GDPR & Data Protection Policy

1. Purpose & Scope

This policy sets out how Retec Group collects, uses, stores, and protects personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and other applicable privacy laws.

This policy applies to:

  • Personal data processed by Retec Group for its own operational purposes (e.g. staff, suppliers, partners).

  • Personal data processed on behalf of clients as part of service delivery.

Where Retec Group determines the purpose and means of processing personal data, it is acting as a Data Controller. Where it processes personal data on behalf of clients, it is acting as a Data Processor and complies with the instructions and contractual terms set by the client.

2. Key Principles of Data Protection

Retec Group adheres to the following principles when processing personal data:

  • Lawfulness, fairness, and transparency – Personal data is processed legally, ethically, and openly.

  • Purpose limitation – Data is only used for specific, clearly stated purposes.

  • Data minimisation – Only the data necessary for the purpose is collected and used.

  • Accuracy – Reasonable steps are taken to keep data accurate and up to date.

  • Storage limitation – Data is kept only as long as necessary for the original purpose.

  • Integrity and confidentiality – Appropriate security measures are applied to prevent loss, misuse, or unauthorised access.

3. Legal Basis for Processing

Personal data is processed on one or more of the following lawful bases:

  • Contractual necessity – To fulfil a contract or take steps before entering one.

  • Legal obligation – Where we are required to process data by law.

  • Legitimate interests – Where processing is necessary for our or a third party’s legitimate business interests, and individuals’ rights are not overridden.

  • Consent – Where individuals have freely given clear permission (e.g. for marketing).

  • Vital interests or public task – Rare cases involving protection of life or public interest duties.

4. Individual Rights

Under UK GDPR, individuals (also known as “data subjects”) have the right to:

  • Access their personal data

  • Request correction (rectification) or deletion (erasure)

  • Restrict processing

  • Object to processing

  • Request data portability (to move their data elsewhere)

Requests can be submitted to:

Email: hello@retecgroup.co.uk

We aim to respond to all valid requests within one calendar month. We maintain an internal log of all requests and our response actions, and provide updates to the individual during the request lifecycle.

5. How We Handle Personal Data

a. Collection and Use

We collect data directly from individuals or via contractual arrangements with clients or partners. Data is only collected and used where there is a clear and documented reason.

b. Storage and Access

Data is stored securely using encrypted systems and cloud-based infrastructure. Access is limited to authorised personnel and monitored in line with our access control policy.

c. Transfers

Personal data will only be transferred outside the United Kingdom (UK) or European Economic Area (EEA) if appropriate safeguards are in place, such as:

  • Adequacy decisions by the UK or EU

  • Standard contractual clauses (SCCs)

  • Explicit individual consent

d. Retention and Disposal

We retain data only as long as necessary for its original purpose or to meet legal and contractual obligations. When no longer required, data is securely deleted or destroyed.

6. Security and Breach Response

We apply technical and organisational measures to protect data, including:

  • Endpoint protection (e.g. antivirus software, device encryption)

  • Multi-factor authentication (MFA) for access to all cloud services

  • Role-based access control (RBAC)

  • Controlled access to systems and documents

  • Regular user access reviews

  • Regular security reviews and patching of devices

  • Monitoring and alerting for potential security events

Any suspected or actual breach must be escalated internally to the Data Protection Officer (DPO) immediately. Where appropriate, we will notify the Information Commissioner’s Office (ICO) and affected individuals within 72 hours of becoming aware of a reportable breach, in accordance with UK GDPR requirements.

7. Responsibilities

  • Data Protection Officer (DPO): Tim Linsell is responsible for data privacy compliance, advice, and internal oversight.

  • All Retec Group staff and contractors: Must comply with this policy, follow data handling best practices, and report incidents or concerns.

  • Subcontractors and suppliers: Are contractually bound to apply equivalent standards of data protection and confidentiality.

8. Working with Client Data

When delivering services to clients, we may act as a Data Processor. In these situations:

  • We follow client instructions and contractual terms for data use.

  • We implement client-approved security, access, and retention rules.

  • We do not use or share client-controlled personal data for any unrelated purposes.

9. Data Classification

To ensure appropriate controls are applied, we classify data into:

  • Personal Data: Any information relating to an identifiable individual (e.g. name, email, address, ID number).

  • Special Category Data: A higher-risk category under UK GDPR that includes data on health, race, religion, sexual orientation, and biometric data, among others. Additional safeguards apply.

  • Internal Business Data: Non-personal information relevant to internal operations (e.g. team structures, project documentation).

Special Category Data will only be processed when strictly necessary and legally justified with appropriate risk assessments and safeguards in place.

10. Training & Awareness

All employees and contractors receive data protection and security training as part of onboarding and annually thereafter. We maintain records of completion.

11. Policy Review

This policy will be reviewed annually or when material changes occur in:

  • Legal or regulatory requirements

  • Business operations affecting data use

  • Any major incidents or privacy risks