Data Protection Policy
Definitions
In this Policy, where a phrase uses 'Capital Letters', it is a defined term and has the meaning set out below. We recommend you refer to this section as you read through the Policy.
Anonymous or Anonymised: Amending data so that the identity of the individual it concerns is permanently removed.
Automated Decision Making (ADM): When a decision is made which is based solely on Automated Processing (including profiling) which produces legal effects or significantly affects an individual. The Company does not carry out fully Automated Decision Making that produces legal or similarly significant effects on individuals unless explicitly authorised and subject to appropriate safeguards.
Automated Processing: Any form of Automated Processing of Personal Data where an individual's Personal Data is used to evaluate them. This includes where the Processing is used to analyse or predict the individual's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. Profiling is an example of Automated Processing.
Company: Beyond Encryption Limited (company number 08814096) of 1 Gloster Court, Whittle Avenue, Fareham, Hampshire, England, PO15 5SH. Also referred to as The Company, We, or Our.
Company Personnel: All employees, workers, contractors, agency workers, consultants and directors.
Consent: Agreement which must be freely given, specific, informed and unambiguous. Consent is an indication of the Data Subject's wishes that they, by a statement or by a clear positive action, agree to the Processing of Personal Data relating to them.
Data Controller: The person or organisation that determines when, why and how to process Personal Data. The Data Controller is responsible for establishing practices and policies which conform to the GDPR and data protection law. We are the Data Controller of all Personal Data relating to Company Personnel and Personal Data used in Our business for Our own commercial purposes. We are the Data Processor for Users/Clients who are businesses and a Data Controller for the data of Our Users/Clients who are individuals. Please see Our Privacy Notice for further details.
Data Processor: The organisation that processes Personal Data on behalf of a controller.
Data Protection Officer: Contact details for any Data Protection issues – Huw Thomas, email address dpo@beyondencryption.com
Data Subject: A living identified or identifiable individual about whom We hold Personal Data. Data Subjects may be nationals or residents of any country (i.e. they do not need to be within the EU and/or UK).
Data Privacy Impact Assessment (DPIA): A specific type of assessment used to identify and reduce the risks associated with a data processing activity. A DPIA is often carried out as part of Privacy by Design.
EEA: The European Economic Area
Explicit Consent: Consent which requires a very clear and specific statement (that is, not just an action).
Information Commissioner: The Data Protection Regulator in the UK, whose website is http://ico.org.uk.
Personal Data: Any information identifying a Data Subject, or any information relating to a Data Subject whom We can identify (directly or indirectly) from either that information alone, or by combining that information with other identifying information We possess or can reasonably access. Personal Data includes Sensitive Personal Data and Pseudonymised Personal Data but excludes Anonymous data. Personal Data can be factual (for example, a name, email address, location or date of birth) or an opinion about that person's actions or behaviour.
Personal Data Breach: Any act or omission that compromises the security, confidentiality, integrity or availability of Personal Data; or the physical, technical, administrative, or organisational safeguards that we or Our third-party service providers put in place to protect that data. The loss or unauthorised access, disclosure or acquisition of Personal Data is a Personal Data Breach.
Policy: This Data Protection Policy.
Privacy by Design: Implementing appropriate technical and organisational measures in an effective manner to ensure compliance with GDPR.
Privacy Notices: Separate notices setting out information that may be provided to Data Subjects when The Company collects information about them. These notices may take the form of general privacy statements applicable to a specific group of individuals (for example, employee privacy notices or a website privacy policy) or they may be stand-alone, one-time privacy statements covering Processing related to a specific purpose. Privacy Notices are also sometimes called “Privacy Policies”.
Process, Processing or Processed: Any activity that involves the use of Personal Data. It includes obtaining, recording or holding the data or carrying out any technical operation on the data, including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring Personal Data to third parties.
Pseudonymised: Replacing information that directly or indirectly identifies an individual with one or more artificial identifiers or pseudonyms so that the Data Subject cannot be identified without the use of additional information (like a written 'key') which is meant to be kept separately and secure. Pseudonymised data is usually Personal Data because The Company has access (or can reasonably access) both the Pseudonymised information and the 'key'.
Special Category Personal Data: Information revealing an individual's racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data. Sensitive Personal Data also includes Personal Data relating to criminal offences and convictions.
UK GDPR: The UK General Data Protection Regulation together with the Data Protection Act 2018 and any subsequent amendments or replacement legislation.
Introduction
This Policy sets out how The Company collects, Processes, stores, and protects Personal Data in accordance with applicable data protection legislation.
The Company is committed to ensuring that Personal Data is handled lawfully, securely, and transparently, maintaining the trust of customers, employees, and partners.
This Policy applies to all Personal Data We Process.
Personal Data can be stored on any medium (e.g. on paper or electronically). Personal Data can also refer to past or present Data Subjects. This includes current or former Company Personnel, customers, client or supplier contacts, shareholders and website users of The Company.
Scope
This Policy applies to:
- all Personal Data Processed by The Company
- all employees, contractors, and third parties acting on behalf of The Company
- all systems, services, and Processes involving Personal Data
This includes data relating to:
- employees and contractors
- customers and users
- suppliers and partners
- website users and prospects
Roles and Responsibilities
The Company has appointed a Data Protection Officer:
Name: Mr Huw Thomas
Role: Data Protection, Compliance and Operations Manager
Contact: dpo@beyondencryption.com
All personnel are responsible for:
- protecting Personal Data
- following this Policy
- reporting any suspected data breach
Personal Data Protection Principles
The Company adheres to the UK GDPR principles listed below. Next to each principle is a reference to the section of this Policy which explains that principle in more detail.
The Principles:
Lawfulness, Fairness and Transparency – section 4. Personal Data must be Processed lawfully, fairly and in a transparent manner.
Purpose Limitation - section 5. Personal Data must be collected only for specified, explicit and legitimate purposes.
Data Minimisation - section 6. Personal Data must be adequate, relevant, and limited to what is necessary for the purposes for which it is Processed.
Accuracy - section 7. Personal Data must be accurate and kept up to date.
Storage Limitation - section 8. Personal Data will not be kept for longer than is necessary to carry out the purposes for which the data was collected.
Security, Integrity and Confidentiality – section 9. Personal Data will be Processed in a manner that ensures its security using appropriate technical and organisational measures to protect against unauthorised or unlawful Processing and against accidental loss, destruction or damage.
Transfer Limitation - section 10. Personal Data will not be transferred to another country without appropriate safeguards being in place.
Data Subject's Rights and Requests - section 11. Personal Data will be made available to Data Subjects. Data Subjects will be allowed to exercise certain rights in relation to their Personal Data.
Accountability - section 12. We are responsible for and must be able to demonstrate compliance with the data protection principles listed above.
Lawful Basis for Processing
The Company can collect, Process and share Personal Data provided this is done lawfully and fairly. Under GDPR, Personal Data is Processed lawfully and fairly if the Processing is carried out on one of the grounds listed in Article 6 (for non-sensitive Personal Data only) or Article 9 (for Sensitive Personal Data only).
Performance of a contract: for example, where We Process a customer's Personal Data in order to provide them with a fee estimate for Our services. This could also include Processing of data after contact from an employee of a company that purchases services from us, including performance of Our Services, contract negotiations etc.
Legal Obligation: for example, keeping proper accounting records.
Legitimate Interest: for example, We have a legitimate interest in sending marketing material to existing customers or people who have made enquiries about Our products and services in the past. In this example, the Data Subject's interests, and fundamental rights and freedoms are not prejudiced because recipients can opt out of receiving marketing materials at any time (e.g., by clicking 'unsubscribe' in one of Our emails).
Consent: This is usually only required in the context of sending marketing communications where We cannot rely on the soft opt-in/legitimate interest grounds of Processing discussed above. A Data Subject Consents to Processing of their Personal Data if they indicate their agreement clearly by positive action. We confirm that if Consent is withdrawn, We will NOT send marketing communications on the legitimate interest basis by relying on the soft opt-in. Instead, all marketing communications to that person will be stopped unless they instruct us otherwise. Communications which concern their agreement/account with us and service announcements will still be sent in the usual way as it is our legal responsibility to issue these notices to our customers.
We will always identify the legal ground We are relying on. If the legal ground is not already set out in the relevant Privacy Notice, then We will make a written record of Our ground for Processing. Data Subjects have the right to withdraw their Consent at any time.
If a Data Subject tells us they are withdrawing their Consent, then we will Process that request promptly. Processing which was justified based on that (now withdrawn) Consent should be stopped unless another lawful basis for Processing can be identified.
Please see the ICO website for further information: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/lawful-basis/a-guide-to-lawful-basis/
Classification of Data
For this Policy, data is classified into different categories in line with the Data Protection Act and UK GDPR legislation.
Non-sensitive data: data whose inappropriate use would not adversely affect an individual, for example management information reports which do not identify individuals, or data which is already a matter of public record.
Special Category Personal Data: data relating to ethnic origin, political opinions, religious beliefs, membership of trade union organisations, physical or mental health, sexual offences or alleged offences.
Highly Sensitive Data: data which, if used inappropriately, may have a significant impact on either The Company or an individual (employee or user).
Transparency and Privacy Notices
The Company provides clear and accessible Privacy Notices that explain:
- what data is collected
- how it is used
- lawful basis for Processing
- retention periods
- Data Subject rights
Privacy information is provided:
- at the point of data collection
- or within a reasonable time where data is obtained indirectly.
Data Subject Rights
Individuals have the following rights:
- right of access
- right to rectification
- right to erasure
- right to restrict Processing
- right to object
- right to data portability
- rights relating to Automated Decision Making
Requests are handled:
- without undue delay
- within one month (unless extended lawfully)
- subject to identity verification
Under a Subject Access Request, We will provide detailed, specific information to Data Subjects. The information will be concise, transparent, intelligible, easily accessible, and in clear and plain language.
Data Retention and Deletion
Personal Data is retained only as long as necessary.
The Company maintains a Data Retention Policy which defines:
- retention periods
- legal and regulatory requirements
- secure deletion Processes
Personal Data will not be kept for longer than is necessary for the purposes for which the data is Processed. The exception to this is where the data is properly Anonymised so that the Data Subject is no longer identifiable.
The Company will not keep Personal Data in a form which permits the identification of the Data Subject for longer than is needed for the legitimate business purpose or purposes for which We originally collected it (including for satisfying any legal, accounting or reporting requirements). Detailed retention periods are defined in the Data Retention Policy which forms part of The Company’s Information Security Management System. This ensures that Personal Data is deleted after a reasonable time has elapsed, depending on the purpose for which it was being held. These retention periods are subject to any lawful requirement that The Company keep the data for a longer period.
We will take all reasonable steps to destroy or erase from The Company's systems all Personal Data that We no longer require, when the retention period has been reached and there is no justifiable reason (such as a legal obligation) to keep the information for a longer period.
Security of Personal Data
The Company implements appropriate technical and organisational measures against unauthorised or unlawful Processing and against accidental loss, destruction or damage, including:
- encryption
- access controls
- secure system design
- monitoring and logging
- staff training
All Company Personnel are responsible for protecting the Personal Data We hold. They are required to implement reasonable and appropriate security measures against unlawful or unauthorised Processing of Personal Data and against the accidental loss of, or damage to, Personal Data. They are required to exercise care in protecting Sensitive Personal Data from loss and unauthorised access, use or disclosure.
It is a requirement that all The Company’s employees follow all procedures and technologies We put in place to maintain the security of all Personal Data from the point of collection to the point of destruction. Personal Data will only be transferred to a third-party service provider who has agreed to comply with the required policies and procedures and who agrees to put adequate measures in place, as requested.
Security measures are regularly reviewed and tested.
Purpose Limitation
Personal Data will be collected only for specified, explicit and legitimate purposes.
These purposes are typically set out in Our Privacy Policy (for customers and third parties) and in The Company's employment contracts and Employee Handbook (for Company Personnel).
If Processing needs to be carried out for a purpose not identified in (as applicable) Our Privacy Policy, Company contracts or Employee Handbook then We will send a separate notice to the Data Subject.
Data Minimisation
Personal Data must be adequate, relevant and limited to only what is necessary to carry out the Processing activities for which it was collected. Personal Data will only be Processed by those of The Company’s employees who have a legitimate reason to Process such data as part of their professional duties.
The information collected will not exceed the minimum required to carry out the required Processing activities. Employees will ensure that all collected Personal Data is adequate and relevant for its intended purpose or purposes.
Accuracy
The Company will make every effort to ensure that the Personal Data We collect, hold and Process is accurate and kept up to date. We will take all reasonable steps to destroy or amend inaccurate or out-of-date Personal Data (subject to The Company's Retention Policy, for example where out-of-date Personal Data may need to be kept longer for legal reasons).
Processing on behalf of Customers
Where The Company Processes Personal Data on behalf of customers using its Mailock platform, under UK GDPR, The Company acts as a Data Processor for businesses but as a Data Controller for individual non-business Data Subjects.
In this role, The Company:
- Processes or controls Personal Data only in accordance with documented customer instructions;
- implements appropriate technical and organisational security measures;
- ensures confidentiality obligations for personnel;
- supports customers with subject access requests where applicable;
- maintains appropriate contracts with sub-processors;
- assists customers with breach notifications and DPIAs where required.
Personal Data Breach
All Personal Data Breaches must be reported immediately.
Where required:
- breaches are reported to the ICO within 72 hours
- affected individuals are notified where there is high risk
All breaches are recorded and investigated.
Transfer Limitation
Personal Data may be transferred outside the UK only where the Data Subject has provided Explicit Consent to the proposed transfer after being informed of any potential risks or the transfer is necessary for one of the other reasons set out in the GDPR including the performance of a contract between The Company and the Data Subject, reasons of public interest, to establish, exercise or defend legal claims or, in some limited cases, for Our legitimate interest.
The transfer must be made with appropriate safeguards in place, including:
- UK Adequacy Regulations.
- the UK International Data Transfer Agreement (IDTA).
- the UK Addendum to EU Standard Contractual Clauses.
- the UK-US Data Bridge, where applicable.
Data Subjects’ Rights and Requests
Data Subjects have rights when it comes to how We handle their Personal Data. These include rights to:
- withdraw Consent to Processing at any time (see section 4 for more information);
- receive certain information about the Data Controller's Processing activities;
- request copies of any Personal Data that We hold (known as a 'Subject Access Request') and for it to be provided in a structured, commonly used and machine-readable format;
- prevent Our use of their Personal Data for direct marketing purposes;
- ask us to erase Personal Data (Right to be Forgotten) if it is no longer necessary in relation to the purposes for which it was collected or Processed, or to rectify inaccurate data or to complete incomplete data;
- restrict Processing in specific circumstances;
- challenge Processing which has been justified on the basis of Our legitimate interests or in the public interest;
- request a copy of an agreement under which Personal Data is transferred outside of the EEA;
- object to decisions based solely on Automated Processing, including profiling;
- prevent Processing that is likely to cause damage or distress to the Data Subject or anyone else;
- be notified of a Personal Data Breach which is likely to result in high risk to their rights and freedoms;
- make a complaint to the supervisory authority;
- where technically feasible, receive their Personal Data in a format that can be easily transmitted to another controller.
We will request all necessary information to enable us to verify the identity of any individual requesting data under the rights listed above. Personal Data will not be disclosed to any third party without appropriate authorisation.
Any Data Subject Access Request (“SAR”) should be directed to the Data Protection Officer (dpo@beyondencryption.com). Any request will be Processed without delay.
Data Sharing and Third Parties
Personal Data is shared only when necessary and subject to:
- appropriate contractual agreements
- data processing agreements
- security and due diligence checks
We require all third parties to implement appropriate data protection measures.
Privacy by Design and Data Privacy Impact Assessment (DPIA)
The Company applies Privacy by Design and Default measures when Processing Personal Data. This involves implementing appropriate technical and organisational measures to ensure compliance with data privacy principles.
Data Privacy Impact Assessments (DPIA) when implementing new systems
We will conduct a DPIA when implementing any changes to programs or business processes which involve the Processing of Personal Data. These can include:
- use of new technologies (programs, systems or processes), or changing technologies (programs, systems or processes);
- large scale processing
- sensitive data processing
Automated Decision Making/Use of AI
The Company ensures that:
- Automated Processing is transparent and lawful
- individuals are not subject to solely Automated Decision Making with legal or significant effects without safeguards
- appropriate human oversight is applied where required
Children’s Data
The Company does not knowingly Process Personal Data of children without appropriate safeguards and, where required, parental Consent.
Monitoring and Compliance
The Company:
- maintains records of Processing activities
- conducts regular audits and reviews
- monitors compliance with this Policy
Non-compliance may result in disciplinary action.
Direct Marketing
Marketing communications comply with:
- UK GDPR
- Privacy and Electronic Communications Regulations (PECR)
Individuals are:
- given clear opt-in choices where required
- able to opt out at any time
A Data Subject's prior Consent is required for electronic direct marketing (for example, by email or telephone).
The limited exception for existing customers known as "soft opt in" allows The Company to send marketing texts or emails using the contact details obtained during the course of a sale, if they are marketing similar products or services. The Company will give the Data Subject the ability to opt out of marketing when first collecting the details and in every subsequent message.
For Data Subjects who sign up for Our Services, We will send them information about Our products and services. This will include communications relevant to the registration or account management process, use of the service and information about service updates, faults or changes to Our Terms and Conditions. This is a legal obligation and opting out of such emails is not possible.
If a customer Data Subject opts out at any time, their details will be suppressed as soon as possible. Suppression involves retaining just enough information to ensure that marketing preferences are respected in the future (e.g. that person's email address is kept on a 'do not contact' list which is checked against The Company's marketing database).
Training and Awareness
All personnel receive regular training on:
- data protection obligations
- security awareness
- incident reporting
Training records are maintained.
Policy Review
This Policy is reviewed:
- annually
- following regulatory or business changes
- following security or data incidents
This Policy does not override any applicable national data privacy laws and regulations in England and Wales.