PRIVACY POLICY

DATA PROTECTION AND INFORMATION MANAGEMENT

1. PRIVACY STATEMENT

1.1 Our Commitment

Marchstone Security Limited is committed to safeguarding the privacy and protecting the personal data of all individuals who interact with our organization. In compliance with UK and EU data protection regulations, this privacy policy explains what information we collect, how we use personal data, our data processing practices, and your rights regarding your personal information.

As a professional security services provider, we understand the critical importance of data protection and maintain the highest standards of information security and privacy management in accordance with our ISO 27001 certification and GDPR requirements.

1.2 Legal Framework

This privacy policy complies with:

  • General Data Protection Regulation (GDPR) 2016/679

  • Data Protection Act 2018

  • UK GDPR (post-Brexit implementation)

  • Privacy and Electronic Communications Regulations 2003

  • Human Rights Act 1998

  • Private Security Industry Act 2001

1.3 Data Controller Information

Marchstone Security Limited is the data controller for personal data processed under this policy.

Company Registration: 16717355
Registered Office: Rivar Farm House, Rivar Farm, Shalbourne, Marlborough, Wiltshire SN8 3RL
Data Protection Officer: [NAME]
DPO Contact: dpo@marchstonesecurity.co.uk
ICO Registration Number: [ICO REG NUMBER]

2. INFORMATION WE COLLECT

2.1 How We Collect Information

We obtain information about you through various means:

2.1.1 Direct Collection

  • Service enquiries and consultations

  • Contract negotiations and agreements

  • Application forms and registration processes

  • Website interactions and communications

  • Training course registrations

  • Feedback surveys and questionnaires

  • Direct communications (email, phone, post)

2.1.2 Automatic Collection

  • Website analytics and usage data

  • Cookie information and preferences

  • IP addresses and browser information

  • Security system logs and access records

  • Communication system logs

  • CCTV footage where appropriate

2.2 Categories of Personal Data

2.2.1 Client Information

Individual Clients:

  • Personal identifiers (name, address, contact details)

  • Professional information (occupation, employer)

  • Financial information (payment details, billing addresses)

  • Security requirements and risk assessments

  • Emergency contact information

  • Medical information (where relevant for close protection)

Corporate Clients:

  • Company registration details

  • Authorized contact persons

  • Financial and payment information

  • Facility and location information

  • Security system specifications

  • Incident reports and security data

2.2.2 Employee and Contractor Data

Recruitment and Employment:

  • Personal details (name, address, contact information)

  • Employment history and references

  • Qualifications and certifications (SIA licences)

  • Criminal record checks (Enhanced DBS)

  • Medical fitness assessments

  • Training records and competency assessments

  • Performance evaluations and disciplinary records

  • Payroll and benefits information

Operational Data:

  • Duty assignments and schedules

  • Incident reports and witness statements

  • Training completion records

  • Equipment allocation and maintenance

  • Travel and expense claims

  • Communication logs and recordings

2.2.3 Supplier and Partner Data

  • Company and contact information

  • Financial and banking details

  • Insurance and certification records

  • Performance evaluations and assessments

  • Communication records

  • Contract and agreement details

2.2.4 Website and Digital Data

  • IP addresses and device identifiers

  • Browser type and operating system

  • Page views and navigation patterns

  • Search terms and referral sources

  • Cookie preferences and settings

  • Form submissions and downloads

2.3 Special Categories of Personal Data

We may process special categories of data where necessary:

2.3.1 Legitimate Processing Grounds

  • Criminal Conviction Data: For SIA licensing and security vetting

  • Health Data: For occupational health and fitness assessments

  • Biometric Data: For access control and identity verification

  • Racial/Ethnic Data: For equality monitoring (with consent)

  • Religious/Philosophical Beliefs: For cultural sensitivity requirements

2.3.2 Safeguards and Controls

  • Enhanced security measures for special category data

  • Strict access controls and need-to-know basis

  • Regular data minimization reviews

  • Encrypted storage and transmission

  • Staff training on sensitive data handling

3. LAWFUL BASIS FOR PROCESSING

3.1 GDPR Lawful Bases

We process personal data on the following legal bases:

3.1.1 Legitimate Interests (Article 6(1)(f))

  • Client Security Services: Providing effective security services

  • Risk Management: Protecting client safety and assets

  • Business Operations: Managing contracts and service delivery

  • Staff Management: Ensuring competent and reliable personnel

  • Legal Compliance: Meeting regulatory and industry requirements

3.1.2 Contract Performance (Article 6(1)(b))

  • Delivering contracted security services

  • Processing client requirements and instructions

  • Managing personnel deployment and scheduling

  • Handling payments and billing

  • Providing customer support and service

3.1.3 Legal Obligation (Article 6(1)(c))

  • SIA licensing and regulatory compliance

  • Health and safety requirements

  • Criminal record checking and vetting

  • Anti-money laundering obligations

  • Tax and employment law compliance

3.1.4 Consent (Article 6(1)(a))

  • Marketing communications (where required)

  • Optional data collection activities

  • Website cookies and analytics

  • Special category data processing (where applicable)

  • Photography and promotional activities

3.1.5 Vital Interests (Article 6(1)(d))

  • Medical emergencies during service provision

  • Life-threatening security situations

  • Child protection circumstances

  • Serious crime prevention or detection

3.2 Special Category Processing

Special categories of personal data are processed under:

  • Article 9(2)(b): Employment, social security, and social protection law

  • Article 9(2)(c): Vital interests where the data subject cannot consent

  • Article 9(2)(f): Legal claims establishment, exercise, or defense

  • Article 9(2)(g): Substantial public interest (with appropriate safeguards)

4. HOW WE USE YOUR INFORMATION

4.1 Service Delivery Purposes

4.1.1 Security Service Provision

  • Conducting security risk assessments and surveys

  • Deploying appropriate personnel and resources

  • Monitoring and responding to security incidents

  • Maintaining communication with clients and authorities

  • Providing regular reports and updates

  • Coordinating with emergency services when required

4.1.2 Personnel Management

  • Recruiting and vetting security personnel

  • Managing work schedules and deployments

  • Providing training and professional development

  • Monitoring performance and conduct

  • Ensuring compliance with industry regulations

  • Managing payroll and benefits administration

4.2 Business Operations

4.2.1 Client Relationship Management

  • Processing service enquiries and quotations

  • Managing contracts and service agreements

  • Handling billing and payment processing

  • Providing customer support and assistance

  • Collecting feedback and improving services

  • Managing complaints and dispute resolution

4.2.2 Compliance and Legal Requirements

  • Meeting SIA licensing and regulatory obligations

  • Conducting mandatory background checks and vetting

  • Maintaining health and safety standards

  • Fulfilling tax and employment law requirements

  • Responding to legal proceedings and investigations

  • Cooperating with regulatory authorities

4.3 Marketing and Communications

4.3.1 Legitimate Business Communications

  • Providing information about our services

  • Sending contract updates and service notifications

  • Sharing industry news and regulatory updates

  • Inviting participation in surveys and feedback

  • Promoting training courses and development opportunities

4.3.2 Consent-Based Marketing

  • Email newsletters and promotional materials

  • Social media marketing and advertising

  • Event invitations and networking opportunities

  • Case study development and testimonials

  • Website personalization and recommendations

5. INFORMATION SHARING AND DISCLOSURE

5.1 Within Marchstone Security

Personal data is shared internally on a need-to-know basis:

  • Operations teams for service delivery

  • HR department for personnel management

  • Finance team for billing and payments

  • Management for strategic decision-making

  • Legal and compliance for regulatory matters

5.2 External Sharing

5.2.1 Service Providers and Partners

We may share information with:

  • Subcontractors: For service delivery support

  • Training Providers: For certification and development

  • Technology Suppliers: For system maintenance and support

  • Professional Advisors: Legal, financial, and insurance advisors

  • Auditors: For compliance and quality assurance

5.2.2 Legal and Regulatory Disclosure

Information may be disclosed to:

  • Law Enforcement: For crime prevention and investigation

  • Regulatory Bodies: SIA, ICO, HSE, and other authorities

  • Courts and Tribunals: For legal proceedings

  • Emergency Services: For life-threatening situations

  • Government Agencies: For national security purposes

5.2.3 Client-Authorized Disclosure

With explicit client authorization:

  • Insurance companies for claims processing

  • Other security providers for coordinated services

  • Facilities management companies

  • Client's legal and professional advisors

  • Third-party investigators and consultants

5.3 International Transfers

Where personal data is transferred outside the UK/EEA:

  • Adequacy Decisions: To countries with adequate protection

  • Standard Contractual Clauses: For commercial transfers

  • Binding Corporate Rules: Within corporate groups

  • Explicit Consent: Where other safeguards are not available

  • Public Interest: For law enforcement cooperation

6. DATA RETENTION

6.1 Retention Principles

We retain personal data for:

  • The period necessary to fulfill the purposes for collection

  • Compliance with legal and regulatory requirements

  • Establishment, exercise, or defense of legal claims

  • Legitimate business interests (balanced against individual rights)

6.2 Specific Retention Periods

6.2.1 Client Data

  • Active Contracts: Duration of contract plus 7 years

  • Security Incident Records: 7 years from incident date

  • Financial Records: 7 years from last transaction

  • Risk Assessments: 5 years from completion

  • Communication Records: 3 years from last contact

6.2.2 Personnel Data

  • Employment Records: 6 years after employment ends

  • DBS Certificates: 6 months after recruitment decision

  • Training Records: Duration of employment plus 3 years

  • Disciplinary Records: 12 months to 6 years (depending on severity)

  • Payroll Records: 6 years after tax year end

6.2.3 Supplier and Business Data

  • Contract Records: 7 years after contract termination

  • Financial Records: 7 years from last payment

  • Performance Data: 3 years from last assessment

  • Communication Records: 3 years from last contact

6.2.4 Website and Digital Data

  • Analytics Data: 26 months from collection

  • Cookie Data: As specified in cookie preferences

  • Server Logs: 12 months from creation

  • Backup Data: As per backup retention schedule

6.3 Secure Disposal

At the end of retention periods:

  • Data is securely deleted or destroyed

  • Physical documents are confidentially shredded

  • Electronic media is securely wiped

  • Certificates of destruction are obtained

  • Disposal activities are logged and audited

7. YOUR RIGHTS AND CHOICES

7.1 Individual Rights Under GDPR

7.1.1 Right to Information (Articles 13-14)

You have the right to know:

  • What personal data we collect about you

  • Why we process your data

  • Who we share your data with

  • How long we retain your data

  • Your rights regarding your data

7.1.2 Right of Access (Article 15)

You can request:

  • Confirmation that we process your data

  • A copy of your personal data

  • Information about processing purposes

  • Details of data sharing and transfers

  • Retention period information

7.1.3 Right to Rectification (Article 16)

You can request:

  • Correction of inaccurate personal data

  • Completion of incomplete data

  • Updates to outdated information

  • Amendment of incorrect records

7.1.4 Right to Erasure (Article 17)

You may request deletion when:

  • Data is no longer necessary for its original purpose

  • You withdraw consent (where applicable)

  • Data has been unlawfully processed

  • Legal obligation requires deletion

  • You object to processing (with no overriding grounds)

7.1.5 Right to Restrict Processing (Article 18)

You can request restriction when:

  • The accuracy of the data is contested

  • Processing is unlawful but you don't want erasure

  • We no longer need the data but you need it for legal claims

  • You have objected pending verification of grounds

7.1.6 Right to Data Portability (Article 20)

Where technically feasible, you can:

  • Receive your data in a structured, commonly used format

  • Transmit data to another controller

  • Request direct transmission where possible

7.1.7 Right to Object (Article 21)

You can object to processing based on:

  • Legitimate interests (including profiling)

  • Direct marketing (absolute right)

  • Scientific, historical, or statistical purposes

  • Public interest or official authority tasks

7.2 Exercising Your Rights

7.2.1 How to Make a Request

Contact our Data Protection Officer:

  • Email: dpo@marchstonesecurity.co.uk

  • Post: Data Protection Officer, Marchstone Security Limited, [ADDRESS]

  • Online Form: Available on our website

  • Phone: [DPO PHONE NUMBER]

7.2.2 Request Processing

  • Response Time: Within 1 month of receipt

  • Identity Verification: May be required for security

  • Complex Requests: May take up to 3 months

  • Fee: Usually free, but may charge for excessive requests

  • Refusal: Justified reasons will be provided

7.2.3 Appeals Process

If you're not satisfied:

  • Contact our Data Protection Officer for internal review

  • Complain to the Information Commissioner's Office (ICO)

  • Seek judicial remedy through the courts

  • Consider mediation or alternative dispute resolution

8. DATA SECURITY

8.1 Technical Security Measures

8.1.1 Data Encryption

  • Data encrypted at rest using AES-256 encryption

  • Data in transit protected by TLS 1.3 protocols

  • End-to-end encryption for sensitive communications

  • Key management systems with regular rotation

  • Hardware security modules for critical keys

8.1.2 Access Controls

  • Multi-factor authentication for system access

  • Role-based access permissions

  • Regular access reviews and deprovisioning

  • Privileged account management

  • Session monitoring and logging

8.1.3 Network Security

  • Firewall protection and intrusion detection

  • Network segmentation and isolation

  • VPN access for remote connectivity

  • Regular vulnerability scanning and assessment

  • Security incident monitoring and response

8.2 Physical Security Measures

8.2.1 Facility Security

  • Secure data centers with 24/7 monitoring

  • Biometric access controls for sensitive areas

  • CCTV surveillance and recording

  • Environmental controls and monitoring

  • Fire suppression and emergency procedures

8.2.2 Equipment Security

  • Locked storage for portable devices

  • Clean desk policies and secure disposal

  • Asset tracking and management

  • Secure transportation procedures

  • Equipment sanitization before disposal

8.3 Organizational Security Measures

8.3.1 Staff Training and Awareness

  • Regular data protection training for all staff

  • Role-specific security awareness programs

  • Incident response training and drills

  • Security culture development initiatives

  • Continuous education and updates

8.3.2 Policies and Procedures

  • Comprehensive information security policies

  • Data handling and processing procedures

  • Incident response and breach notification plans

  • Vendor management and due diligence

  • Regular policy reviews and updates

9. COOKIES AND WEBSITE ANALYTICS

9.1 Cookie Usage

Our website uses cookies to:

  • Remember your preferences and settings

  • Analyze website traffic and user behavior

  • Improve website functionality and performance

  • Provide personalized content and experiences

  • Enable social media sharing features

9.2 Types of Cookies

9.2.1 Essential Cookies

  • Required for website functionality

  • Cannot be disabled without affecting service

  • Include session management and security tokens

  • No consent required under cookie regulations

9.2.2 Analytics Cookies

  • Google Analytics for website performance analysis

  • Anonymized data collection where possible

  • Used to improve website design and content

  • Can be disabled through cookie preferences

9.2.3 Marketing Cookies

  • Used for targeted advertising and remarketing

  • Social media integration and tracking

  • Third-party advertising networks

  • Require explicit consent before activation

9.3 Cookie Management

You can control cookies through:

  • Browser settings and preferences

  • Our website cookie consent manager

  • Third-party opt-out tools and services

  • Direct contact with our support team

10. CHILDREN'S PRIVACY

10.1 Age Restrictions

  • We do not knowingly collect data from children under 13

  • Special protections apply to children aged 13-16

  • Parental consent required for certain processing

  • Enhanced privacy protections for all minors

10.2 Child Protection

If we become aware that we have collected personal data from a child:

  • We will delete the information promptly

  • Parents/guardians will be notified where possible

  • Additional safeguards will be implemented

  • Incidents will be reported to relevant authorities

11. DATA BREACH NOTIFICATION

11.1 Our Obligations

In the event of a data breach:

  • ICO notification within 72 hours (where required)

  • Individual notification without undue delay (high risk breaches)

  • Documentation of breach and response measures

  • Implementation of containment and remediation

  • Review and improvement of security measures

11.2 Your Rights

If your data is involved in a breach:

  • We will inform you of the nature of the breach

  • Likely consequences will be explained

  • Mitigation measures will be described

  • Support and assistance will be provided

  • You can exercise your rights as described above

12. INTERNATIONAL CONSIDERATIONS

12.1 Cross-Border Services

When providing international security services:

  • Local data protection laws are considered

  • Appropriate safeguards are implemented

  • Client consent is obtained where required

  • Data transfers are minimized where possible

12.2 UK-EU Data Flows

Following Brexit:

  • UK adequacy decision status is monitored

  • Standard contractual clauses are used where necessary

  • EU representative appointed where required

  • Regular compliance reviews are conducted

13. CONTACT INFORMATION

13.1 Data Protection Contacts

Data Protection Officer:
Name: TBC
Email: TBC
Phone: TBC
Address: TBC

Privacy Enquiries:
Email: TBC
Phone: TBC

13.2 Regulatory Contacts

Information Commissioner's Office (ICO)
Website: ico.org.uk
Phone: 0303 123 1113
Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

14. POLICY UPDATES

14.1 Changes to This Policy

This privacy policy will be reviewed and updated:

  • Annually as a minimum

  • When significant changes occur to our processing activities

  • Following changes in data protection law

  • After major incidents or lessons learned

  • When new technologies or services are introduced

14.2 Notification of Changes

We will notify you of significant changes:

  • By email to registered users

  • Through website notifications

  • Via our social media channels

  • Through direct communication where appropriate

  • With reasonable advance notice where possible