Privacy Policy

1st Aesthetics ltd strategic values and responsibilities

  • We vow to demonstrate full responsibility and dutiful respect as a keeper of customer, client and employee data.
  • We totally support GDPR and its requirements, and will do everything within our power to appropriately resource and fund any changes we must enforce to ensure [1st Aesthetics ltd] can meet its obligations.
  • We promise to maintain ownership and transparency concerning data protection and privacy across all elements of our company.
  • We pledge to create and maintain a purposeful data processing inventory documenting all data operations, including collection, processing and storage.
  • We guarantee to extend every possible show of support to individuals intent on exercising their rights as outlined under GDPR legislation.
  • We will conduct a regular review to assess the legality and purpose for the collection, processing and storage of personal data.
  • We vow to act upon identified gaps and develop robust processes to maintain full GDPR compliance.
  • We promise to clearly communicate the business purpose and legal grounds for any transfer of data – including transfer outside of the European Union. 
  • We will contact all partner organisations, contractors or other third parties to identify their own GDPR commitments, establish relevant contract terms and solidify GDPR compliance controls.

[1ST AESTHETICS LTD] collects, processes and stores the information and personal data you submit to our website in relation to [CLIENT DATA PROCESSING]. All processing activities shall be carried out in accordance with your individual rights as defined by the European Union’s General Data Protection Regulation.


Please note that by submitting information about yourself through our website, you are agreeing for [1ST AESTHETICS LTD] to process and store that data. This data shall be stored only for the duration of the previously outlined purpose for collection. We never store or process your data longer than we need to, and we do not use your data for any purpose other than those you have agreed to.


The data you submit to our website will never be shared with or transferred to a third-party organisation. The following partners are exempt from this policy as they assist [1ST AESTHETICS LTD] in processing your personal data and delivering its services: [PH AESTHETICS TRAINING LTD].


You reserve the right to request [1ST AESTHETICS LTD] update your personal data at any time. You can also request information about your personal data, withdraw your consent for us to process your information or request a transfer or deletion of your data.

For more information about [1ST AESTHETICS LTD] and how we protect and secure your data, consult our Privacy Policy [HYPERLINK].

Please tick this box to indicate you have read and consent to our Privacy Policy:

Yes, I agree to [1ST AESTHETICS LTD] Privacy Policy 

Data retention and erasure policy introduction

Our approach towards data retention

This policy is designed to ensure [1ST AESTHETICS LTD] does everything within its power to adequately protect, maintain and store data. This policy has also been developed to ensure that any data, documents or records that have no further use or value to [1ST AESTHETICS LTD] are disposed of in line with our regulatory obligations and relevant company policy.


Employees should consult our data retention and erasure policy to develop an understanding of our company’s obligations relating to the ways in which we retain data or electronic documents. These documents may include, but are not limited to:


  • Emails
  • Word Documents
  • Spreadsheets
  • PDF documents
  • Web files
  • Sound files
  • Videos


Personal data must never be kept for longer than it is needed. Consequently, employees should use our company’s data retention schedule as a guide to [1ST AESTHETICS LTD]’s general retention period for each data category, which has been assigned based upon the purpose of the data. In line with our regulatory obligations, all data that is no longer necessary should be deleted and all copies must be destroyed in line with our data erasure schedule.

Data retention schedule administration

This data retention schedule documents the maintenance, retention and disposal guidelines relating to any and all records our company holds. It must be reviewed and accordingly amended on a regular basis to ensure data storage and erasure processes are adhering to [1ST AESTHETICS LTD]’s wider data retention policy approach.


There will be times when data may need to be retained longer than the pre-defined amount of time permitted. Circumstances in which our policy will need to be suspended may include, but are not limited to:


  • Legal proceedings
  • Regulatory investigations
  • If criminal activity is suspected or alleged
  • If relevant data concerns a company or organisation in receivership or liquidation
  • If the relevant data is of historical importance to the owner or controller


In the event of legal proceedings, criminal activity or investigations, [COMPANY NAME] and its employees must retain data that relates to the situation and could serve to aid the company’s case or position, liability or amount involved. If such a situation may occur during the lifetime of this policy, [COMPANY NAME] will inform all staff of the policy’s suspension as it relates to said situation.

Data retention schedule

[1ST AESTHETICS LTD] has developed its data retention policy in line with the following data retention schedule:

Department / Function

  1. Accounting and finance data
  2. Contract data
  3. Corporate records
  4. Correspondence and internal memoranda
  5. Personal data
  6. Electronic data
  7. Insurance data
  8. Legal data
  9. Miscellaneous data
  10. Personnel records and data
  11. Tax records and data

1. Accounting and finance data

Record | Retention period
Company financial statements and annual audit reports | Permanent
Annual audit records (including relevant documents) | 7 years after audit completion
Company bank statements | 7 years
Cancelled cheques | 7 years
Employee expense reports | 7 years
Interim company financial statements | 7 years
Credit card records | 2 years
Annual plans and company budgets | 2 years

Any and all items that display customer bank details or credit card information must be kept under secure conditions when not in immediate use. This includes keeping printed records in a locked desk drawer or filing cabinet.


If [1ST AESTHETICS LTD] determines it is necessary to keep a document that displays customer financial details beyond a retention period of 2 years, all identifying details or financial information as it relates to any customer must be redacted or removed from the document in question.

2. Contract data

Record | Retention period
All company contracts | 7 years after expiration or termination
All correspondence relating to contracts | 7 years after expiration or termination

3. Corporate records

Record | Retention period
Corporate records | Permanent
Licenses and permits | Permanent


For the purpose of this schedule and corresponding policy, ‘corporate records’ should be defined to include anything relating to:


  • Meeting minutes
  • Signed minutes of the board 
  • Signed minutes of any committees
  • Record of incorporation
  • Articles of incorporation
  • Annual corporate reports

4. Correspondence and internal memoranda

The vast majority of correspondence and internal memoranda must be retained for the same period as the document or data to which they relate. For example, an email relating to a contract would be expected to be retained for a period of 7 years after the expiration of the corresponding contract.


Bearing this in mind, [1ST AESTHETICS LTD] recommends that all correspondence and internal memoranda as it relates to a company project be kept with said project as part of a project-wide file.


Company correspondence or internal memoranda unrelated to documents that have a defined retention period should be securely destroyed at an earlier time, depending upon which of the following two categories it falls into:

Category 1

Category 1 correspondence or internal memoranda includes any and all data as it relates to routine processes. Category 1 correspondence and internal memoranda generally do not carry any significant consequences and should be disposed of within 2 years.


Examples of category 1 correspondence and internal memoranda may include (but are not limited to):


  • Notes of appreciation or thanks
  • Plans for meetings
  • Forms or letters that do not require a follow up
  • General enquiries that have been settled
  • Chronological correspondence data
  • Complaints requesting a specific action that have already been addressed and carry no further value
  • Correspondence relating to inconsequential subject matter


All copies of internal office correspondence should be read and destroyed as per this policy unless that correspondence includes data or content that must be retained as part of a wider project.

Category 2

Category 2 correspondence or internal memoranda includes non-routine information or correspondence that is likely to have a consequential impact upon the company or its employees. Category 2 correspondence and internal memoranda should be retained on a permanent basis.

5. Personal data

There will be times when [1ST AESTHETICS LTD] and its employees must retain and/or delete personal data in line with its legal obligations.


For the purposes of this data retention and erasure policy, ‘personal data’ can be defined as any identifying information as it relates to an individual. We never keep personal data for longer than is necessary for the purpose for which that data was collected. All personal data as defined within the following categories should be deleted based upon this retention and erasure schedule:


Record | Retention period
Data relating to customer devices | 2 years after the account is closed
Data relating to use of our company website | 2 years after the account is closed
Any data collected when registering with our website | 2 years after the account is closed
Data collected and submitted as part of any profile creation processes | 2 years after the account is closed
Data submitted for the purpose of subscribing to email marketing activities | Indefinitely (or until customer unsubscribes)
Data submitted as part of online service delivery | Indefinitely
Data relating to any subscriptions | 2 years after the account is closed
Data posted in a public area on our company website | 2 years after the post
Data contained in communications sent through the website | 2 years after contact
Any other personal data | 2 years after contact

[1ST AESTHETICS LTD] reserves the right to retain any and all documents (both electronic and print) containing personal data to the extent our company is required by law to do so. We will also retain documents containing personal data if we have reason to believe said documents could be relevant to legal proceedings, or to establish and/or exercise our own legal rights.


Our company will organise backups of our database and all of the electronic data held within our company server(s). Backup activities should include all data that relates to current users or customers, alongside any document or dataset relating to one of the aforementioned reasons as outlined within this data retention and erasure policy. [1ST AESTHETICS LTD] does this to ensure that lost information can be retrieved within one year, as and where needed.

6. Electronic data

Emails

Most emails do not need to be kept. Emails that are inconsequential or unrelated to contracts or projects should subsequently be treated in line with the following policies:


  • All emails should be deleted after 12 months. This includes both internal and external emails
  • [1ST AESTHETICS LTD] will archive emails for six months after employees have deleted them. After this six-month period, archived emails will be destroyed
  • Employees should never send emails containing confidential or proprietary data to external sources unless it has been approved by a relevant manager

Electronic documents

Electronic documents include, among other formats, PDF documents and files originating from the Microsoft Office suite or similar software.


Retention and erasure will depend upon the purpose of the electronic document, yet as a general rule of thumb employees can apply the following rules:


For PDF documents, the maximum period of retention should be 6 years. PDF documents that employees deem vital to their performance or role should be printed and/or stored in the relevant employee’s workspace. 


For text documents or other formatted files, the maximum period of retention should be 5 years. Text documents or other formatted files that employees deem vital to their performance or role should be printed and/or stored in the relevant employee’s workspace. 


[1ST AESTHETICS LTD] does not and will not automatically delete electronic documents or corresponding data beyond the time periods defined within this policy. It is the responsibility of our employees to ensure they are adhering to our policy guidelines.

7. Insurance data

Record | Retention period
Certificates | Permanent
Claims files | Permanent
Current insurance policies | Permanent
Expired insurance policies | Permanent

8. Legal data

Record | Retention period
Legal memoranda and legal opinions | 7 years after resolution
Litigation data | 1 year after expiration of appeals or time for filing appeals
Court orders | Permanent
Requests for a departure from [COMPANY NAME] retention and erasure schedule | 10 years
Register of members | Permanent
Directors’ meeting minutes | 10 years

9. Miscellaneous data

Record | Retention period
Reports from consultants | 2 years
Documents containing content of historical value | Permanent
Original policy and procedures manuals | Current version with revision history
Copies of policy and procedures manuals | Retain current version only
Annual company reports | Permanent
Records of personal identification | 5 years
Any work-related reportable accident, injury or death | 3 years from incident
Immigration checks | 2 years from termination of job

10. Personnel data

Record type | Retention period
Job applications and/or related interview data concerning unsuccessful candidates | 6 months
Employee personnel records | 6 years after end of contract
Employment contracts | 7 years after end of contract
Employment records correspondence with employment agencies | 3 years from date of hiring
Job descriptions | 3 years after superseded
Working time opt-out documentation | 2 years
Financial details of employees | As long as necessary

11. Tax data

[1ST AESTHETICS LTD] keeps accounts and/or records to demonstrate and establish amounts of gross income, deductions, credits and other information. These records are crucial to maintaining our company’s compliance with tax laws.


Associated records and documentation will include (but are not limited to) the following records and associated schedules:


Record | Retention period
Tax-exemption documentation | Permanent
Tax bills | 7 years
Tax returns | Permanent
Tax receipts | Permanent
Tax statements | Permanent
Sales and/or use of tax records | 7 years
Annual returns | Permanent
Payroll/wage records for unincorporated businesses | 5 years after 31 Jan following the year of assessment
PAYE records | 3 years from the end of the tax year to which they relate
Maternity records | 3 years after the end of the tax year in which the maternity pay period ends

A. General guidance

Under GDPR, your company must provide explicit privacy information to any and all data subjects. These privacy statement requirements are more specific and more demanding than those previously expected of UK companies under the Data Protection Act 1998.


First and foremost, it’s worth noting that a privacy statement absolutely must be supplied by your company to any relevant individual at the point at which they provide or submit their personal data to you. More important still, the statement that your company provides those individuals with must be:


  • Concise
  • Transparent
  • Easily accessible
  • Written in plain language
  • Free of charge to access and read


Please note that additional rules are required if your privacy statement is designed for and/or directed at children.


To help you develop your privacy statement that complies with all of your GDPR obligations, we’ve compiled the following guidance sections.

Name and details of Data Controller

You must identify the name and contact details of the relevant data controller within your privacy statement. Here is an example of how your company may wish to outline these details: 

[J MORE] is the designated data controller for [1ST AESTHETICS LTD] and is committed to upholding our commitment to protect the rights of individuals under the legislation outlined within the Data Protection Act 2018 and the General Data Protection Regulation (GDPR).

Name and details of data protection officer

You must identify the name and contact details of the relevant data protection officer within your privacy statement. Here is an example of how your company may wish to outline these details: 

[1ST AESTHETICS LTD] has appointed [J MORE] as data protection officer to assist us in upholding our commitment to individual rights. Our data protection officer can be contacted both through our website [1staesthetic.co.uk] and by post [1ST AESTHETICS WC2H 9JQ].


Description of the data being collected

Your company must explicitly describe the personal data you are collecting, storing or processing.


As a reminder, GDPR defines ‘personal data’ as being any type of information that includes an individual’s:


  • Name
  • Location
  • Any sort of identification number
  • Any online identifiers
  • Any physical identifiers
  • Any attribute that could reveal their social identity 


The aforementioned data types also apply to any personal data concerning employees, students or other stakeholders and clients.


This data includes:


  • Name
  • Date of birth
  • Address
  • Telephone number
  • Email address
  • Role
  • Emergency contacts
  • Passport or other identification 


There are also special categories of personal data called sensitive personal data. This type of data generally includes information like:


  • Race or ethnic origin
  • Religion
  • Sexual orientation
  • Political affiliations
  • Trade union affiliations
  • Genetic or biometric data
  • Health information

Sensitive data

If your company collects sensitive data, your privacy statement must explicitly outline what information you are collecting, where you are going to store it and how you are going to store it.

Here is an example of how a privacy statement must address this responsibility:

“[1ST AESTHETICS LTD] must collect the following sensitive data about you so that we can deliver [PROCESSING]:

  • [SENSITIVE INFORMATION]

[1ST AESTHETICS LTD] needs your explicit consent for processing this sensitive data. We must request your signature for this consent.”

If your company does not collect sensitive data, you should state this within your privacy statement instead.

The age of consent for children

GDPR sets 16 years of age as the point at which an individual is no longer considered a child. That being said, GDPR empowers all EU member states to amend this age to either 13, 14 or 15 years old at their own discretion.


Bearing this in mind, data controllers are required to be aware of the age of consent in concerned member states. They are not permitted to seek consent from any individual under the specified age of consent within that individual member state.


If your company needs to obtain consent to collect, store or process the data of a child, you are permitted only to obtain consent to collect, store or process that data from an individual who holds parental responsibility for the concerned child. Your company must subsequently make reasonable efforts to verify the individual granting consent on the behalf of a child actually does hold parental responsibilities.

Privacy statements for children

If your company is offering services directly to a child, then the relevant data controllers within your company must do everything they can to ensure that your company’s privacy statements are written in a comprehensible and plain fashion that a child will be able to understand.

Online services being offered to children

The vast majority of consent requests your company will likely be required to collect will be in relation to the provision of online services. Examples of online services could include provisions such as:

  • Online stores
  • Streaming services
  • Social networking

The aforementioned rules in relation to the age of consent and corresponding privacy statements apply to most online services being offered. One exception to this is if your company is processing data relating to preventative or counselling services being offered directly to a child. Under such a circumstance, you do not need to seek consent from a parental figure.

Why data is processed

Your company must outline all of the reasons for processing data. Examples of processing reasons might include:

  • Financial administration 
  • The provision of support services
  • The provision of information services
  • Account management
  • Equal opportunities monitoring
  • Research and analysis
  • The provision of operational information
  • Marketing
  • Safeguarding
  • Security
  • Crime prevention
  • To protect legitimate interests


You must state in your privacy policy any situations in which automatic decisions or actions are made within your company in relation to data.


Your company should also include a broad description of the ways in which you plan to use personal data, and the legal grounds supporting your ability to do so. 

Furthermore, your privacy statement should also include a line similar to the following:

 “[1ST AESTHETICS LTD] only uses personal data for the reasons for which we collected it. We will only ever use your personal data for another reason if we reasonably consider that the new purpose is compatible with the original reason for which the data was collected.

If we are required to make such a decision, we will always notify you. We may also at times be required by law to process your personal data without your knowledge.

To find out more about the reasoning behind any decision [1ST AESTHETICS LTD] has made to process your data for a new purpose, get in touch.”

If your company plans on using personal data for marketing purposes, you must explicitly say so. An example of how you may wish to convey this within your privacy statement could include:

 “You may receive marketing communications from [1ST AESTHETICS LTD] if you have:

  • Requested information from us
  • Purchased goods or services from us
  • Provided us with explicit consent for us to send you marketing communications
  • Not opted out of receiving marketing communications

We will always ask for your consent before we share your personal data with any third-parties. You can ask us or any relevant third-parties to cease sending you marketing communications at any time, by emailing us. You should send relevant requests to [[email protected]].

Please note that if you opt out of receiving marketing communications from [1ST AESTHETICS LTD], your personal data may still be retained as it relates to the provision or purchase of a product and/or service, warranty registration or other transactions.”

Legal basis for processing personal data

To comply with your legal responsibilities under GDPR, your company must identify the lawful basis upon which you are processing an individual’s personal data.

You must satisfy at least one condition under Article 6 of GDPR if you are processing personal data. If you are processing special category data, you must satisfy at least one condition under both Article 6 and Article 9.

Relevant conditions of these articles are outlined below:

Article 6: Personal Data

  • Individual has given consent
  • Processing is required for delivery of a contract
  • Processing is required for legal compliance
  • Processing is required to protect the vital interests of the individual
  • Processing is required for a task that is in the public interest
  • Processing is required for the legitimate interests of the controller or a third party

Article 9: Special Categories

  • Individual has given explicit consent
  • Processing is required to carry out the obligations of the controller or of the individual in the field of employment
  • Processing is required to protect the vital interests of an individual unable to provide consent
  • Processing is required for the legitimate activities of a foundation, association or any other non-profit with a political, philosophical, religious or trade union aim
  • Processing relates to personal data that has already been made publicly available by the individual
  • Processing is required to establish, exercise or defend against legal claims
  • Processing is required for reasons of substantial public interest
  • Processing is required for occupational medicine, the assessment of the working capacity of the employee, medical diagnosis, the provision of treatment or the management of health or social care systems
  • Processing is required for reasons of public interest in public health
  • Processing is required for achieving aims that are in the public interest or for scientific, historical or statistical purposes

If your company would like to utilise the legitimate interests basis, you must satisfy the following requirements:


  • Your company must process data for the purposes of your legitimate interests or for those of a third-party to whom you disclose it
  • Once that requirement has been met, the interests listed must be balanced against the rights of the concerned individual


Your company cannot rely on the legitimate interests basis in situations where the processing is unwarranted or has a prejudicial effect on an individual’s rights or freedoms, as well as the legitimate interests of the individual. If your company’s legitimate interests clash with those of the data subject, it is the legitimate interests of the data subject that will ordinarily be given precedence.

For every type of personal data you process, you should provide a description of the ways you intend to use this data, and the legal grounds for doing so. You should also explain the legitimate interests you have to process this data, where relevant. An example of how this information might be laid out is as follows:


Action: Processing the delivery of products or services ordered, and actively managing the payments and debt recovery processes
  Data/Information type: (1) Personal identifiable information; (2) Contact information; (3) Financial information
  Legal grounds for processing: (1) To complete the contractual agreement; (2) Required for our legitimate interest of recovering any funds owed to us after the delivery of products or provision of services

Action: Updating customers on any amendments to our terms and conditions or privacy policy
  Data/Information type: (1) Personal identifiable information; (2) Contact information
  Legal grounds for processing: (1) To complete the contractual agreement; (2) Required to satisfy legal requirements

Action: Registering a new customer
  Data/Information type: (1) Personal identifiable information; (2) Contact information
  Legal grounds for processing: (1) To complete the contractual agreement

Action: Protecting our business and websites by performing website tests, applying security updates, assessing any cybersecurity threats and analysing our databases
  Data/Information type: (1) Personal identifiable information; (2) Contact information; (3) Website and technical information
  Legal grounds for processing: (1) Required to satisfy legal requirements; (2) Required for our legitimate interest of protecting our websites and business from malicious usage, to prevent cybercrime, complete technical website audits and increase our network security

Action: Emailing customers to request feedback or participation in a prize draw
  Data/Information type: (1) Personal identifiable information; (2) Contact information; (3) Product usage information; (4) Marketing information
  Legal grounds for processing: (1) To complete the contractual agreement; (2) Required to satisfy legal requirements; (3) Required for our legitimate interest of studying how customers interact with our products and services offered, and how these can be further enhanced



The Data Recipients 

Your company needs to explicitly state all recipients of data, or the categories of recipients of data. For the purposes of your company’s privacy statement, a recipient is defined as a natural or legal person, public authority, agency or any other organisation to which personal data is disclosed. This includes organisations that are third parties, as well as subsidiary organisations within your company.


An example of the type of messaging you may wish to include in your privacy statement could run along the following lines:

“[1ST AESTHETICS LTD] may be required to share your personal data with carefully selected third-parties for the identified processing purposes. These third parties may include:

  • IT or system administration services providers
  • Professionals providing banking, legal, accounting, consultancy and/or insurance services.
  • Government regulators based in the United Kingdom and other relevant jurisdictions
  • HM Revenue & Customs
  • [PH AESTHETICS TRAINING LTD]
  • Any existing or future third parties to which [1ST AESTHETICS LTD] may sell, transfer or merge aspects of our business or assets

All third parties to which we transfer data are required to respect your personal data, keep it secure and process it only for the specified purposes for which it has been collected. Third parties will only ever receive or process your data with our explicit permission.”

Data transfers to countries outside the EU

If your company plans to transfer personal data to outside the EU, you must specify why that transfer is necessary, where the data will be transferred and to whom it will be transferred.

Data Retention Periods

Your company must state a specific retention period for which personal data will be stored. If it is not possible to share an explicit retention period, you must share the criteria that will be used to determine any retention period.

Automated decision-making processes 

If your company will use data as part of an automated decision-making process, you must state the existence of those processes, the logic involved, and any consequences associated with those processes as they relate to personal data.

Where/how data is collected 

In instances in which your company has not obtained personal data from the data subject directly, you must cite who this data was obtained from.

Individual rights

Your company has an obligation to inform individuals about their rights under GDPR. This includes their right to access and port data, their right to rectify incorrect data, restrict use, object to processing or withdraw consent.

An example of how your company may wish to explain this within your own privacy statement could run as follows:

“[1ST AESTHETICS LTD] respects your rights. We fully observe your right to access your personal data, to object to the processing of personal data, or to erase, restrict, rectify or port your personal data. Relevant requests can be made to [J MORE] at [1ST AESTHETICS WC2H 9JQ].

Visit us online at [1staesthetic.co.uk] for further details relating to your individual rights.”

Information security

If you collect, store or process personal data, you must explain the security measures your company has in place to protect that data.

An example of how your company may wish to explain this within your own privacy statement could run as follows:

“[1ST AESTHETICS LTD] has implemented a series of security measures to make sure that your personal data is protected from accidental loss, unauthorised access, alteration or disclosure. [1ST AESTHETICS LTD] limits access to your data only to those employees, agents, contractors or other third parties with a legitimate reason to access that information. Those individuals or organisations will only ever process or access your personal data upon our explicit instructions. They are subject to a duty of confidentiality.”

Complaints

You must provide individuals with a complaints procedure if they are not content with the way in which their personal data has been collected, stored or processed.

An example of how your company may wish to explain this within your own privacy statement could run as follows:

“If you are not happy with how your personal data has been processed, you should contact [J MORE] in the first instance by using the contact details listed above. If [J MORE] is unable to satisfy your concerns, you have the right to apply to the Information Commissioner’s Office for a resolution.


You can contact the Information Commissioner’s Office at the following address:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

www.ico.org.uk”

B. Privacy notice template

Please note the following privacy notice is a template only. Particular sections of this template may or may not apply to your business, and you may be required to add new sections, statements or information based upon your own unique company needs or data requirements.

Frequently asked questions

Who is using my data?

1ST AESTHETICS LTD

What is my data being used for?

[1ST AESTHETICS LTD] stores and processes data to help us maintain your account, process and store transaction details, offer customer support, send system updates and send offer details.

What will happen to my data?

[1ST AESTHETICS LTD] may use your data to send you information, updates and offers we think you’ll be interested in.

What data will be kept and stored?

[1ST AESTHETICS LTD] stores registration details, transaction details, usage information and any information about your web preferences on our website.

What data will be shared with others?

We only share your data with regulators or government bodies if requested.

How long will my data be stored?

We will store your data for a period of [7 YEARS] after your last attempted login. After this period, your account will be deleted. You can request your account to be deleted at any time.

Who will be able to access my data?

[1ST AESTHETICS LTD] will never sell or share your data with any third party, unless you grant us your explicit permission to do so.

How will my data be kept and made secure?

[1ST AESTHETICS LTD] stores your data on secure servers that are based in the UK. Data is processed in the UK, and we use standard industry security protocols.

 

Privacy Notice

Date: [01/05/21]


1ST AESTHETICS LTD takes your privacy seriously. That is why we will only use your personal information to provide you with the products and services you have requested, as well as to administer your account. We will not sell or share your information with third parties unless you grant us explicit permission to do so, and we will never use your personal data for any reason other than the reasons described within this policy.

About our privacy policy

Our privacy policy outlines your relationship with our company and explains in detail how we use the information that you provide us with.

About [1ST AESTHETICS LTD]


[1ST AESTHETICS LTD] is the trading name of 1ST AESTHETICS LTD, which is registered in [ENGLAND] and registered with the UK’s Information Commissioner’s Office under the Data Protection Act 2018. Our data controller is [J MORE], and we encourage you to get in touch with any questions you may have about [1ST AESTHETICS LTD].


You can reach us by:


  • Post: [WC2H 9JQ]
  • Telephone: [01144 701061 or 01924 682668]
  • Email: [[email protected]]
  • Website: [1staesthetic.co.uk]

Changing your preferences

If you’d like to change your web, contact or marketing preferences, you can do so at any time. Simply contact us at [[email protected]] to request the necessary amendments.

How we do business

[1ST AESTHETICS LTD] is committed to upholding and maintaining your personal rights. We operate our business in line with the European Union’s General Data Protection Regulation and observe your rights to change or withdraw your opt-in options at any time. As part of our ongoing commitment to uphold your rights, [1ST AESTHETICS LTD] will also extend advice on how you can issue formal complaints to relevant authorities, such as the Information Commissioner’s Office.

Sensitive data


[1ST AESTHETICS LTD] does not collect any sensitive data about you. Sensitive data refers to (but is not limited to) information about your race or ethnic background, religious or political affiliations, trade union affiliations, sexual orientation, criminal background or health background.

Who our privacy policy applies to

This privacy policy has been developed to inform users of [1ST AESTHETICS LTD] how we use their data. [1ST AESTHETICS LTD] is an [AESTHETICS PROVIDER / TRAINER], and we need to process the data of individuals to offer our products and/or services. Bearing that in mind, our privacy policy applies to any and all individuals registered with us as a user, customer, administrator or in any other capacity.



What information this policy applies to

There is a lawful basis for processing your data, and this section of our privacy policy outlines how this applies to the personal information you provide us with or allow us to collect.

The information this policy applies to includes information that you:

  • Provide as part of any registration process 
  • Provide as part of any campaign creation activity
  • Provide in the form of numerical data, metadata or communications
  • Give us as part of our ongoing relationship


This policy also applies to information that we:


  • Collect relating to how you interact with our website
  • Must process to complete purchases and other transactions

Consent

Please note that when you submit personal data on our website, you are giving [1ST AESTHETICS LTD] your explicit consent that we can use that data in line with our privacy policy. 

Opting out

After giving 1ST AESTHETICS LTD your consent, you are free to amend your consent or withdraw your consent at any time. You have the right to object to the processing of your data. To opt out, change your preferences or revoke your consent, simply contact us by emailing [[email protected]].

Data processing and storage

[1ST AESTHETICS LTD] collects and stores data in the UK. We will store your data for a period of [7 YEARS] after your last recorded login attempt unless otherwise noted and explicitly stated.

[1ST AESTHETICS LTD] stores data relating to transactions, payments and orders for a period of up to seven years. This period may be extended under certain circumstances as part of our ongoing commitment to comply with UK and international law.

We use carefully selected and recognised third parties to help us take payments, provide commerce services and manage company accounts. Some of these third parties may operate outside the European Union.

[1ST AESTHETICS LTD] may process your data based on more than one legal ground.

Circumstances under which we may be required to process your data under more than one legal ground may include:

| Reason | Data type | Legal basis |
| --- | --- | --- |
| Customer registration | Identity and contact information | To carry out a contract we’ve made with you |
| Processing and/or delivering your order | Identity, contact information, financial information, financial and transactional data | To carry out a contract we’ve made with you and to exercise our legitimate interests to recover debts owed |
| To manage our customer relationship with you | Identity, contact information, marketing and communications preferences | To carry out a contract we’ve made with you, to comply with legal obligations and to exercise our legitimate interests to keep our records updated |

Marketing and communications

[1ST AESTHETICS LTD] may send you marketing communications if you have given us your contact details and opted in to marketing communications.

You can opt out of these marketing communications and manage your preferences at any time.

Our company obligations

As a data controller, [1ST AESTHETICS LTD] is legally responsible for the data you provide us with. In honouring that responsibility, we pledge to uphold our commitments under GDPR and the Data Protection Act 2018.


We will only ever use your data:


  • In ways that are both fair and legal
  • As described within this policy
  • In ways that are necessary for the purposes described


In addition, [1ST AESTHETICS LTD] processes the personal data you submit to us or we collect as a data processor. As part of this role, [1ST AESTHETICS LTD] takes all necessary precautions to secure the personal data we collect, process and store.


We may occasionally use the data you provide us with for marketing, relationship management or account management activities. These activities are designed to ensure you have adequate information about other products and/or services we offer, that we have reason to believe you may be interested in. You have the right to opt-out of these activities at any time.



Third parties

[1ST AESTHETICS LTD] never shares your personal data with third parties unless those parties have been explicitly mentioned within our privacy statement.

Our security

As part of our ongoing commitment to GDPR, [1ST AESTHETICS LTD] will report any security breaches or attempted breaches to the relevant authorities within 24 hours. We will subsequently contact all those affected by the breach within 72 hours of its occurrence. 

Legitimate interests

As part of the Data Protection Act 2018, [1ST AESTHETICS LTD] observes the right to share selected information with third parties that use data for non-marketing purposes. This could include (but is not limited to) organisations that provide credit assessments, identification services and fraud prevention activities.

Contact us

[1ST AESTHETICS LTD] is committed to upholding your rights. If you have any questions, comments or concerns about this privacy policy or wish to exercise your rights in relation to your personal data, please contact [J MORE] at [1ST AESTHETICS LTD].

We will process any request within 20 days. Subject Access Requests are normally performed free of charge, but we may need to charge individuals for excessive or unreasonable data requests.


Due diligence checklist

Supplier details

  • Name of supplier
  • Named supplier representative
  • Contact address of supplier
  • Review date
  • Scheduled date for next review
  • Name of company representative conducting check

Contract details information

  • Are GDPR responsibilities defined within [1ST AESTHETICS LTD]’s contract with the supplier?
  • Does the supplier take full liability in the event of a security breach?
  • Does the supplier take partial liability in the event of a security breach?
  • Has [1ST AESTHETICS LTD] reviewed all contracts with the supplier?
  • Has the supplier defined GDPR responsibilities in their employment contracts?

System security information

  • Does the supplier take responsibility for data security?
  • Has the supplier documented its system coding and design?
  • Does the supplier carry out security testing on a regular basis?
  • Has the supplier taken all of the necessary steps to protect their systems?
  • Does the supplier encrypt data that is either ‘at rest’ or ‘in flight’? (Note: this should include data exchanges such as email interaction or APIs.)

Data subjects information

  • Which individuals within the supplier’s business hierarchy have access to various data subjects?
  • What data can those authorised individuals access?
  • Why do those authorised individuals have access to that data?
  • Does the supplier use a ‘privacy by design’ approach in securing subject data?
  • What type of access and what rights to access does this supplier give to relevant data subjects?

Data security information

  • Is the supplier capable of fulfilling a subject access request?
  • What is the supplier’s process for fulfilling a subject access request? (If applicable)
  • Does the supplier log changes to data?
  • Does the supplier report on logged changes to data?
  • Does the supplier implement right to be forgotten requests?
  • Does the supplier log right to be forgotten requests?
  • Does the supplier offer data portability in a usable format?

Standards information

  • Does the supplier in question observe ISO 9001?
  • Does the supplier in question observe ISO 27001?
  • Does the supplier in question have a Cyber Essentials certificate?
  • Does the supplier in question have C-base?
  • Is the supplier in question a member of the ‘Investors in People’ scheme?

Financial information

  • Has a satisfactory Companies House review of the supplier been successfully completed?
  • Has a satisfactory FCA/MOJ/ASA/ICO review of the supplier been successfully completed?
  • Has the supplier in question been administered a credit check?
  • Has the supplier in question passed a credit check?
  • Will the supplier indemnify [1ST AESTHETICS LTD] in the event of a security breach?

Insurance information

  • Does the supplier in question have cyber insurance coverage in place?
  • Does the supplier’s insurance coverage extend to data protection?
  • Does the supplier’s insurance coverage extend to breach protection?
  • Does the supplier carry professional indemnity insurance? (yes/no)

Privacy information

  • Does the supplier in question restrict access to data to authorised personnel only?
  • Does the supplier encrypt data?
  • Has a security review been conducted of [1ST AESTHETICS LTD]’s supplier systems?
  • Does the supplier ever use Open Source platforms?
  • Does the supplier in question audit the use of third-party plug-ins, themes or apps surrounding the use of Open Source platforms? (If applicable)

Data recovery information

  • Does the supplier have a release management policy in place?
  • Does the supplier have a clearly outlined and well-defined data recovery policy?
  • Does that data recovery policy include relevant protocols to ensure that no breaches occur if and when data must be restored?
  • Does the supplier have a data backup policy in place in the event of a system failure?
  • What does the supplier’s data backup policy procedure entail?
  • Does the supplier in question have a disaster recovery plan in place?
  • What does the supplier’s disaster recovery plan entail?

Data breach information

  • In the event of a data breach, does the supplier have a recording pathway?
  • What is the process by which [1ST AESTHETICS LTD] will be informed of a data breach?
  • What is the process by which data subjects will be informed of a data breach?
  • What is the process by which relevant third parties will be informed of a data breach?

Audit and reporting information

  • Does the supplier in question offer any sort of audit of their services?
  • Is the supplier able to demonstrate their GDPR compliance?
  • How regularly does the supplier conduct reviews of their compliance?
  • Is the supplier able to provide an audit report demonstrating GDPR compliance?

GDPR compliance information

  • Based on the aforementioned checklist items, is the supplier in question GDPR compliant?
  • Has the supplier in question audited their own suppliers or vendors?
  • Does the supplier have a risk management process in place?
  • Does the supplier have an appointed Data Protection Officer?

Supplier due diligence checklist results – Fail/Pass/Additional information required

Additional information required


SUBJECT ACCESS REQUEST FORM


A. Subject access request process template

1ST AESTHETICS LTD is committed to upholding the rights of individuals as defined under GDPR. This is why we observe the right of individuals to request any data that we may hold on them as part of a recorded subject access request.


We are committed to performing subject access requests in a timely and accurate manner. For guidance purposes, subject access requests should adhere to the following six steps:


  • Receive and record the subject access request
  • Verify the identity of the individual making the request
  • Process the subject access request
  • Verify response
  • Respond to the subject with the relevant information
  • Record the request and following interactions

B. Subject access request form template

Please complete this form if you’d like [1ST AESTHETICS LTD] to supply you with a copy of any data relating to you that we may hold.


[1ST AESTHETICS LTD] observes your right and entitlement to receive this information under the European Union’s General Data Protection Regulation and the Data Protection Act 2018.


As part of your subject access request, [1ST AESTHETICS LTD] will also supply you with information about any processing activity that has taken place involving your personal data, as well as the period of retention that has been applied to the data in question.


After receiving this request, [1ST AESTHETICS LTD] will provide you with a confirmation of receipt of your request, and a confirmation of receipt of any additional information we may ask you for in order to process it.


Upon your examination of this data, please note that you have the right to request corrections to be made, restrict use or tell us to delete your information.


Please note that the information you provide us with as part of this request form will be used solely to identify the data you are requesting and to respond to your request. You do not need to complete all fields of this form if you do not wish to do so, but completion will enable us to better facilitate your request.


  • Your contact details

      ◦ First name
      ◦ Last name
      ◦ Address
      ◦ Telephone
      ◦ Email


  • Are you requesting information about yourself?

[COMPANY NAME] is committed to protecting your data, and so to ensure that we are releasing your personal data to the right person, we will need you to supply us with proof of identity and address.

To verify your identity, please send us a scan or photocopy of one item from both of the categories below:

  • Proof of your identity
      ◦ Passport
      ◦ Driving licence
      ◦ National identity card
      ◦ Birth certificate
  • Proof of your address
      ◦ Bank statement
      ◦ Utility bill
      ◦ Credit card statement (must be under three months old)
      ◦ Current driving licence
      ◦ Current TV licence
      ◦ Local authority tax bill
      ◦ HMRC tax document (must be under one year old)

Please do not send original copies of documentation.

If you are unable to provide us with sufficient evidence to verify your identity, [1ST AESTHETICS LTD] reserves the right to refuse your subject access request.

  • Are you requesting information on behalf of someone else?

If you are requesting data on the behalf of the individual that data relates to, you must include the following alongside your completed subject access request form:

  • Written consent from the data subject giving you authority to request this information
  • Proof of the data subject’s identity
  • Proof of your identity

To verify your identity and the identity of the data subject, please send us a scan or photocopy of one item from both of the categories below:

  • Proof of your identity
      ◦ Passport
      ◦ Driving licence
      ◦ National identity card
      ◦ Birth certificate
  • Proof of your address
      ◦ Bank statement
      ◦ Utility bill
      ◦ Credit card statement (must be under three months old)
      ◦ Current driving licence
      ◦ Current TV licence
      ◦ Local authority tax bill
      ◦ HMRC tax document (must be under one year old)

Please do not send original copies of documentation.

If you are unable to provide us with sufficient evidence to verify your identity, 1ST AESTHETICS LTD reserves the right to refuse your subject access request.

Contact details of the data subject:

  • First name
  • Last name
  • Address
  • Telephone
  • Email



C. What information are you requesting?


In the box below, please tell us the information you would like to receive, alongside any information or details you think may assist us in identifying the data in question to process your request.


Please specify if you would like to receive any details relating to why [1ST AESTHETICS LTD] is processing your data, who has access to that data and how we were supplied that data. 




 

Please note there may be situations in which disclosure of data or information could adversely affect the rights of others. If we believe disclosure of data to you is not compatible with our duty to uphold the individual rights of others, we will explain this to you, outlining our reasoning.


[COMPANY NAME] will strive to process and complete your subject access request in a fashion that is satisfactory to all parties; however, there may be times when we cannot provide you with copies of the data you have requested if it would take disproportionate effort. We reserve this right under the Data Protection Act 2018.


Please note that while [COMPANY NAME] strives to carry out and complete subject access requests to all individuals free of charge, we reserve the right under Article 12 of the General Data Protection Regulation to charge a nominal fee or refuse a request that is considered manifestly unfounded or excessive. 

D. Your declaration

Please read and sign the following declaration for us to process your subject access request.

I confirm that I have read the terms of this subject access request form and understand those terms. I hereby certify the information I have provided on this form is true and accurate. I understand it is necessary to verify my identity and/or the identity of the aforementioned data subject to process this request. I understand I may be asked to submit more information to facilitate this request.


Signature: _________________________________________

Date: _____________________________________________

C. Subject access request response template

Subject line: Subject access request: reference *|REFERENCE NUMBER|*

Dear *|NAME OF INDIVIDUAL|*

Thank you for your request dated *|DATE REQUEST WAS MADE|* concerning *|DATA SUBJECT|*. We have processed your request, and are pleased to enclose the requested information.

*|INFORMATION REQUESTED|*

We hope you find provision of this information satisfactory. Please do not hesitate to contact us with further queries.

Best wishes

*|COMPANY NAME AND/OR NAME OF INDIVIDUAL PROCESSING REQUEST|*



D. Subject access request log template

[COMPANY NAME] records all subject access requests. Please use the table provided to document all requests and their corresponding outcomes.



| Subject access request number | Date request received | Data subject identity confirmed | Request response verified | Request response submitted | Total number of days to request completion |
| --- | --- | --- | --- | --- | --- |

DATA BREACH POLICY, LETTER AND REPORTING

Data breach policy, letter and reporting template

Here at [1ST AESTHETICS LTD], we take privacy seriously. That is why we take every possible precaution to protect personal data, and actively work to avoid any data protection breaches which could compromise our data security, or the personal rights of our clients, customers, stakeholders or anyone else associated with our company.


To mitigate the risk that any such data compromise could pose, we have developed the following data breach policy. It is an integral part of our compliance responsibilities under the General Data Protection Regulation and Data Protection Act 2018, and is designed to develop clear lines of responsibility and processes that must be followed to adequately mitigate and manage data breach and security incidents.

What does this policy cover?

The scope of this data breach policy encompasses all personal and sensitive data our company holds. This data breach policy applies to everyone at our company – including employees, temporary or casual staff, consultants, suppliers, contractors, freelance workers or other data processors who are storing or processing data on the behalf of our company.


What is the purpose of this policy?


The purpose of this data breach policy is to contain all data breaches and to minimise the risks associated with any breaches. It also outlines the actions that should be taken in the event of a breach to ensure data is secure and to prevent further breaches.


About data breaches


A data breach is defined as any incident, event or action that has the potential to compromise the availability, integrity or confidentiality of data, or our company’s data systems. This includes incidents or events that happen by accident or deliberately. Both confirmed and suspected incidents may qualify as a data breach.


For the purposes of this data breach policy, an incident may include (but is not limited to) any of the following:


  • Unauthorised use or accessing of data
  • Unauthorised modification of data
  • Loss of personal or sensitive data
  • Theft of personal or sensitive data
  • Loss or theft of equipment on which data has been stored
  • Individual error
  • Any attempts to gain access to data or our company IT systems (whether successful or failed)
  • Defacement of web property
  • Physical incidents, like a fire, which could compromise IT systems

How to report a data breach

All employees who access, manage or use data in any way are responsible for reporting a data breach or any other type of security incident. This report should be made immediately to the employee’s line manager, using the data breach reporting form.


This report must include full details of the incident or breach, when it occurred, who the data relates to and how it occurred. It must also include details about the individual reporting the incident.


If a data breach or a data security incident occurs outside of normal company hours, or a data breach or data security incident is discovered outside of normal company hours, it must be reported as soon as possible.


Any violation of this data breach policy could result in disciplinary action procedures taking place for company employees.

Data breach containment and data recovery

All necessary steps must be immediately carried out to minimise the effects of any data security breach or data security incident. This process of containment should begin with an initial assessment designed to establish the severity of the incident. The initial assessment should also include analysing whether there is any way to recover the lost data, and mitigate further risks associated with the incident.


Your initial assessment should include the following information:


  • The data involved
  • Whether the data involved is sensitive in nature
  • The individuals affected
  • The security measures that are in place to protect the data
  • What has happened to the data
  • Whether the data involved could be used in an illegal or otherwise inappropriate way
  • Any perceived wider consequences associated with the breach or incident

Data breach notification

[1ST AESTHETICS LTD] will determine which individuals must be notified in the event of a data breach or data security incident. Each incident must be assessed on a case-by-case basis. In every instance, the following considerations will be made:


  • Any contractual notification requirements
  • Any legal notification requirements
  • How many people are affected
  • What consequences may occur as a result of the data breach or data security incident
  • Whether notification of a breach or incident would help the individual to mitigate risks associated with the incident
  • Whether notification could assist the company in meeting its legal obligations under GDPR and Data Protection Act 2018
  • Whether notifying an individual could prevent the unauthorised or illegal use of data 
  • Whether [1ST AESTHETICS LTD] must notify the Information Commissioner’s Office


All data breaches and data security incidents, both suspected and verified, must be recorded, to assist in further analysis and to help prevent further breaches.

The danger of notifying too many individuals

There will be data security incidents in which a large number of individuals will need to be notified. However, there will be other incidents in which notifying a large number of individuals may have the potential to cause disproportionate enquiries.


Whenever we notify an individual whose personal data has been affected by an incident or breach, that notification must include a description of when the breach occurred, how the breach occurred and what data was involved. Notifications must also include explicit guidance concerning what said individual can do to protect themselves. We should also outline to concerned individuals what steps our company has already taken to mitigate risks.

Data breach evaluation and response

After the data breach or data security incident has been contained by carrying out all necessary measures, [COMPANY NAME] will conduct an extensive review detailing:


  • The cause(s) of the breach
  • The effectiveness of any responses
  • Whether changes to existing IT systems, company procedures or policies must be implemented

All existing protocols must be reviewed to analyse their adequacy. Any necessary amendments to protocols must be identified and carried out as soon as possible.

Data breach report form

Please complete this form in the event of a data breach or data security incident:


To be completed by employee

  • Date of incident
  • Date incident was discovered
  • Name of the individual reporting incident
  • Contact details of the individual reporting incident
  • Where the incident occurred
  • Description of the incident
  • Number of data subjects affected by incident
  • Personal data placed at risk by incident
  • Description of any actions taken at the point of discovery

To be completed by the Data Protection Officer or [COMPANY NAME] management

  • Name of individual receiving report
  • Date report received
  • Name of individual the report was forwarded to for action
  • Date the report was forwarded for action


Data breach letter template

Dear [Customer Title and Surname],


We regret to inform you that [1ST AESTHETICS] has discovered a breach in our processing system that has exposed your personal data to unauthorised use by external parties. We have notified the Information Commissioner’s Office (ICO) and relevant law enforcement agency about this incident and will work with cyber security experts and legal counsel where needed to minimise any further risk posed to you by this incident.

About the incident

We appreciate you’re going to have questions and concerns relating to this data incident, and we will do our best to explain the situation, what happened and why.


[1ST AESTHETICS LTD] has conducted an investigation and we believe the following events led to the data security incident in question:


  • [List timeline of events here]
  • *DETAILS*

About the data involved

We believe the following personal information about you may have been unlawfully accessed or affected by this data security incident:


  • [List details here]
  • *DETAILS*

What this means for you

Following the investigation [COMPANY NAME] has carried out as part of this data security incident, and bearing in mind the type of information or data relating to the incident, we believe you may experience the following consequences as a result of this incident:


  • [List details here]
  • *DETAILS*


As a result, we would recommend you take the following actions as soon as possible to further protect yourself from additional risks associated with this incident:


  • [List details here]
  • *DETAILS*



What will we do to prevent this from happening in the future?

Here at [1ST AESTHETICS LTD], your privacy is one of our top concerns. We do everything we can to ensure your personal data is kept secure and your individual rights are preserved and upheld at all times. On this occasion we have fallen short, and we wholeheartedly and unreservedly apologise.


To ensure that data security incidents like this do not recur, [1ST AESTHETICS LTD] is already taking the following steps to eliminate the risk and minimise the impact such threats could pose to you:


  • [List details here]
  • *DETAILS*

What happens next?

We will not send you further email updates relating to this incident unless you explicitly request them. Any further emails you receive about this security incident should be treated as suspicious, and we encourage you to verify the authenticity of any further correspondence relating to this incident by contacting our Data Protection Officer, [J MORE], at [[email protected]].


We will publish future updates relating to this data security incident on our website, which you can access here: *1staesthetic.co.uk*.


Once again, we would like to take this opportunity to apologise for this breach of security. We promise to do everything within our power to make sure this never happens again.


If you have additional questions about this incident or your individual rights, please contact our Data Protection Officer, [J MORE], at [[email protected]].


Yours Sincerely,


[Name of employee]

[Job title]

[Company contact details]

Data breach reporting template

Please complete all fields of this form.


Breach identification number

Date logged

Impact on Data Subject

Breach contained

ICO notified of the Breach

Data subjects notified







Employee privacy policy template


Here at [1ST AESTHETICS LTD] we take your privacy seriously. We greatly value your contribution to our success, and we will do everything we can to protect your individual rights and personal liberties.


As part of our ongoing relationship, we will need to collect, store and process certain information about you. This information is required to carry out certain processes, and we will clearly explain what those processes are and how your data will be used. You have the right to object to the processing of your data at any time.


This privacy policy may be occasionally updated in-line with company policy and regulatory updates. Any updates to this policy will be communicated to all employees as soon as possible.


How will your information be used?


While you are an employee of [1ST AESTHETICS LTD], we must store and process information about you for management and administrative purposes only. The information you give us will be stored and processed only to allow us to maintain an effective relationship with you as an employee. These management processes apply during the recruitment process, while you are an employee of [1ST AESTHETICS LTD] and after your relationship with our company has ended.


The management and administrative processes carried out using your data allow us to fulfil the employment contract you have signed with us and to comply with the legal requirements we are duty-bound to follow. Your data may also be used to pursue the legitimate interests of [1ST AESTHETICS LTD] and to establish or defend our legal position in the event of legal proceedings.


Most of the information our company holds relating to you has been provided to [1ST AESTHETICS LTD] by you. In some cases, we may also collect information about you from other internal sources such as a line manager. On other occasions we may collect and store information about you from external sources, such as a reference as part of the recruitment process.


If you do not want to provide us with the information requested, [1ST AESTHETICS LTD] might not be able to meet all of the obligations to you set out in your employment contract. We will inform you if we are unable to comply with the conditions of your contract because of missing or withheld data.


We may anonymise your personal data in some cases so that it cannot be used to identify you. This may be done without notifying you.


After your relationship with our company has ended and you are no longer an employee at [1ST AESTHETICS LTD], we will store and/or securely destroy the data we hold relating to you in-line with applicable regulations.


There may be limited circumstances in which your data must be transferred outside of the EU. This will only ever be done to comply with our legal obligations, or our company’s contractual obligations to you as our employee. To protect your personal data, [1ST AESTHETICS LTD] has implemented the following safeguards for data transfers: 


  • [List details here]
  • [DETAILS]
  • [DETAILS]
  • [DETAILS]


Your personal data will be stored for a period of [7 YEARS], unless otherwise noted. Criteria used for determining data retention for other situations are as follows: 


  • [List details here]
  • [DETAILS]
  • [DETAILS]
  • [DETAILS]


There may also be situations in which your data is used as part of automated decision-making processes. Examples of these processes include profiling activity, as well as:


  • [List details here]
  • [DETAILS]
  • [DETAILS]
  • [DETAILS]



Our legitimate interests


[1ST AESTHETICS LTD] may occasionally need to process your data to pursue the legitimate interests of our company and its business. Examples of situations in which we may process your personal data in the legitimate interests of the company include (but are not limited to):


  • Fraud prevention
  • Administrative purposes
  • Crime reporting and detection


Our legitimate interests are [BUSINESS INTERESTS] in nature, and [1ST AESTHETICS LTD] will never use your information or wilfully process your data in any situation in which your own interests outweigh the legitimate interests of our company. We process your personal data only within our rights as enshrined in law, and we do so in a way that is transparent and fair.


We may occasionally need to process your data to ensure it is accurate and up-to-date or to ensure it is safe and secure.


What information do we collect?


[1ST AESTHETICS LTD] collects, stores and processes the following types of information about you as an employee:


  • Your name
  • Your title
  • Your date of birth
  • Your gender
  • Your address
  • Your telephone number(s) 
  • Your personal email address(es)
  • Your marital status 
  • Information about dependents
  • Your emergency contact information
  • Your next of kin
  • Your bank account details
  • Your tax status information
  • Your payroll records
  • Your salary
  • Information about your annual leave
  • Your benefits information
  • Your National Insurance number
  • Your photograph
  • Location of your employment or place of work
  • A copy of your driving licence
  • A copy of your passport
  • Your right to work documentation (if applicable)
  • Your referees
  • Your CV
  • Your performance history
  • Your disciplinary history
  • Your grievance history
  • CCTV footage (if applicable)
  • Electronic key card records (if applicable)
  • Information about your use of information systems


Why do we process your information?

[1ST AESTHETICS LTD] may process your data for the following reasons:


  • To make a decision about your appointment
  • To carry out payroll processes
  • To provide you with benefits
  • To liaise with your pension provider
  • To administer other elements of your contract
  • To manage performance
  • To carry out accounting and auditing functions
  • To assess your qualifications for a particular project, task or promotion
  • To make a decision about salary reviews
  • To make a decision about your continued employment
  • To gather evidence about grievance or disciplinary hearings
  • To address legal disputes
  • To make a decision about terminating our relationship
  • To assess your education or training requirements
  • To manage your absences
  • To ascertain your fitness to work
  • To comply with health and safety obligations
  • To carry out equal opportunities monitoring
  • To prevent fraud
  • To ensure network and information security
  • To conduct data analytics


It is inevitable that, in your capacity as an employee, you will be referred to in company records. Please also note that, wherever necessary, [1ST AESTHETICS LTD] may need to keep information relating to your health, such as reasons for absence and GP notes provided as evidence. This information will only ever be used to comply with our health and safety obligations and to administer benefits such as statutory sick pay or [BENEFITS].


If we need to process special categories of data, we will always obtain your explicit consent and explain the purpose for which this information must be processed, unless the information is required to protect your health in an emergency or consent is not required by law.


Special categories of information may include (but are not limited to):


  • Health information (including sickness absence records)
  • Sexual orientation
  • Racial or ethnic origin
  • Political affiliations
  • Religious affiliations
  • Trade Union membership
  • Biometric data

Where consent is given to process this information, you reserve the right to withdraw your consent at any time.

We will only ever disclose information about you to external parties if [1ST AESTHETICS LTD] is legally obliged to do so, or where we must disclose your information to comply with our company’s contractual obligations to you. Examples may include passing your contact details on to your pension provider. We may also transfer information about you to other companies within our wider family of companies, for purposes related to your employment or to company management and administration.

We may occasionally rely on profiling and/or automatic decision-making. This will only be used in certain limited situations, [INSERT DETAILS OF THESE SITUATIONS] [INCLUDE INFORMATION ABOUT THE REASONS, IMPACT AND POTENTIAL CONSEQUENCES OF PROCESSING DATA USING AUTOMATED DECISION-MAKING]. 

We also monitor computer and telephone usage, to ensure that employment activities are carried out in line with our Data Protection Policy and the Company Handbook. 

To perform our contract with you or to meet our legal obligations, your information may be transferred outside the EU or to international organisations. To ensure your data is protected, we maintain a list of security measures [CYBER SECURITY MEASURES]. A copy of these security measures can be requested from [OFFICE].

We will store your personal information for a period of [7 YEARS]. We will also rely on the criteria set out in the retention schedule when deciding how long to store your information. If we decide to process your personal information for a new reason, or for a reason which differs from the one for which it was originally collected and stored, the Data Protection Officer will inform you of this reason and provide any other relevant information.

What are your rights?

[1ST AESTHETICS LTD] observes a range of regulatory obligations under the EU’s GDPR and the Data Protection Act 2018. As part of our ongoing commitment to these regulatory obligations, we will also uphold your personal rights under these regulations.


Your statutory rights under GDPR and the Data Protection Act 2018 include:


  • The right to request access to your personal information (also known as a ‘data subject access request’)
  • The right to request corrections be made to the data we hold about you
  • The right to request erasure of your personal data
  • The right to object to the processing of your data
  • The right to request any restrictions to the processing of your data
  • The right to request the transfer of your data to another party (data portability)


If you would like to exercise any of these rights, please contact [J MORE] in writing at [[email protected]].


You do not need to pay a fee to access the personal data we hold about you or to exercise your other rights under data protection regulation; however, [1ST AESTHETICS LTD] reserves the legal right to charge a reasonable fee for requests that are unfounded or excessive in nature. We may also refuse to comply with requests that are unfounded or excessive, in line with our own legal rights.


Please note that [1ST AESTHETICS LTD] may be required to collect more information about you to confirm your identity, before granting access to any information requested.


You have the right to issue a formal complaint to the Information Commissioner’s Office at any time, if you feel [1ST AESTHETICS LTD] has not adequately complied with its requirements under GDPR or the Data Protection Act as they relate to the collection, storage, processing of your personal data, or your individual rights to access your data.


Who is [1ST AESTHETICS LTD]’s Data Protection Officer?

[1ST AESTHETICS LTD] is the controller and processor of data. We collect, store and process data in accordance with our legal obligations under GDPR and the Data Protection Act 2018.


If you have any questions or concerns relating to your information and the way we use it, please get in touch:


[J MORE]

[[email protected]]

[1ST AESTHETICS LTD]

[1staesthetic.co.uk]


Signature ______________________________________________ Date __________________

Employer GDPR checklist

Complete this checklist to confirm you have reviewed your contracts and other documentation, including the relevant privacy notice and consent forms.

Action

 Complete

 Notes

Employee information audit

Identify what personal data you hold on employees and where it originated from



Identify how your company will process personal data and for what purposes the data is being processed



Verify retention periods and review



Identify any third-parties your company must transfer data to and outline reasoning



Conduct a review of associated contracts



Identify any situations in which automated decision-making could be used



Document audit



Identifying lawful basis for processing data

Obtain employee consent



Confirm status for processing sensitive personal data



Identify lawful basis for processing employee personal data (one of the following must apply)

Employee must give valid consent



Processing activity required to carry out delivery of contract



Processing activity necessary to comply with legal obligation



Processing activity necessary to serve vital interests of individual or others



Processing activity necessary to serve public interest



Processing activity necessary to serve legitimate interests of the company (note the legitimate interests of the company can and will be overridden by the individual rights of the data subject)



Identify lawful basis for processing special categories of personal data (one of the following must apply):

Explicit consent



Processing activity required to comply with employment rights



Processing activity necessary to serve vital interests of individual or another if individual cannot give valid consent



Processing by a foundation, association or not-for-profit with a political, philosophical, religious or Trade Union aim



Situation in which employee has made data public



Processing activity necessary for legal action



Processing activity necessary to serve public interest



Processing activity necessary to assess employee’s work capacity



Identify lawful basis for processing personal data relating to criminal convictions

Processing activity must be authorised under UK and EU law



Explicit consent



Processing activity necessary to serve vital interests of individual or another if individual cannot give valid consent



Processing by a foundation, association or not-for-profit with a political, philosophical, religious or Trade Union aim



Situation in which employee has made data public



Processing activity necessary for legal action



Data cleansing

Update retention policy



Securely delete or de-personalise data



HR policies and procedures

Amend procedures relating to recruitment, promotions, compensation, disciplinary, grievances, performance management, sickness absence, employee monitoring and references.



Conduct a data protection impact assessment (if applicable).



Notify employees of any relevant changes to employee handbook or corresponding manuals.



Automated decision-making

Identify lawful basis that enable you to make decisions based on automated processing



Automated decision-making necessary to carry out delivery of contract



Notify employees of a decision based on automated processing (and allow right to request a reconsideration within 21 days of notification)



Explicit consent



Implement suitable safeguards to defend employee rights



Automated decision-making concerning special categories of personal data must include explicit consent unless processing is in the public interest



Data transfers to third parties

Identify lawful basis for data transfers



Implement processor agreements where applicable



Update procedures



Notify employees of processing

Draft an updated privacy policy for employees



Ensure all procedures are up-to-date



Data subject rights

Update Subject access request policy and procedures



Arrange training for all employees handling subject access requests



Develop company procedures for the handling of employee rights



Data protection officer

Find out whether you need to appoint a data protection officer



If applicable, appoint a data protection officer



If a data protection officer is not required by law, appoint a senior management figure to handle data protection issues



Review

Arrange training for all employees responsible for handling data



Ensure all processes and policies are scheduled for regular review




Employee consent template

Here at [1ST AESTHETICS LTD] we value your privacy. As part of our relationship with you, our company will be required to collect, process and store certain information about you. This information may include your personal details, information about your family, employment history, medical conditions or any other information we have outlined in our employee privacy policy.


We will never share your information with any individual or company other than those listed within our employee privacy policy, and wherever possible we will always uphold your right to withdraw consent or to remove data.

You can withdraw your consent, amend your consent or object to processing at any time by contacting:

[INDIVIDUAL NAME]

[COMPANY NAME]

[COMPANY ADDRESS]

[COMPANY PHONE]

[COMPANY EMAIL]

Please sign and date below to verify you have read and understood the enclosed employee privacy policy and that you consent to [1ST AESTHETICS LTD] processing your data as described within this policy. 


Signature ______________________________________________ Date __________________