need-to-know basis with:
- Potential and actual candidates
- Potential and actual clients
- Potential and actual mentors
- Individuals employed by Gadby Limited
The transfer of personal data to a client outside the EU will only be carried out with the explicit consent of the individual.
Length of time data is retained for
In general, we will retain your personal information for the necessary period to fulfil our purpose as defined by GDPR regulations. This is commonly a three-year retention period for our services, with our reports being valid for a two-year period. We will only retain information about you past this three-year retention point if it is necessary, such as your name, email address and why and when you used our services.
Data storage and access
Gadby Limited stores personal data as follows:
- Data (documents, emails, and contacts) is stored via Gadby Limited’s IT system, which includes Outlook and a shared drive
- Handwritten records are either securely shredded or are stored in locked filing cabinets at Gadby Limited’s offices
- Gadby Limited uses third parties, who comply with similar undertakings of privacy and confidentiality as Gadby Limited, as they perform outsourced operational functions on our behalf and who also provide services to us. These organisations include:
  - Technology operations companies who run Gadby Limited’s IT or support GADBY’s systems
  - Associate psychologists and associate leadership consultants
  - Psychometric Assessment Suppliers
Gadby Limited employees will have access to personal data stored about candidates and clients (actual or potential). Employees access this data via Gadby Limited’s on-premises IT equipment and mobile devices. Gadby Limited employees must follow comprehensive guidelines regarding the entry and processing of data. Gadby Limited outsources its IT management and data security provision to Systemagic Limited, which carries out annual assessments of system and data security in line with GDPR regulations. Individual personal data may be accessible by Systemagic Limited for the purpose of its IT service provision. Other third-party providers may have limited access to personal data held and processed by Gadby Limited for specific and limited purposes.
Sharing of personal data outside the EU
If a client of Gadby Limited is based outside the EEA (EU member states, and Norway, Iceland and Liechtenstein), personal data will be transferred only if all safeguards in this policy are met. Gadby Limited will endeavour to seek consent from individuals before such a transfer.
Rights of access and objection
Individuals about whom Gadby Limited processes data are entitled to:
- confirmation that their data is being processed
- access to their personal data
- a copy of Gadby Limited’s privacy and data protection policy
Individuals who request access to their personal data in writing will be provided with their data within three weeks of their request. An individual who has reviewed the personal data held on them by Gadby Limited has the right to have their personal data rectified within four weeks if it is inaccurate or incomplete, in which instance Gadby Limited will inform any third party who has received the data in question of the rectification where possible.
An individual has the right to object to the processing of their personal data at any point by emailing Gadby Limited’s managing director at Helen@Gadby.co.uk. In that instance, Gadby Limited will continue to store their data but will not process it for any purpose. The right to object explicitly forms part of Gadby Limited’s initial consent request (see above).
An individual has the right to object to the storage of their personal data at any point by emailing Gadby Limited’s managing director at Helen@Gadby.co.uk. In that instance, Gadby Limited will destroy/delete the data stored on the individual. The right to object explicitly forms part of Gadby Limited’s initial consent request (see above).
Data breaches
In the event of a data breach about which Gadby Limited becomes aware, it will report the details of the breach to the Data Commissioners Office and any individual(s) and client(s) affected within 72 hours, where feasible or as soon thereafter as possible.
How to make a complaint
Individuals can write to Gadby Limited’s managing director at Helen@Gadby.co.uk with details of their complaint. A written response will be provided after an internal investigation and within 30 days.
Individuals also have the right to raise their concerns with the Information Commissioner’s Office (ICO) at https://ico.org.uk/concerns